How to access AD FS claims by User's credential?


Question

As I am developing a WCF web service to act as an intermediary between the user's login action and their Active Directory roles and permissions, I don't want my host application to directly talk to AD FS. I want any host application to use my web service, and it will provide the necessary information on the basis of the given credentials.

In my web method I need to get claims from AD FS (WIF) by user's login credentials.

My web method will have two input parameters, the Windows user's Email Id / Windows Account Name and the Password.

So, I want to access AD FS claims in my web method by the given user's credentials.

How would I get AD FS claims by the given user's credentials?

Answer

You could request a DisplayToken from the ADFS and work with that, it's basically the same information you have in the token.

// WIF 3.5 namespaces (Microsoft.IdentityModel.dll) plus WCF; these are needed for
// WSTrustChannelFactory, UserNameWSTrustBinding, RequestSecurityToken and DisplayClaimCollection.
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

public DisplayClaimCollection GetDisplayClaims(string username, string password)
{
    WSTrustChannelFactory factory = null;
    try
    {
        // Use a UserName trust binding for username authentication: the password
        // travels inside the SOAP message, so the transport must be HTTPS
        // (TransportWithMessageCredential). The AD FS host name is elided here.
        factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            "https://.../adfs/services/trust/13/usernamemixed");

        factory.TrustVersion = TrustVersion.WSTrust13;

        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        // Ask AD FS to issue a token for the relying party and to add a DisplayToken
        // (an unencrypted, human-readable copy of the claims) to the response.
        // AppliesTo is an EndpointAddress, not a string; the address is a placeholder.
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointAddress("https://RELYING-PARTY-ENDPOINT-ADDRESS"),
            KeyType = KeyTypes.Symmetric,
            RequestDisplayToken = true
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        RequestSecurityTokenResponse rstr;
        SecurityToken token = channel.Issue(rst, out rstr);

        // Only the display claims are returned; the (encrypted) token itself is not used.
        return rstr.RequestedDisplayToken.DisplayClaims;
    }
    finally
    {
        if (factory != null)
        {
            try
            {
                factory.Close();
            }
            catch (CommunicationObjectFaultedException)
            {
                factory.Abort();
            }
        }
    }
}



But this is not the proper way of doing it! You should use your RelyingParty certificate to decrypt the encrypted token and read the claims from it.
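The closing advice above, letting the relying party decrypt and validate the issued token instead of trusting the unsigned display token, as an added example in C# that is not part of the original answer. It assumes WIF 4.5 (System.IdentityModel on .NET 4.5), an AD FS usernamemixed endpoint and a relying party identifier given as placeholder URLs, and a caller that supplies the relying party's decryption certificate (with private key) and the AD FS token-signing certificate; the names AdfsClaimsClient and GetValidatedIdentity are assumed names, not part of any library.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

// Added example, not the answer's code. Assumes WIF 4.5 and an AD FS 2.0+ usernamemixed
// endpoint. Host name and relying party identifier are placeholders.
public static class AdfsClaimsClient
{
    private const string StsEndpoint =
        "https://ADFS-HOST-PLACEHOLDER/adfs/services/trust/13/usernamemixed";
    private const string RelyingPartyId = "https://RELYING-PARTY-ID-PLACEHOLDER/";

    // Requests a bearer token for the relying party with the user's credentials and returns
    // a validated ClaimsIdentity: signature checked against the AD FS token-signing certificate,
    // audience checked against RelyingPartyId, token decrypted with the relying party's key.
    public static ClaimsIdentity GetValidatedIdentity(
        string username, string password,
        X509Certificate2 relyingPartyDecryptionCert, // must carry the private key
        X509Certificate2 adfsTokenSigningCert)
    {
        // 1. Request the token over WS-Trust 1.3: password inside the message, over TLS.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(RelyingPartyId),
            KeyType = KeyTypes.Bearer // the service only reads claims, no proof key needed
        };

        GenericXmlSecurityToken issued;
        IWSTrustChannelContract channel = factory.CreateChannel();
        try
        {
            issued = (GenericXmlSecurityToken)channel.Issue(rst);
            ((ICommunicationObject)channel).Close();
        }
        catch
        {
            ((ICommunicationObject)channel).Abort();
            throw;
        }
        finally
        {
            try { factory.Close(); } catch (CommunicationException) { factory.Abort(); }
        }

        // 2. Validate the issued SAML token with the relying party's own configuration.
        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        SecurityTokenHandlerConfiguration config = handlers.Configuration;

        // Only accept tokens issued for this relying party.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyId));

        // Only accept tokens signed by the known AD FS token-signing certificate.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(adfsTokenSigningCert.Thumbprint, "ADFS");
        config.IssuerNameRegistry = issuers;
        config.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;

        // The relying party certificate (with private key) decrypts the <EncryptedData> token.
        var decryptionTokens = new ReadOnlyCollection<SecurityToken>(
            new SecurityToken[] { new X509SecurityToken(relyingPartyDecryptionCert) });
        config.ServiceTokenResolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(decryptionTokens, false);

        // Re-read the raw token XML through the handler collection, then validate it.
        using (var reader = XmlReader.Create(new StringReader(issued.TokenXml.OuterXml)))
        {
            SecurityToken samlToken = handlers.ReadToken(reader);
            ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(samlToken);
            return identities[0];
        }
    }
}
```

The display token carries no signature and is not encrypted, so a service that returns its claims has verified nothing beyond the fact that the STS answered. Claims taken from the ClaimsIdentity above have passed signature, audience and decryption checks against material the relying party controls, which is the difference the answer is pointing at; a bearer key type is used because the web service only needs to read claims, not prove possession of a key to a downstream party.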
