我正在尝试编写一个调用REST服务的Web应用程序。 REST服务需要为用户提供OAuth令牌。使用用户的用户名和密码,我能够获得一个SAML令牌(下面的第一个断言),OAuth STS可以使用它来向我发出有效的OAuth令牌。因为我在Web应用程序中,所以我更倾向于使用ActAs SAML令牌,而不是提示已经使用域(SSO)进行身份验证的用户的用户名和密码。当我配置ADFS 2.0以发出ActAs令牌(下面的第二个断言)时,它缺少断言的AuthnStatement部分。 OAuth STS正在抱怨这一点。联系他们的支持他们告诉我配置ADFS 2.0以包含可能带有自定义规则的断言中的AuthnStatement。这两者之间当前ADFS 2.0配置的唯一区别是“授权”选项卡。代码中唯一的区别是使用了其凭据(实际用户与委派用户)并在RST上设置了ActAs属性。
有没有办法配置ADFS 2.0来包含它?我不认为自定义规则会对我有任何好处,因为自定义规则只会创建更多声明,而AuthnStatement不是声明。
用于创建令牌的代码:
var rst = new RequestSecurityToken
{
RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue",
AppliesTo = new EndpointReference("https://rpserver.mydomain.com/sap/bc/sec/oauth2/token"),
KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer",
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
//commented for actual user and uncommented for ActAs
//the token is from the actual user
//ActAs = new SecurityTokenElement(token)
};
使用实际用户的用户名和密码检索SAML令牌。
<Assertion ID="_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5" IssueInstant="2014-06-18T12:49:32.815Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
G4LDaRLEEgsKa1/kRwFo+X2BWv0z32Mi0QRym5GlteU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:54:32.815Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:49:32.794Z" NotOnOrAfter="2014-06-18T13:49:32.794Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>
USERIDGOESHERE</AttributeValue>
</Attribute>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2014-06-18T12:49:32.721Z">
<AuthnContext>
<AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
使用委托使用通用帐户的用户名和密码检索SAML令牌。
<Assertion ID="_23107d88-d82d-4fa8-b12a-a447aeb6d5f2" IssueInstant="2014-06-18T12:26:03.005Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_23107d88-d82d-4fa8-b12a-a447aeb6d5f2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
sKf+1gtkbA9Hbk3H82j9dXf7zlebd3EOcrqlMyygpoY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:31:03.005Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:26:02.872Z" NotOnOrAfter="2014-06-18T13:26:02.872Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor">
<AttributeValue>
<Actor><Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="client_id" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>MLM_MAT_USER</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue a:type="tn:dateTime" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">2014-06-18T12:26:02.681Z</AttributeValue></Attribute></Actor></AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
答案 0 :(得分:0)
我直接联系了Microsoft支持,这里是一个意译。 &#34;它无法完成,而且设计无法完成。&#34;