[英]ADFS ActAs token missing AuthnStatement
我正在尝试编写一个调用REST服务的Web应用程序。 REST服务需要用户使用OAuth令牌。 使用用户的用户名和密码,我可以获取SAML令牌(下面的第一个断言),OAuth STS可以使用该SAML令牌向我颁发有效的OAuth令牌。 因为我在Web应用程序中,所以我希望使用ActAs SAML令牌,而不是提示输入已经通过域(SSO)进行身份验证的用户的用户名和密码。 当我配置ADFS 2.0发出ActAs令牌(下面的第二个断言)时,它缺少断言的AuthnStatement部分。 OAuth STS对此表示抱怨。 联系他们的支持人员,他们告诉我将ADFS 2.0配置为在断言中包括AuthnStatement,也许使用自定义规则。 两者之间当前ADFS 2.0配置中的唯一区别是“委托授权”选项卡。 代码中的唯一区别是使用了谁的凭据(实际用户还是委派用户)并在RST上设置ActAs属性。
有没有一种方法可以配置ADFS 2.0使其包含此内容? 我认为自定义规则不会带来任何好处,因为自定义规则只会创建更多声明,而AuthnStatement不是声明。
用于创建令牌的代码:
var rst = new RequestSecurityToken
{
RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue",
AppliesTo = new EndpointReference("https://rpserver.mydomain.com/sap/bc/sec/oauth2/token"),
KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer",
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
//commented for actual user and uncommented for ActAs
//the token is from the actual user
//ActAs = new SecurityTokenElement(token)
};
使用实际用户的用户名和密码检索的SAML令牌。
<Assertion ID="_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5" IssueInstant="2014-06-18T12:49:32.815Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
G4LDaRLEEgsKa1/kRwFo+X2BWv0z32Mi0QRym5GlteU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:54:32.815Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:49:32.794Z" NotOnOrAfter="2014-06-18T13:49:32.794Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>
USERIDGOESHERE</AttributeValue>
</Attribute>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2014-06-18T12:49:32.721Z">
<AuthnContext>
<AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
使用委派的通用帐户的用户名和密码检索SAML令牌。
<Assertion ID="_23107d88-d82d-4fa8-b12a-a447aeb6d5f2" IssueInstant="2014-06-18T12:26:03.005Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_23107d88-d82d-4fa8-b12a-a447aeb6d5f2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
sKf+1gtkbA9Hbk3H82j9dXf7zlebd3EOcrqlMyygpoY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:31:03.005Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:26:02.872Z" NotOnOrAfter="2014-06-18T13:26:02.872Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor">
<AttributeValue>
<Actor><Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="client_id" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>MLM_MAT_USER</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue a:type="tn:dateTime" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">2014-06-18T12:26:02.681Z</AttributeValue></Attribute></Actor></AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
我直接与Microsoft支持部门联系,这里是措辞。 “这是不可能完成的,而设计使然是不可能的。”
如何将X509SecurityToken用作ActAs令牌并验证调用方是否具有私钥?
[英]How do I use X509SecurityToken as an ActAs token and verify that the caller has the private key?
如何使用ADAL库在ADFS中向身份令牌添加更多声明?
[英]How Do I Add More Claims to the Identity Token in ADFS Using ADAL Libraries?
.NET ADFS声称感知Web应用程序在收到有效令牌时返回到客户端浏览器的cookie是什么?
[英]What cookie does a .NET ADFS claims aware web application return to the client browser on receipt of a valid token?
Amazon SimpleNotificationService请求的令牌丢失
[英]Missing Token for Amazon SimpleNotificationService Request Amazon AWS SDK
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.