
WIF, Federation and STS

In order to prepare my application to use ADFS I have to work with federation. Now we have a solution with a server with federated services using WIF for security, we have a client consuming these services and we have an STS which takes a username/password for identifying the user.

Everything works fine, all my claims are generated correctly and I can use them in my application.

Now we must use ADFS in addition to our internal IdentityProvider. I'd just take my STS and divide it into two parts, a "federation provider" called by the client and trusted by the server, and a part in charge of authentication. For this I just add the following code in my CustomSecurityTokenHandler in the FederationProvider:

// The username/password token the client sent to the federation provider.
UserNameSecurityToken userNameTokenFromRP = token as UserNameSecurityToken;

// WS-Trust client of the identity provider; "IdentityConfiguration" is the <client> endpoint in Web.config.
WSTrustChannelFactory stsClient = new WSTrustChannelFactory("IdentityConfiguration");
stsClient.Credentials.UserName.UserName = userNameTokenFromRP.UserName;
stsClient.Credentials.UserName.Password = userNameTokenFromRP.Password;

IWSTrustChannelContract stsProxy = stsClient.CreateChannel();

// Ask the identity provider to issue a SAML 1.1 token scoped to the federation provider.
RequestSecurityToken rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue, WSTrust13Constants.KeyTypes.Symmetric);
rst.AppliesTo = new System.ServiceModel.EndpointAddress("http://localhost:8010/FederationProvider.svc");
rst.Claims.Add(new RequestClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", false));
rst.Issuer = new System.ServiceModel.EndpointAddress("http://localhost:8020/IdentityProvider.svc");
rst.Lifetime = new Lifetime(DateTime.Now, DateTime.Now + new TimeSpan(0, 30, 0));
rst.TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.OasisWssSaml11TokenProfile11;

// Issue() returns the issued token; rstr carries the full RSTR message.
RequestSecurityTokenResponse rstr;
var stsToken = stsProxy.Issue(rst, out rstr);

and this in my Web.config file:

<client>
  <endpoint name="IdentityConfiguration" address="http://localhost:8020/IdentityProvider.svc"
    binding="ws2007HttpBinding" bindingConfiguration="SecurityTokenBinding"
    contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract">
    <identity>
      <certificate encodedValue="MyEncodedValue" />
    </identity>
  </endpoint>
</client>

On the identity side I continue to generate my claims the same way I did before. The problem I have is that in my RSTR the token is null and the TokenXml is encrypted; I don't understand how to use federation in this case?

Can someone help me?

Thanks for reading.

Ange

Finally, I've understood what was missing.

I have to create a security token handler and a token resolver:

// The token returned by the identity provider is an encrypted SAML token wrapped in XML.
GenericXmlSecurityToken augmentedToken = (GenericXmlSecurityToken) stsToken;
var tokenReader = new StringReader(augmentedToken.TokenXml.OuterXml);
var reader = XmlReader.Create(tokenReader);

SecurityTokenHandlerCollection handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();

// The federation provider's certificate (private key) is needed to decrypt the token.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2 certificate = certificates.Find(X509FindType.FindByThumbprint, "MyThumbprint", true)[0];
store.Close();

// Service token resolver: lets the handlers find the decryption key.
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false);
handlers.Configuration.ServiceTokenResolver = serviceResolver;

// Only accept tokens issued for this federation provider ...
handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri("http://localhost:8010/FederationProvider.svc"));

// ... and only tokens signed by the trusted identity provider certificate.
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("Thumbprint", "http://localhost:8020/IdentityProvider.svc");
handlers.Configuration.IssuerNameRegistry = registry;

// ReadToken decrypts and parses the SAML token; ValidateToken checks signature, issuer, audience and lifetime.
var samlToken = handlers.ReadToken(reader);
IClaimsIdentity identity = handlers.ValidateToken(samlToken)[0];

It works fine; the code comes from alexthissen.
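Putting the question's WS-Trust call and the answer's handler/resolver setup together, here is a complete username token handler for the federation provider. This is an added illustration, not code from the original post or from alexthissen. It assumes WIF 3.5 (the Microsoft.IdentityModel assemblies), the "IdentityConfiguration" endpoint and the two localhost addresses from the question, and two placeholder thumbprints: one for the federation provider's decryption certificate and one for the identity provider's signing certificate.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Tokens;

// Token handler for the federation provider STS (WIF 3.5). It forwards the client's
// username/password to the internal identity provider over WS-Trust and validates
// the SAML 1.1 token that comes back before exposing the identity to the STS.
public class FederatingUserNameTokenHandler : UserNameSecurityTokenHandler
{
    // Endpoint configuration name and addresses as used in the question.
    private const string IdentityProviderEndpointConfig = "IdentityConfiguration";
    private const string IdentityProviderAddress = "http://localhost:8020/IdentityProvider.svc";
    private const string FederationProviderAddress = "http://localhost:8010/FederationProvider.svc";
    // Placeholder thumbprints (assumed values, replace with the real certificates).
    private const string FederationProviderCertThumbprint = "FEDERATION-PROVIDER-THUMBPRINT"; // decrypts the token
    private const string IdentityProviderSigningThumbprint = "IDENTITY-PROVIDER-THUMBPRINT";  // must have signed it

    public override bool CanValidateToken
    {
        get { return true; }
    }

    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        UserNameSecurityToken userNameToken = token as UserNameSecurityToken;
        if (userNameToken == null)
        {
            throw new SecurityTokenException("Expected a UserNameSecurityToken.");
        }
        SecurityToken issuedToken = RequestTokenFromIdentityProvider(userNameToken);
        return ValidateIssuedToken(issuedToken);
    }

    // Step 1: act as a WS-Trust client of the identity provider.
    private static SecurityToken RequestTokenFromIdentityProvider(UserNameSecurityToken userNameToken)
    {
        WSTrustChannelFactory factory = new WSTrustChannelFactory(IdentityProviderEndpointConfig);
        factory.Credentials.UserName.UserName = userNameToken.UserName;
        factory.Credentials.UserName.Password = userNameToken.Password;

        RequestSecurityToken rst = new RequestSecurityToken(
            WSTrust13Constants.RequestTypes.Issue, WSTrust13Constants.KeyTypes.Symmetric);
        rst.AppliesTo = new System.ServiceModel.EndpointAddress(FederationProviderAddress);
        rst.Claims.Add(new RequestClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", false));
        rst.Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(30));
        rst.TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.OasisWssSaml11TokenProfile11;

        IWSTrustChannelContract channel = factory.CreateChannel();
        RequestSecurityTokenResponse rstr;
        return channel.Issue(rst, out rstr);
    }

    // Step 2: decrypt, signature-check and validate the token the identity provider returned.
    private static ClaimsIdentityCollection ValidateIssuedToken(SecurityToken issuedToken)
    {
        GenericXmlSecurityToken xmlToken = issuedToken as GenericXmlSecurityToken;
        if (xmlToken == null || xmlToken.TokenXml == null)
        {
            throw new SecurityTokenException("Identity provider did not return an XML token.");
        }

        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();

        // The token is encrypted for the federation provider, so its private key is needed to read it.
        List<SecurityToken> serviceTokens = new List<SecurityToken>();
        serviceTokens.Add(new X509SecurityToken(FindCertificate(FederationProviderCertThumbprint)));
        handlers.Configuration.ServiceTokenResolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false);

        // Reject tokens issued for another relying party ...
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(FederationProviderAddress));

        // ... and tokens not signed by the internal identity provider.
        ConfigurationBasedIssuerNameRegistry registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(IdentityProviderSigningThumbprint, IdentityProviderAddress);
        handlers.Configuration.IssuerNameRegistry = registry;

        using (StringReader stringReader = new StringReader(xmlToken.TokenXml.OuterXml))
        using (XmlReader reader = XmlReader.Create(stringReader))
        {
            SecurityToken samlToken = handlers.ReadToken(reader);
            // Checks signature, issuer, audience and lifetime; any failure throws.
            return handlers.ValidateToken(samlToken);
        }
    }

    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count == 0)
            {
                throw new InvalidOperationException("Certificate " + thumbprint + " not found.");
            }
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

The audience restriction and the issuer name registry are the two checks that matter most here: without them the handler collection would accept a token that was issued for a different relying party, or signed by a certificate other than the identity provider's, as long as it could be decrypted. The certificate lookup closes the store in a `finally` block and uses `validOnly = true`, so an expired or untrusted decryption certificate is reported instead of silently used.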
