
ASP.Net ADFS Token Encryption certificate private key

According to this link https://blogs.technet.microsoft.com/askpfeplat/2015/03/01/adfs-deep-dive-onboarding-applications/

I have set up a token encryption certificate on the relying party, and exported the public key to the ADFS provider

What changes do I need to make in my asp.net web.config to be able to decrypt these claims? I currently use the System.Security.Claims.ClaimsPrincipal class to get the claims back.

Have it working now, for anyone else. The following needs to be changed in web.config. Replace XXXX with your certificate thumbprint.

<system.identityModel.services>
  <federationConfiguration>
    <!-- The relying party decrypts with the private key, so the certificate
         referenced here must be in LocalMachine\My with its private key and
         be readable by the application pool identity. -->
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="XXXX" storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>
    <!-- requireSsl="false" lets the session cookie travel over plain HTTP; use "true" outside development. -->
    <cookieHandler requireSsl="false" />
    <wsFederation ... />
  </federationConfiguration>
</system.identityModel.services>
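A check for the serviceCertificate reference above, added here as an example and not part of the original answer: it reads the thumbprint from web.config, strips the hidden characters that often come along when a thumbprint is pasted from the certificate MMC, confirms the certificate in the configured store has a private key, and checks that the app pool account can read the key file. The web.config path and the app pool identity (IIS AppPool\DefaultAppPool) are assumed parameters; adjust them to your site.

```powershell
# Added example: verifies the certificate referenced by <serviceCertificate> in a
# WIF web.config can actually decrypt tokens. Assumes the web.config path is passed
# in and that the site runs under the app pool identity given (adjust as needed).
param(
    [Parameter(Mandatory = $true)][string]$WebConfigPath,
    [string]$AppPoolIdentity = 'IIS AppPool\DefaultAppPool'   # assumption, not from the page
)

[xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
$ref = $config.SelectSingleNode('//system.identityModel.services/federationConfiguration/serviceCertificate/certificateReference')
if (-not $ref) { throw 'No <serviceCertificate>/<certificateReference> in web.config; encrypted tokens cannot be decrypted.' }
if ($ref.x509FindType -ne 'FindByThumbprint') { Write-Warning "x509FindType is '$($ref.x509FindType)'; this check only handles FindByThumbprint." }

# Thumbprints pasted from the certificate MMC often carry an invisible left-to-right
# mark or spaces, and FindByThumbprint then silently matches nothing.
$raw   = [string]$ref.findValue
$thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "findValue '$raw' does not normalize to a 40-hex-digit SHA-1 thumbprint." }
if ($raw -ne $thumb)      { Write-Warning "findValue contains non-hex characters (hidden Unicode or spaces); use '$thumb'." }

$storePath = "Cert:\$($ref.storeLocation)\$($ref.storeName)"
$cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)               { throw "No certificate with thumbprint $thumb in $storePath." }
if (-not $cert.HasPrivateKey) { throw "Certificate found but has no private key; import the PFX (with key) into $storePath." }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }

# Locate the key file so the app pool account's Read permission on it can be verified.
# CNG keys live under ProgramData\Microsoft\Crypto\Keys, CAPI keys under ...\RSA\MachineKeys.
$keyName = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if     ($rsa -is [System.Security.Cryptography.RSACng])                   { $keyName = $rsa.Key.UniqueName }
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
} catch { Write-Warning "Could not open the private key as the current user: $($_.Exception.Message)" }

if ($keyName) {
    $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($keyFile) {
        $allowed = (Get-Acl -LiteralPath $keyFile.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $AppPoolIdentity -and
            $_.FileSystemRights.ToString() -match 'Read|FullControl'
        }
        if ($allowed) { "OK: $AppPoolIdentity can read private key file $($keyFile.FullName)" }
        else { Write-Warning "$AppPoolIdentity has no Read ACE on $($keyFile.FullName); grant it via certlm.msc > Manage Private Keys." }
    }
}
"Certificate $thumb ($($cert.Subject)) in $storePath is usable for token decryption."
```

Run it elevated on the web server (locating the key file under ProgramData needs administrator rights).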

There are quite a lot of changes made to web.config when enabling ADFS as an identity provider. I often find it easier to simply create a new MVC project, and use the change authentication wizard to select ADFS. Once you have entered the details, it will automatically update the web.config with the required settings, which you can then copy to another project.

Below I have attempted to list all the entries that are required, however I may have missed some.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="ida:FederationMetadataLocation" value="https://YOURADFS/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:Realm" value="https://YOURURL/" />
    <add key="ida:AudienceUri" value="https://YOURURL/" />
  </appSettings>
  <system.web>
    <!-- The session token is protected with the machine key, so every server in a farm needs the same values. -->
    <machineKey validationKey="YOURMACHINEKEY" decryptionKey="YOURDECRYPTIONKEY" validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <!-- Tokens whose audience is not listed here are rejected. -->
      <audienceUris>
        <add value="https://YOURURL/" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <!-- "None" skips chain validation of the ADFS signing certificate; the issuer
           is then trusted solely on the thumbprint pinned below. -->
      <certificateValidation certificateValidationMode="None" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://YOURADFS/adfs/services/trust">
          <keys>
            <!-- Thumbprint of the ADFS token-signing certificate, not of the RP's encryption certificate. -->
            <add thumbprint="YOURCERTIFICATETHUMB" />
          </keys>
          <validIssuers>
            <add name="http://YOURADFS/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" name="YOURCOOKIENAME" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://YOURADFS/adfs/ls/" realm="https://YOURURL/" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>

You will of course have to replace these values with the corresponding values for your own environment.
