如何配置WCF以使用Azure ACS的URN格式的自定义Realm?

如何使用ACS对我的内部托管的WCF服务进行WCF客户端身份验证?问题围绕设置自定义Realm(我无法弄清楚如何设置)。 我的ACS配置类似于ACS Samples,但“Realm”的定义如下所示。 摘自Azure ACS配置页面 客户端代码 
      EndpointAddress serviceEndpointAddress = new EndpointAddress( new Uri( "http://localhost:7000/Service/Default.aspx"),  
                                                                      EndpointIdentity.CreateDnsIdentity( GetServiceCertificateSubjectName() ),
                                                                      new AddressHeaderCollection() );

        ChannelFactory<IStringService> stringServiceFactory = new ChannelFactory<IStringService>(Bindings.CreateServiceBinding("https://agent7.accesscontrol.appfabriclabs.com/v2/wstrust/13/certificate"), serviceEndpointAddress );

        // Set the service credentials.
        stringServiceFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        stringServiceFactory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

        // Set the client credentials.
        stringServiceFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();
服务器端代码 
 string acsCertificateEndpoint = String.Format( "https://{0}.{1}/v2/wstrust/13/certificate", AccessControlNamespace, AccessControlHostName );

        ServiceHost rpHost = new ServiceHost( typeof( StringService ) );

        rpHost.Credentials.ServiceCertificate.Certificate = GetServiceCertificateWithPrivateKey();

        rpHost.AddServiceEndpoint( typeof( IStringService ),
                                   Bindings.CreateServiceBinding( acsCertificateEndpoint ),
                                   "http://localhost:7000/Service/Default.aspx"
                                   );

        //
        // This must be called after all WCF settings are set on the service host so the
        // Windows Identity Foundation token handlers can pick up the relevant settings.
        //
        ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
        serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

        // Accept ACS signing certificate as Issuer.
        serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry( GetAcsSigningCertificate().SubjectName.Name );

        // Add the SAML 2.0 token handler.
        serviceConfiguration.SecurityTokenHandlers.AddOrReplace( new Saml2SecurityTokenHandler() );

        // Add the address of this service to the allowed audiences.
        serviceConfiguration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add( new Uri( "urn:federation:customer:222:agent:11") );

        FederatedServiceCredentials.ConfigureServiceHost( rpHost, serviceConfiguration );

        return rpHost;
...其中
urn:federation:customer:222:agent:11
是依赖方ID ...和
http://localhost:7000/Service/Default.aspx
是我希望上述WCF / WIF客户端在进行ACS身份验证后绑定到的位置。 题 如何编辑上面的代码,以便客户端和服务器都可以针对某个端口(localhost:700)以及urn领域进行操作:federation:customer:222:agent:11 我想我的服务器代码是正确的;但是如何在客户端设置
AudienceRestriction
?     
2019-11-03 4 条评论
分享

没有找到相关结果

    已邀请:

    导力疵谜

    您的服务器端代码看起来很好,但Sixto对标准渠道工厂是正确的。幸运的是,您可以使用WSTrustChannelFactory自行从ACS请求安全令牌。在您的示例的上下文中,您的代码将如下所示: 
    //
// Get the token from ACS
//
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
    Bindings.CreateAcsCertificateBinding(),
    new EndpointAddress( acsCertificateEndpoint ) );
trustChannelFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();

RequestSecurityToken rst = new RequestSecurityToken()
{
    RequestType = RequestTypes.Issue,
    AppliesTo = new EndpointAddress( new Uri( "urn:federation:customer:222:agent:11" ) ),
    KeyType = KeyTypes.Symmetric
};

WSTrustChannel wsTrustChannel = (WSTrustChannel)trustChannelFactory.CreateChannel();
SecurityToken token = wsTrustChannel.Issue( rst );

//
// Call StringService, authenticating with the retrieved token
//
WS2007FederationHttpBinding binding = new WS2007FederationHttpBinding( WSFederationHttpSecurityMode.Message );
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.NegotiateServiceCredential = false;

ChannelFactory<IStringService> factory = new ChannelFactory<IStringService>(
    binding,
    new EndpointAddress(
            new Uri( ServiceAddress ),
            EndpointIdentity.CreateDnsIdentity(GetServiceCertificateSubjectName()) ) );
factory.ConfigureChannelFactory<IStringService>();
factory.Credentials.SupportInteractive = false;
factory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

IStringService channel = factory.CreateChannelWithIssuedToken<IStringService>( token );
string reversedString = channel.Reverse( "string to reverse" );
        
    2019-11-03 0 0
    分享

    械怒等

    有些答案可能比从来没有好过。我一直无法找到任何关于以这种方式使用WCF的官方文档,但是在阅读WS-Trust论文和MSDN配置文档时,我提出了以下解决方案似乎有效。 从服务消费客户端的配置
    configuration/system.serviceModel/bindings/ws2007FederationHttpbinding/binding/security/message
    。它会覆盖令牌请求消息的
    AppliesTo
    元素。 
    <tokenRequestParameters>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>urn:x-Organization:Testing</Address>
    </EndpointReference>
  </wsp:AppliesTo>
</tokenRequestParameters>
    在服务配置中添加相同的代码段将导致服务引用实用程序将其包含在服务客户端的
    trust:SecondaryParameters
    元素中。必须将其移动到父
    tokenRequestParameters
    元素才能正常工作。     
    2019-11-03 0 0
    分享

    哭木算

    实际上没有尝试过这篇MSDN文章中引用的方法,但是从阅读它看起来听起来像标准频道工厂没有正确的钩子来做你想要的。 WSTrustChannelFactory专为WIF&amp; SAML,但我不熟悉ACS以确定它是否适用。这个由六部分组成的系列文章也可能值得仔细阅读。     
    2019-11-03 0 0
    分享
    为什么被折叠? 0 个回复被折叠

    要回复问题请先登录注册

    或代码 OrCode.com 备案号:粤ICP备15020848号-1
    Escape time: 0.035254001617432