
When trying to deserialize SAML tokens, can I read an SSL Cert from file instead of Certificate store

I would like to do something like this:

<microsoft.identityModel>
    <service>
      <serviceCertificate>
        <certificateReference filename="App_Data/my.domain.com.crt" />
      </serviceCertificate>
    </service>
</microsoft.identityModel>

According to the Documentation, no. To decrypt a SAML token, WIF needs access to a certificate's private key. Placing the certificate and its private key on the filesystem (especially under a folder managed by IIS, regardless of the protections offered) is generally a Bad Idea(tm). By placing the cert in the certificate store, you can much more tightly control and manage access to the certificate.

You can, but as Bobby suggests you are better off with the cert being installed on the machine store. In fact, this was a workaround when deploying applications using WIF on Windows Azure when it didn't support uploading certificates. That limitation is long gone.

I figured it out. Comment out this part in web.config

  <!--<serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint" findValue="" storeLocation="LocalMachine" storeName="My" />
  </serviceCertificate>-->

Add this code to global.asax

// At the top of global.asax.cs: List<> and the LINQ query below need these namespaces
using System.Collections.Generic;
using System.Linq;

    protected void Application_Start()
    {
        // Hook the point where WIF has built its ServiceConfiguration so the certificate
        // can be attached before the first token is processed
        Microsoft.IdentityModel.Web.FederatedAuthentication.ServiceConfigurationCreated += new EventHandler
            <Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs>(AttachCert);
    }

    protected void AttachCert(object sender, Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs e)
    {
        // Load the PFX (certificate plus private key) from App_Data; the PFX password is needed to open it
        var filename = string.Format("{0}\\{1}\\{2}", System.Web.Hosting.HostingEnvironment.ApplicationPhysicalPath, "App_Data\\certificates", "CERTNAME.pfx");
        var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(filename, "YOURPASSWORD");

        // Use it as the service certificate (the one tokens are encrypted to)
        var _configuration = e.ServiceConfiguration;
        _configuration.ServiceCertificate = cert;

        // The token resolver must also know about the certificate, otherwise the
        // encrypted token handler cannot find the key to decrypt incoming tokens
        var certificates = new List<System.IdentityModel.Tokens.SecurityToken> { new System.IdentityModel.Tokens.X509SecurityToken(
                _configuration.ServiceCertificate) };

        var encryptedSecurityTokenHandler =
                (from handler in _configuration.SecurityTokenHandlers
                 where handler is Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler
                 select handler).First() as Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler;

        // Point both the service-wide resolver and the handler's own resolver at the same certificate list
        _configuration.ServiceTokenResolver = encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
                System.IdentityModel.Selectors.SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);
    }
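A store-based variant of the same hook, added here as an example and not the answer author's code: it keeps the `ServiceConfigurationCreated` wiring from the accepted answer but resolves the service certificate from the LocalMachine\My store by thumbprint, so no PFX file or password sits under the web root, and it fails at application start if the certificate or its private key is not available. The appSettings key name `ServiceCertificateThumbprint` and the `Global` class wrapper are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : System.Web.HttpApplication
{
    // Hypothetical appSettings entry: <add key="ServiceCertificateThumbprint" value="..." />
    private const string ThumbprintSetting = "ServiceCertificateThumbprint";

    protected void Application_Start()
    {
        FederatedAuthentication.ServiceConfigurationCreated += AttachCertFromStore;
    }

    private static void AttachCertFromStore(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var cert = FindServiceCertificate(ConfigurationManager.AppSettings[ThumbprintSetting]);
        var config = e.ServiceConfiguration;
        config.ServiceCertificate = cert;

        // Same wiring as the accepted answer: the resolver used by the encrypted token
        // handler must contain this certificate, otherwise decryption fails.
        var tokens = new List<SecurityToken> { new X509SecurityToken(cert) };
        var encryptedHandler = config.SecurityTokenHandlers
            .OfType<Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler>()
            .First();
        config.ServiceTokenResolver = encryptedHandler.Configuration.ServiceTokenResolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
    }

    // Looks the certificate up in LocalMachine\My and refuses to start without a private key.
    public static X509Certificate2 FindServiceCertificate(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ConfigurationErrorsException("appSetting '" + ThumbprintSetting + "' is missing.");

        // Thumbprints copied from the certificate MMC snap-in often carry spaces or an
        // invisible left-to-right mark; keep only the hex digits before searching.
        thumbprint = Regex.Replace(thumbprint, "[^0-9A-Fa-f]", "").ToUpperInvariant();

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false: an expired or untrusted-chain cert is still reported so the
            // error message names the real problem instead of "not found".
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with thumbprint " + thumbprint + " in LocalMachine\\My.");

            var cert = matches[0];
            // HasPrivateKey only says a key is associated with the certificate; the application
            // pool identity must additionally have been granted read access to that key.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " has no private key available to this process.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

The declarative `<certificateReference x509FindType="FindByThumbprint" ...>` element that the question commented out achieves the same store lookup without code; the programmatic form is mainly useful when the thumbprint has to come from per-environment configuration, and the explicit `HasPrivateKey` check turns a confusing decryption failure at the first request into a clear error at startup.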
