stackoom
  简体   繁体   中英

How can I generate a SAML Security Token within the same application that consumes it?

 原文  2010-02-12 21:06:00       security/ wif/ geneva-framework/ windows-identity

Question

I've been configuring some of my applications to use the Windows Identity Foundation. I use the passive redirection to get security tokens from a Security Token Service. I accomplished this by inserting WIF code into a logon web site that existed before I started using WIF and then using the "Add STS Reference" within the applications.

However, I have one application that does not use the logon web site. I think that what I would like to do is generate the security token within the application itself without redirecting the user to an external STS.

I tried unsuccessfully to accomplish this by using the ClaimsAuthenticationManager class which can be used to add additional claims to a security token received from an external STS. However, ClaimsAuthenticationManager doesn't work in this context. Instead of calling ClaimsAuthenticationManager only a single time per session ( the expected and desired result ), it gets called on every page load with no sign of the claims that I assigned to the user on the previous page load.

I'm looking at creating an external STS that will give the user the claims from a database, but I see this as being a hazard. There seems to be no reason that I must create a whole separate STS for only a single web site. I would like to just generate the security token within my application.

1 answers

solution1
 -1 ACCPTED  2010-02-19 20:52:01

It is possible to put the Security Token Service class within your own application.

However, in order for the user to be able to access a log-in page in your application before they've obtained the token, you must remove the deny users=? from the Authorization section of web.config. This will allow users to hit your web page with no security token. Once they log in, redirect them to the appropriate page.

This has the disadvantage of not being able to use the convenient passive redirect functionality, but it does work. That means that you must manually redirect users to the log-in page when they try to do something that requires them to be logged in.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How Can I Generate the same key in cryptography How can I generate a limited access API token for SurveyMonkey? Security of signing keys shared between token issuers for the same application How can I fully trust a SAML IDP? Thinktecture - Unable to handle an encrypted SAML security token in Web API How can I implement Nancy.Authentication.Token in a web application? Google indexed my application with the security token. How? How to prevent? How can I make a security token automatically expire in a passive STS setup? How can I generate a “private URL” with state of the art balance between security and convenience? How can I do secure SAML with multiple tenants?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM