客户端请求中的SAML令牌后需要签名 [英] Need signature after SAML token in client request

问题描述

我有一个序列化的SOAP请求消息，该消息带有针对供应商服务的SAML令牌密钥持有者.我想用C#创建一个演示程序以产生类似的请求.为此，我想编写一个创建自己的SAML令牌的客户端.

I have a serialized SOAP request message with a SAML token holder-of-key that works against a vendor service. I want to create a demonstration program in C# to produce a similar request. To do this, I want to write a client that creates its own SAML token.

我已经通过自签名证书成功创建了SAML2令牌，并且能够使用ChannelFactoryOperations.CreateChannelWithIssuedToken方法(.Net 4.0)将其与请求关联.一切工作都很好，但是我无法弄清楚将签名放置在断言之后并使用SAML令牌作为签名KeyIdentifier来签名时间戳所需的C#.我什至不确定我要问的是什么，但是令牌本身后面的签名似乎应该很容易.但是，让SAML出现在请求中的唯一方法是将其声明为BearerKey类型.但是BearerKey似乎在断言之后忽略了签名.似乎我想要SymmetricKey，但是令牌没有密钥".断言后如何使这样的签名元素出现?

I've got a SAML2 token created successfully from a self signed cert and I am able to associate it to the request using the ChannelFactoryOperations.CreateChannelWithIssuedToken approach (.Net 4.0). Everything is working great but I can't figure out the C# required to place the signature after the assertion and use the SAML token as the signature KeyIdentifier to sign the timestamp. I'm not even sure what I am asking, but it seems like the signature after the token itself should be the easy part. But, the only way I've gotten the SAML to come out in the request is by declaring it of type BearerKey. But BearerKey appears to omit the signature after the Assertion. It seems I want SymmetricKey, but the token "has no keys." How do I make a signature element like this appear after the Assertion?

此处URI ="#_ 1"指的是上面的WS-Security时间戳(未显示).

Here URI="#_1" is referring to the WS-Security timestamp (not shown) above.

推荐答案

大家好，我不敢相信我终于弄明白了这一切.此代码加载自签名证书，生成SAML令牌，然后使用SAML令牌认可消息.我遇到的问题是令牌没有钥匙"错误.通过创建一个issuerToken和一个密钥并将其传递给令牌构造器可以解决该问题.见下文.我认为我在网上找到的最有帮助的信息是这篇很棒的帖子，在这里 http://devproconnections.com/development/generating-saml-tokens-wif-part-2

Hi folks I can't believe I finally figured all of this out. This code loads up a self signed cert, generates a SAML token and then endorses the message with the SAML token. The problem I was having was with the "token has no keys" error. That was solved by creating an issuerToken and a key and passing that in to the token constructor. See below. I think the most helpful information I found online is this great post here http://devproconnections.com/development/generating-saml-tokens-wif-part-2

        X509Certificate2 cert = new X509Certificate2("C:\\Users\\foobar\\desktop\\test.pfx", "test", X509KeyStorageFlags.MachineKeySet);
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        RsaSecurityKey rsaKey = new RsaSecurityKey(rsa);
        RsaKeyIdentifierClause rsaClause = new RsaKeyIdentifierClause(rsa);
        SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { rsaClause });
        SigningCredentials signingCredentials = new SigningCredentials(rsaKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, signingSki);
        Saml2NameIdentifier saml2NameIdentifier = new Saml2NameIdentifier("C=US,O=hi mom,CN=test", new System.Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"));
        Saml2Assertion saml2Assertion2 = new Saml2Assertion(saml2NameIdentifier);
        saml2Assertion2.SigningCredentials = signingCredentials;
        Saml2Subject saml2Subject = new Saml2Subject();
        saml2NameIdentifier = new Saml2NameIdentifier("foo@bar.edu", new System.Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"));
        saml2Subject.NameId = saml2NameIdentifier;
        Saml2SubjectConfirmationData subjectConfirmationData = new Saml2SubjectConfirmationData();
        Saml2SubjectConfirmation subjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
        subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
        subjectConfirmationData.KeyIdentifiers.Add(signingSki);
        saml2Subject.SubjectConfirmations.Add(subjectConfirmation);
        saml2Assertion2.Subject = saml2Subject;
        Saml2AuthenticationContext saml2AuthCtxt = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:X509"));
        Saml2AuthenticationStatement saml2AuthStatement = new Saml2AuthenticationStatement(saml2AuthCtxt);
        saml2AuthStatement.SessionIndex = "123456";
        saml2Assertion2.Statements.Add(saml2AuthStatement);
        Saml2AttributeStatement saml2AttStatement = new Saml2AttributeStatement();
        Saml2Attribute saml2Attribute = new Saml2Attribute("urn:oasis:names:tc:xspa:1.0:subject:subject-id", "foo bar test");
        saml2AttStatement.Attributes.Add(saml2Attribute);
        saml2Attribute = new Saml2Attribute("urn:oasis:names:tc:xspa:1.0:subject:organization", "urn:oid:"+senderOid);
        saml2AttStatement.Attributes.Add(saml2Attribute);
        saml2Attribute = new Saml2Attribute("urn:oasis:names:tc:xspa:1.0:subject:organization-id", "urn:oid:" + senderOid);
        saml2AttStatement.Attributes.Add(saml2Attribute);
        saml2Attribute = new Saml2Attribute("urn:nhin:names:saml:homeCommunityId", "urn:oid:" + senderOid);
        saml2AttStatement.Attributes.Add(saml2Attribute);
        saml2Attribute = new Saml2Attribute("urn:oasis:names:tc:xacml:2.0:subject:role");
        saml2AttStatement.Attributes.Add(saml2Attribute);
        saml2Assertion2.Statements.Add(saml2AttStatement);
        List<SecurityKey> keyList = new List<SecurityKey>();
        keyList.Add(rsaKey);
        ReadOnlyCollection<SecurityKey> keys = new ReadOnlyCollection<SecurityKey>(keyList);
        X509SecurityToken issuerToken = new X509SecurityToken(cert);
        Saml2SecurityToken token2 = new Saml2SecurityToken(saml2Assertion2,keys,issuerToken);
        XcpdRespondingGatewaySyncService.RespondingGatewaySyncClient myClient = new XcpdRespondingGatewaySyncService.RespondingGatewaySyncClient("IRespondingGatewaySync2");   
        CustomBinding customBinding = myClient.Endpoint.Binding as CustomBinding;
        SecurityBindingElement element = customBinding.Elements.Find<SecurityBindingElement>();
        IssuedSecurityTokenParameters tokenParameters = element.EndpointSupportingTokenParameters.Signed[0].Clone() as IssuedSecurityTokenParameters;
        tokenParameters.TokenType = System.IdentityModel.Tokens.SecurityTokenTypes.Saml;
        tokenParameters.RequireDerivedKeys = false;
        tokenParameters.KeyType = SecurityKeyType.SymmetricKey;
        element.EndpointSupportingTokenParameters.Signed.Clear();
        element.EndpointSupportingTokenParameters.Endorsing.Add(tokenParameters);
        myClient.ChannelFactory.Credentials.SupportInteractive = false;
        myClient.ChannelFactory.ConfigureChannelFactory();
        XcpdRespondingGatewaySyncService.IRespondingGatewaySync myChannel = ChannelFactoryOperations.CreateChannelWithIssuedToken(myClient.ChannelFactory, token2); 

这篇关于客户端请求中的SAML令牌后需要签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！