How to pass a certificate to WSTrust to obtain a SAML token
Problem description:
Below is an example of using WSTrustChannelFactory to obtain a token. From here.
var stsBinding = new WS2007HttpBinding();
stsBinding.Security.Mode = SecurityMode.TransportWithMessageCredential;
stsBinding.Security.Message.EstablishSecurityContext = false;
stsBinding.Security.Message.NegotiateServiceCredential = false;
stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
    stsBinding,
    new EndpointAddress(tokenurl));
trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;

// Look the client certificate up in LocalMachine\My by serial number
X509Store myStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
myStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection coll = myStore.Certificates.Find(X509FindType.FindBySerialNumber, "MycertSerialNumber", true);
myStore.Close();
if (coll.Count == 0)
    throw new InvalidOperationException("Client certificate not found in store.");
X509Certificate2 cert = coll[0];
trustChannelFactory.Credentials.ClientCertificate.Certificate = cert;

// Build the RST and ask the STS to issue a SAML token
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue, keyType);
rst.AppliesTo = new EndpointAddress(realm);
rst.TokenType = SecurityTokenTypes.Saml;
RequestSecurityTokenResponse rstr = null;
SecurityToken token = channel.Issue(rst, out rstr);
Now, I do not have a username/password, but the provider gave me a certificate .pfx file. How do I pass it to WSTrustChannelFactory? I tried using CertificateBinding but had no success.
Updated the code above: 2014-11-05:
Getting this error: ID3242: The security token could not be authenticated or authorized.
Answer
Use the ClientCertificate property:
var stsBinding = new WS2007HttpBinding();
stsBinding.Security.Mode = SecurityMode.TransportWithMessageCredential;
stsBinding.Security.Message.EstablishSecurityContext = false;
stsBinding.Security.Message.NegotiateServiceCredential = false;
// select the authentication mode of Client Certificate
stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

var wifChannelFactory = new WSTrustChannelFactory(stsBinding, stsEndpoint);
wifChannelFactory.TrustVersion = TrustVersion.WSTrust13;

// Supply the credentials
wifChannelFactory.Credentials.ClientCertificate.Certificate = config.Certificate;
You can import the PFX into your certificate store via the certmgr.msc snap-in. Make sure the account your application runs under has access to the private key. You can use the X509Certificate2 class to reference it in the store.
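Mitch's private-key point carried into code, as an added example that is not code from the question or either answer: it finds the imported PFX by thumbprint, verifies that the account running the code can actually read the private key (the usual cause of a silent authentication failure after a PFX import), and only then issues the certificate-authenticated RST. `StsCertificateClient` is a name chosen here, and the thumbprint, STS URL and audience URI are parameters you supply.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

static class StsCertificateClient
{
    // Find the imported PFX by thumbprint and fail early, with a specific message, if this account cannot use its key.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a certificate with a chain problem is still reported rather than silently skipped
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + thumbprint + " in LocalMachine\\My.");
            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; re-import the PFX including its key.");
            // Reading the key forces the key ACL check; CryptographicException means the account lacks read access
            try { var unused = cert.PrivateKey; }
            catch (CryptographicException ex) { throw new InvalidOperationException("Private key not readable by this account.", ex); }
            return cert;
        }
        finally { store.Close(); }
    }

    // Certificate-authenticated WS-Trust 1.3 Issue request for a SAML token, same binding as the question
    public static SecurityToken RequestSamlToken(X509Certificate2 cert, Uri stsUrl, string appliesTo)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsUrl));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.ClientCertificate.Certificate = cert;
        var rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Bearer)
        {
            // Must be the audience URI the STS has registered for the relying party; a mismatch yields ID3242
            AppliesTo = new EndpointReference(appliesTo),
            TokenType = SecurityTokenTypes.Saml
        };
        return factory.CreateChannel().Issue(rst);
    }
}
```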
Answer
Here you go.
private static SecurityToken RequestSecurityToken()
{
    // set up the ws-trust channel factory (certificate binding, since the credential below is a certificate)
    var factory = new WSTrustChannelFactory(
        new CertificateWSTrustBinding(
            SecurityMode.TransportWithMessageCredential),
        _idpAddress);
    factory.TrustVersion = TrustVersion.WSTrust13;

    var authCertificate = X509.LocalMachine.My.Thumbprint.Find(Properties.Settings.Default.RassCertificateThumbprint).FirstOrDefault();
    if (authCertificate == null)
        throw new InternalException(String.Format("No authentication certificate found in store with thumbprint {0}.", Properties.Settings.Default.RassCertificateThumbprint));

    // authentication is based on the RASS certificate
    factory.Credentials.ClientCertificate.Certificate = authCertificate;

    // create token request
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Symmetric,
        AppliesTo = new EndpointReference(_serviceAddress.AbsoluteUri)
    };

    // request token and return
    return factory.CreateChannel().Issue(rst);
}
By the way: @Mitch is right about access to the private key. I just took your approach and replaced a few lines of code.
Mitch, your suggestion got me further than I was before, but now I get this error: ID3242: The security token could not be authenticated or authorized. – gbs 2014-11-05 17:08:04
@gbs, I assume you mean you get this error when you try to use the token you received. ID3242 is usually caused by specifying the wrong audience URI. Make sure your AppliesTo matches what the STS expects and what the RP is configured to accept. The other possibility is that the signing or encryption certificate configured on the STS does not match the RP. – Mitch 2014-11-06 00:07:24
Not when using it, but when requesting the token. The STS sends me that error. I have sent it to the provider and they are looking into it as well. – gbs 2014-11-06 00:28:43