c# – Calling a WCF service with the token issued by an STS

I have been staring at this all day to no avail and I am out of ideas. The IP-STS handles the login, then passes on to the RP-STS, which populates the token with claims, and from there on to the website. That works fine. I have some WCF functionality on the IP-STS, such as change password / reset password, that I need to access. From what I have read, I should be able to send the already-issued token to the WCF service to prove the user is authenticated. From what I can see it does send a token, but not correctly and not in the way I want, because it seems to require a username.

Ideally I want it to take the token already issued to the user, without having to re-request or re-create anything, and definitely without needing a username/password.

The error I currently get is:
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

Detail:
The message could not be processed. This is most likely because the action 'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.

Here are the relevant bits of my web.config files.

Client web.config

<system.serviceModel>
<bindings>
  <customBinding>
    <binding name="UsernameBinding">
      <security authenticationMode="UserNameForCertificate"
                requireSecurityContextCancellation="false"
                requireSignatureConfirmation="false"
                messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                requireDerivedKeys="true">
      </security>
      <httpTransport/>
    </binding>
  </customBinding>
  <wsFederationHttpBinding>
    <binding name="HTTPEndpoint" closeTimeout="00:10:00" openTimeout="00:10:00"
      receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
      transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
      textEncoding="utf-8" useDefaultWebProxy="true">
      <security mode="Message">
        <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false">
          <claimTypeRequirements>

            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
          </claimTypeRequirements>

          <issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
            <identity>
              <certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
            </identity>
          </issuer>
        </message>

      </security>
    </binding>
  </wsFederationHttpBinding>
</bindings>

<behaviors>
  <!-- Credentials configuration -->
  <endpointBehaviors>
    <behavior name="ServiceBehavior">
      <clientCredentials>

        <clientCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <defaultCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
          <authentication certificateValidationMode="PeerOrChainTrust"  />
        </serviceCertificate>

      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

<client>
  <endpoint address="http://localhost:13422/MembershipService"
    binding="wsFederationHttpBinding" bindingConfiguration="HTTPEndpoint"
    contract="MembershipService.IAccountMembershipService" name="HTTPEndpoint" behaviorConfiguration="ServiceBehavior">
    <identity>
      <dns value="localhost"/>
    </identity>
  </endpoint>
</client>

Service side:

<system.serviceModel>

<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true">
  <serviceActivations>
    <add relativeAddress="IAccountMembershipService.svc" service="AccountMembershipService" factory="System.ServiceModel.Activation.WebServiceHostFactory" />
  </serviceActivations>
</serviceHostingEnvironment>

<bindings>
  <wsHttpBinding>
    <binding name="federationBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" openTimeout="00:10:00">

      <security mode="Message">
        <message negotiateServiceCredential="true" />
      </security>
    </binding>

  </wsHttpBinding>
  <wsFederationHttpBinding>
    <binding name="federationBinding" closeTimeout="00:10:00" openTimeout="00:10:00"
      receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
      transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
      textEncoding="utf-8" useDefaultWebProxy="true">

      <security mode="Message">
        <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false">
          <claimTypeRequirements>

            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
          </claimTypeRequirements>

          <issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
            <identity>
              <certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
            </identity>
          </issuer>
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>
</bindings>


<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceMetadata httpGetEnabled="true" />

      <serviceCredentials>
        <serviceCertificate findValue="CN=STSTestCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>

      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

<extensions>
  <behaviorExtensions>
    <!-- This behavior extension will enable the service host to be Claims aware -->
    <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement,Microsoft.IdentityModel,Version=0.6.1.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35"/>
  </behaviorExtensions>
</extensions>

<services>
  <service behaviorConfiguration="serviceBehavior" name="STS.IP.Models.AccountMembershipService">
    <endpoint binding="wsFederationHttpBinding" bindingConfiguration="federationBinding" name="HTTPEndpoint" contract="STS.IP.Infrastructure.IAccountMembershipService" >
      <identity>
        <dns value="localhost"/>
      </identity>
    </endpoint>
    <!-- <endpoint binding="wsHttpBinding" bindingConfiguration="" name="HTTPEndpoint" contract="aurora.WCFIsAlive.IIsAlive" />-->

  </service>
</services>

Sorry for the massive paste, but hopefully someone can spot my mistake.
Or am I simply approaching this the wrong way?

Solution

I don't know whether this helps at all, but it may be somewhat related... You can reuse an issued token; it is something I have done before. My scenario was that an ASP.NET site or WCF service was secured with WIF, but that ASP.NET site or WCF service needed to call another service that required a SAML token / WIF, and so on. You can reuse the token if you set WIF to use bootstrapping, as long as the second web service trusts the same STS.

http://msdn.microsoft.com/en-us/library/ee517256.aspx#_bootstrap

The configuration setting lives under:

<microsoft.IdentityModel><service><securityTokenHandlers>:

and is this value:

<securityTokenHandlerConfiguration saveBootstrapTokens="true" />
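As an added example (it is not code from the question or the answer above), this is what the bootstrap-token reuse the answer describes looks like in C# against WIF 1.0's Microsoft.IdentityModel API, which is the assembly the question's config references. It assumes saveBootstrapTokens has been enabled as above, that the call is made from the WIF-secured ASP.NET site after the user has signed in, and that the `<client>` endpoint it names (`HTTPEndpoint`, the name from the question's web.config) uses a federation binding. The class and method names (`BootstrapTokenClient`, `GetBootstrapToken`, `GetAudiences`, `Call`) and the `ChangePassword` operation in the usage comment are this example's own inventions, not part of the question's contract.

```csharp
// Added example, not from the original post. Reuse the SAML token the STS issued to this
// WIF-secured ASP.NET relying party to call a downstream WCF service that trusts the same STS,
// without a second RST/Issue to the STS and without a username/password.
// Assumes WIF 1.0 (Microsoft.IdentityModel) and saveBootstrapTokens="true" in <microsoft.identityModel>.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust; // ConfigureChannelFactory / CreateChannelWithIssuedToken

public static class BootstrapTokenClient
{
    // Returns the token WIF captured at sign-in, or throws with a reason a developer can act on.
    public static SecurityToken GetBootstrapToken()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("Caller has not been authenticated by WIF.");

        SecurityToken token = identity.BootstrapToken;
        if (token == null)
            throw new InvalidOperationException(
                "No bootstrap token on the identity: enable saveBootstrapTokens and sign in again; " +
                "the token is only captured when the WIF session is created.");

        // The downstream service will reject an expired token anyway, so fail fast here.
        if (token.ValidTo <= DateTime.UtcNow)
            throw new SecurityTokenExpiredException("Bootstrap token expired at " + token.ValidTo.ToString("o"));

        return token;
    }

    // Audience URIs the STS wrote into a SAML 1.1 assertion. The downstream service must list one of
    // them in its own <audienceUris>, otherwise its SAML token handler refuses the token.
    public static IList<Uri> GetAudiences(SecurityToken token)
    {
        var audiences = new List<Uri>();
        var saml = token as SamlSecurityToken;          // WIF's Saml11SecurityToken derives from this
        if (saml == null || saml.Assertion.Conditions == null)
            return audiences;
        foreach (SamlCondition condition in saml.Assertion.Conditions.Conditions)
        {
            var restriction = condition as SamlAudienceRestrictionCondition;
            if (restriction != null)
                audiences.AddRange(restriction.Audiences);
        }
        return audiences;
    }

    // Opens a channel to the endpoint named in <client>, attaches the bootstrap token as the issued
    // token, runs the call and closes the channel cleanly (Abort on fault, never Close).
    public static TResult Call<TChannel, TResult>(string endpointConfigurationName, Func<TChannel, TResult> call)
        where TChannel : class
    {
        SecurityToken token = GetBootstrapToken();

        var factory = new ChannelFactory<TChannel>(endpointConfigurationName);
        factory.ConfigureChannelFactory();                      // install WIF's FederatedClientCredentials
        TChannel channel = factory.CreateChannelWithIssuedToken(token);
        var client = (IClientChannel)channel;
        try
        {
            TResult result = call(channel);
            client.Close();
            return result;
        }
        catch
        {
            client.Abort();
            throw;
        }
        finally
        {
            if (factory.State == CommunicationState.Faulted) factory.Abort(); else factory.Close();
        }
    }
}

// Hypothetical usage from a page in the RP site. IAccountMembershipService is the question's contract;
// "HTTPEndpoint" is the client endpoint name from the question's web.config; ChangePassword is invented.
// bool ok = BootstrapTokenClient.Call<IAccountMembershipService, bool>(
//     "HTTPEndpoint", svc => svc.ChangePassword(userName, oldPassword, newPassword));
```

Two things to check before relying on this. First, the token that arrives through the browser in passive federation is normally a bearer token with no proof key, and a federation binding in Message mode expects a symmetric proof key by default; to send a bearer token the client binding needs `issuedKeyType="BearerKey"`, which WCF only supports over TransportWithMessageCredential (HTTPS). Second, with saveBootstrapTokens on, WIF keeps the whole SAML assertion inside the session token, so it travels in the session cookie and anyone who steals that session can replay the token against every service that trusts the STS until it expires; keep the STS token lifetime short and the audience restriction tight. Note also that in the question's client config the `<issuer address>` is the same URL as the service endpoint, so a binding that is left to fetch its own token sends its RST/Issue to the membership service itself, which matches the RST/Issue action in the fault above; when the token is supplied explicitly as here, the issuer element is not used.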
