wcf - 如何配置 WCF 以将 URN 格式的自定义领域与 Azure ACS 结合使用?

标签 wcf azure wif federated-identity acs

如何使用 ACS 对我的内部托管 WCF 服务进行 WCF 客户端身份验证?问题围绕设置自定义领域(我不知道如何设置。)

我的 ACS 配置类似于 the ACS Samples然而,“领域”的定义如下所示。

摘自 Azure ACS 配置页面

<小时/>

realm definition

<小时/>

客户端代码

      EndpointAddress serviceEndpointAddress = new EndpointAddress( new Uri( "http://localhost:7000/Service/Default.aspx"),  
                                                                      EndpointIdentity.CreateDnsIdentity( GetServiceCertificateSubjectName() ),
                                                                      new AddressHeaderCollection() );

        ChannelFactory<IStringService> stringServiceFactory = new ChannelFactory<IStringService>(Bindings.CreateServiceBinding("https://agent7.accesscontrol.appfabriclabs.com/v2/wstrust/13/certificate"), serviceEndpointAddress );

        // Set the service credentials.
        stringServiceFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        stringServiceFactory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

        // Set the client credentials.
        stringServiceFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();

服务器端代码

 string acsCertificateEndpoint = String.Format( "https://{0}.{1}/v2/wstrust/13/certificate", AccessControlNamespace, AccessControlHostName );

        ServiceHost rpHost = new ServiceHost( typeof( StringService ) );

        rpHost.Credentials.ServiceCertificate.Certificate = GetServiceCertificateWithPrivateKey();

        rpHost.AddServiceEndpoint( typeof( IStringService ),
                                   Bindings.CreateServiceBinding( acsCertificateEndpoint ),
                                   "http://localhost:7000/Service/Default.aspx"
                                   );

        //
        // This must be called after all WCF settings are set on the service host so the
        // Windows Identity Foundation token handlers can pick up the relevant settings.
        //
        ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
        serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

        // Accept ACS signing certificate as Issuer.
        serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry( GetAcsSigningCertificate().SubjectName.Name );

        // Add the SAML 2.0 token handler.
        serviceConfiguration.SecurityTokenHandlers.AddOrReplace( new Saml2SecurityTokenHandler() );

        // Add the address of this service to the allowed audiences.
        serviceConfiguration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add( new Uri( "urn:federation:customer:222:agent:11") );

        FederatedServiceCredentials.ConfigureServiceHost( rpHost, serviceConfiguration );

        return rpHost;

...其中 urn:federation:customer:222:agent:11 是依赖方 ID

... 和 http://localhost:7000/Service/Default.aspx 是我希望在进行 ACS 身份验证后将上述 WCF/WIF 客户端绑定(bind)到的位置。

问题

如何编辑上面的代码,以便客户端和服务器都针对特定端口 (localhost:700) 以及 urn:federation:customer:222:agent:11 领域进行操作

我认为我的服务器代码是正确的;但是如何在客户端设置 AudienceRestriction

最佳答案

您的服务器端代码看起来不错,但 Sixto 关于标准 channel 工厂的说法是正确的。幸运的是,您可以使用 WSTrustChannelFactory 自行向 ACS 请求安全 token 。在您的示例上下文中,您的代码将如下所示:

//
// Get the token from ACS
//
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
    Bindings.CreateAcsCertificateBinding(),
    new EndpointAddress( acsCertificateEndpoint ) );
trustChannelFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();

RequestSecurityToken rst = new RequestSecurityToken()
{
    RequestType = RequestTypes.Issue,
    AppliesTo = new EndpointAddress( new Uri( "urn:federation:customer:222:agent:11" ) ),
    KeyType = KeyTypes.Symmetric
};

WSTrustChannel wsTrustChannel = (WSTrustChannel)trustChannelFactory.CreateChannel();
SecurityToken token = wsTrustChannel.Issue( rst );

//
// Call StringService, authenticating with the retrieved token
//
WS2007FederationHttpBinding binding = new WS2007FederationHttpBinding( WSFederationHttpSecurityMode.Message );
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.NegotiateServiceCredential = false;

ChannelFactory<IStringService> factory = new ChannelFactory<IStringService>(
    binding,
    new EndpointAddress(
            new Uri( ServiceAddress ),
            EndpointIdentity.CreateDnsIdentity(GetServiceCertificateSubjectName()) ) );
factory.ConfigureChannelFactory<IStringService>();
factory.Credentials.SupportInteractive = false;
factory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

IStringService channel = factory.CreateChannelWithIssuedToken<IStringService>( token );
string reversedString = channel.Reverse( "string to reverse" );

关于wcf - 如何配置 WCF 以将 URN 格式的自定义领域与 Azure ACS 结合使用?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/5598388/

上一篇:asp.net-mvc - 干燥 ASP.NET MVC 操作 : ApplicationController or Service?

下一篇:wcf - 使用故障时如何从 suds 客户端获取 http 响应代码

相关文章:

c# - 来自 CreateChannelWithIssuedToken 的 WCF channel 仍在发送 'requestsecuritytoken' 请求

c# - 防止未使用的属性从对象传递的最佳方法

wcf - 使用 WCF 包装现有的连接流

c# - WCF 服务中未定义的枚举值

c# - Azure APIM URL 抛出 System.Net.WebException - SSL/TLS 如何在 azure web api 和 azure APIM 中产生差异?

mysql - 如何在不使用 .net 工具的情况下将 mysql 数据库导入 Azure sql

azure - Azure 移动应用程序没有应用程序 key - 什么是简单的替代方案?

C# - 如何解析 http header multipart

c# - 如何加密 JWT 安全 token ?

wif - 使用 Windows Identity Foundation 进行单点登录

©2024 IT工具网  联系我们