Creating custom SAML token


Question


I need to create SAML token with custom data.

MSDN, but it didn't compile...


Has anybody got something to read about it, or a working sample?


Or is it just adding new claims to the Assertion collection? Do I need to describe them in federation metadata? What else do I need to do? Would be glad to see any help.

Answer


I remember there's some custom SAML token generation code in one of the ACS samples. That would be a good place to start. You can download it here; look for the OAuth2CertificateSample, SelfSignedSaml2TokenGenerator.cs. The code looks like this:

using System;
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

/// <summary>
/// Creates a SAML assertion signed with the given certificate.
/// </summary>
/// <param name="nameIdentifierClaim">Value used both as the assertion issuer and as the subject NameID.</param>
/// <param name="certificateWithPrivateKeyRawBytes">PFX/PKCS#12 bytes of the signing certificate, including its private key.</param>
/// <param name="password">Password protecting the PFX.</param>
public static Saml2SecurityToken GetSamlAssertionSignedWithCertificate(String nameIdentifierClaim, byte[] certificateWithPrivateKeyRawBytes, string password)
{
    // SamplesConfiguration comes from the ACS sample project; it supplies the ACS namespace and host.
    string acsUrl = string.Format(CultureInfo.InvariantCulture, "https://{0}.{1}", SamplesConfiguration.ServiceNamespace, SamplesConfiguration.AcsHostUrl);

    Saml2Assertion assertion = new Saml2Assertion(new Saml2NameIdentifier(nameIdentifierClaim));

    // Conditions: validity window plus an audience restriction so only ACS accepts the token.
    // Note that NotOnOrAfter = DateTime.MaxValue means this sample token never expires;
    // a real issuer should use a short lifetime (minutes) instead.
    Saml2Conditions conditions = new Saml2Conditions();
    conditions.NotBefore = DateTime.UtcNow;
    conditions.NotOnOrAfter = DateTime.MaxValue;
    conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(acsUrl, UriKind.RelativeOrAbsolute)));
    assertion.Conditions = conditions;

    // Subject with a bearer confirmation: whoever presents the token is treated as the subject.
    Saml2Subject subject = new Saml2Subject();
    subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
    subject.NameId = new Saml2NameIdentifier(nameIdentifierClaim);
    assertion.Subject = subject;

    // Load the certificate with its private key and use it to sign the assertion.
    X509SigningCredentials clientSigningCredentials = new X509SigningCredentials(
            new X509Certificate2(certificateWithPrivateKeyRawBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));

    assertion.SigningCredentials = clientSigningCredentials;

    return new Saml2SecurityToken(assertion);
}


Also, the authentication process doesn't require issued claims to be described in federation metadata. The claims published in federation metadata are only hints for the token consumer as to what they should expect to find in the issued token.
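The ACS snippet above signs an assertion but does not show where the asker's "custom data" goes, nor does it bound the token's lifetime. The following is an added example, not code from the ACS sample or from either poster: it puts custom claims into a SAML 2.0 AttributeStatement, restricts the assertion to one audience and a five-minute window, signs it with an X.509 certificate, and serializes it with Saml2SecurityTokenHandler. It uses the .NET 4.5 System.IdentityModel types the answer's code relies on; the issuer, audience, claim URIs and PFX path are constructed placeholders.

```csharp
// Added example (not from the ACS sample or the original post): build, sign and
// serialize a SAML 2.0 assertion that carries custom attribute claims.
// Targets the .NET 4.5 System.IdentityModel (WIF) types used in the answer's snippet.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

public static class CustomSamlTokenBuilder
{
    public static Saml2SecurityToken BuildToken(
        string issuer,                              // identity provider's entity ID
        string audience,                            // relying party this token is meant for
        string nameIdentifier,                      // subject of the assertion
        IDictionary<string, string> customClaims,   // attribute name -> value
        X509Certificate2 signingCertificate,        // must contain the private key
        TimeSpan lifetime)
    {
        if (!signingCertificate.HasPrivateKey)
            throw new ArgumentException("Signing certificate must include a private key.", "signingCertificate");

        var assertion = new Saml2Assertion(new Saml2NameIdentifier(issuer));

        // Conditions: bound the token in time and to a single audience, so a token
        // replayed after its window or presented to another relying party is rejected.
        DateTime now = DateTime.UtcNow;
        var conditions = new Saml2Conditions
        {
            NotBefore = now,
            NotOnOrAfter = now.Add(lifetime)
        };
        conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(audience)));
        assertion.Conditions = conditions;

        var subject = new Saml2Subject(new Saml2NameIdentifier(nameIdentifier));
        subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
        assertion.Subject = subject;

        // Custom data lives in an AttributeStatement. The relying party's token handler
        // turns each Saml2Attribute into a Claim (attribute name -> claim type).
        var attributes = new List<Saml2Attribute>();
        foreach (KeyValuePair<string, string> kv in customClaims)
            attributes.Add(new Saml2Attribute(kv.Key, kv.Value));
        assertion.Statements.Add(new Saml2AttributeStatement(attributes));

        // The signature covers the whole assertion, conditions and attributes included.
        assertion.SigningCredentials = new X509SigningCredentials(signingCertificate);

        return new Saml2SecurityToken(assertion);
    }

    // Serialize the signed assertion to XML exactly as it would be sent to the relying party.
    public static string Serialize(Saml2SecurityToken token)
    {
        var handler = new Saml2SecurityTokenHandler();
        var sb = new StringBuilder();
        using (XmlWriter writer = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            handler.WriteToken(writer, token);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed placeholder values; replace with the real certificate, issuer and audience.
        var cert = new X509Certificate2(
            File.ReadAllBytes("signing-cert.pfx"), "pfx-password",
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

        var claims = new Dictionary<string, string>
        {
            { "http://schemas.example.test/claims/department", "engineering" },
            { "http://schemas.example.test/claims/role", "auditor" }
        };

        Saml2SecurityToken token = BuildToken(
            "https://idp.example.test", "https://rp.example.test/",
            "alice@example.test", claims, cert, TimeSpan.FromMinutes(5));

        Console.WriteLine(Serialize(token));
    }
}
```

On the consuming side, the relying party checks the signature against the issuer's certificate and enforces the NotBefore/NotOnOrAfter window and the audience URI before mapping the attributes to claims, which is why the claims themselves do not need to appear in federation metadata for the token to be accepted.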

