How to access AD FS claims by user's credential?
Question
I am developing a WCF web service to act as an intermediary between a user's login action and their Active Directory roles and permissions. I don't want my host application to talk to AD FS directly. I want any host application to use my web service, which will provide the necessary information on the basis of the given credentials.
In my web method I need to get claims from AD FS (WIF) by the user's login credentials.
My web method will have two input parameters: the Windows user's email ID / Windows account name, and the password.
So, I want to access AD FS claims in my web method by the given user's credentials.
How would I get AD FS claims by the given user's credentials?
Recommended answer
You could request a DisplayToken from the ADFS and work with that; it's basically the same information you have in the token.
using System.IdentityModel.Tokens;                        // SecurityToken
using System.ServiceModel;                                // SecurityMode, EndpointAddress, CommunicationObjectFaultedException
using System.ServiceModel.Security;                       // TrustVersion
using Microsoft.IdentityModel.Protocols.WSTrust;          // WSTrustChannelFactory, RequestSecurityToken, DisplayClaimCollection (WIF 3.5)
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings; // UserNameWSTrustBinding (WIF 3.5)

public DisplayClaimCollection GetDisplayClaims(string username, string password)
{
    WSTrustChannelFactory factory = null;
    try
    {
        // use a UserName Trust Binding for username authentication
        // (the AD FS "usernamemixed" endpoint: TLS on the transport, UserName token in the message)
        factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            "https://.../adfs/services/trust/13/usernamemixed");
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            // placeholder: the relying party identifier registered in AD FS
            AppliesTo = new EndpointAddress("Relying party endpoint address"),
            KeyType = KeyTypes.Symmetric,
            // ask AD FS to add a human-readable copy of the claims to the response
            RequestDisplayToken = true
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        RequestSecurityTokenResponse rstr;
        // the issued (encrypted) token itself is not used here, only the display token
        SecurityToken token = channel.Issue(rst, out rstr);
        return rstr.RequestedDisplayToken.DisplayClaims;
    }
    finally
    {
        // always release the channel factory; Abort() when Close() cannot complete cleanly
        if (factory != null)
        {
            try
            {
                factory.Close();
            }
            catch (CommunicationObjectFaultedException)
            {
                factory.Abort();
            }
        }
    }
}
But this is not the proper way of doing it! You should use your RelyingParty certificate to decrypt the encrypted token and read the claims from it.
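The answer recommends the relying-party certificate route without showing it. The following is an added example (editor's illustration, not code from the original answer or from Microsoft) of the web method taking the `SecurityToken` that `channel.Issue` returns, decrypting it with the relying party's certificate, validating its audience and issuer, and reading the claims. It assumes WIF 3.5 (`Microsoft.IdentityModel`) like the answer's code; the class name, the three constants (RP identifier URI, RP encryption-certificate thumbprint, AD FS token-signing-certificate thumbprint) and the `FindCertificate` helper are placeholders and assumptions, not values from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;                 // SecurityTokenResolver
using System.IdentityModel.Tokens;                    // SecurityToken, GenericXmlSecurityToken, X509SecurityToken
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Claims;                 // IClaimsIdentity, Claim, ClaimsIdentityCollection (WIF 3.5)
using Microsoft.IdentityModel.Tokens;                 // SecurityTokenHandlerCollection, ConfigurationBasedIssuerNameRegistry (WIF 3.5)

public static class RelyingPartyTokenReader
{
    // Placeholders (assumptions): replace with the values of your own AD FS / relying party setup.
    const string RelyingPartyId = "https://relying-party.example/";                 // RP identifier registered in AD FS
    const string RelyingPartyCertThumbprint = "RP-ENCRYPTION-CERT-THUMBPRINT";      // cert whose private key decrypts the token
    const string AdfsSigningCertThumbprint = "ADFS-TOKEN-SIGNING-CERT-THUMBPRINT";  // the only issuer we trust

    // Decrypts and validates the token returned by channel.Issue(...) and returns its claims.
    // Claim types may repeat (e.g. several role claims), so the result is a list, not a dictionary.
    public static IList<KeyValuePair<string, string>> ReadClaims(SecurityToken issuedToken)
    {
        var xmlToken = issuedToken as GenericXmlSecurityToken;
        if (xmlToken == null)
            throw new ArgumentException("Expected a GenericXmlSecurityToken from the WS-Trust channel.");

        X509Certificate2 rpCert = FindCertificate(RelyingPartyCertThumbprint);

        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        var config = handlers.Configuration;

        // 1. Audience check: reject tokens that AD FS issued for some other relying party.
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyId));

        // 2. Issuer check: only a token signed by the AD FS token-signing certificate is accepted.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(AdfsSigningCertThumbprint, "ADFS");
        config.IssuerNameRegistry = issuers;

        // 3. Decryption: expose the RP private key so the EncryptedSecurityTokenHandler can unwrap the assertion.
        config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(rpCert) }),
            false);

        // Parse the raw XML (EncryptedData around the SAML assertion), then run signature,
        // expiry, audience and issuer validation in one call.
        SecurityToken parsed;
        using (var reader = new XmlTextReader(new StringReader(xmlToken.TokenXml.OuterXml)))
        {
            parsed = handlers.ReadToken(reader);
        }
        ClaimsIdentityCollection identities = handlers.ValidateToken(parsed);

        var result = new List<KeyValuePair<string, string>>();
        foreach (IClaimsIdentity identity in identities)
            foreach (Claim claim in identity.Claims)
                result.Add(new KeyValuePair<string, string>(claim.ClaimType, claim.Value));
        return result;
    }

    // Looks the certificate up by thumbprint in the machine store (assumption: it is installed there
    // with its private key and the service account may read it).
    static X509Certificate2 FindCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My: " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Usage from the answer's method: keep the `token` that `channel.Issue(rst, out rstr)` returns and pass it to `RelyingPartyTokenReader.ReadClaims(token)`. If no encryption certificate is configured for the relying party in AD FS, the assertion arrives signed but unencrypted and the same handler collection still validates it; the audience and issuer checks are what stop the service from accepting a token minted for a different relying party or by a different issuer, which the display token, being unsigned, cannot give you.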