如何配置WCF以使用Azure ACS的URN格式的自定义Realm?

时间:2011-04-08 17:01:18

标签: wcf azure wif federated-identity acs

如何使用ACS对我的内部托管的WCF服务进行WCF客户端身份验证?问题围绕设置自定义Realm(我无法弄清楚如何设置)。

我的ACS配置类似于the ACS Samples,但“领域”的定义如下所示。

摘自Azure ACS配置页

realm definition

客户端代码 

      EndpointAddress serviceEndpointAddress = new EndpointAddress( new Uri( "http://localhost:7000/Service/Default.aspx"),  
                                                                      EndpointIdentity.CreateDnsIdentity( GetServiceCertificateSubjectName() ),
                                                                      new AddressHeaderCollection() );

        ChannelFactory<IStringService> stringServiceFactory = new ChannelFactory<IStringService>(Bindings.CreateServiceBinding("https://agent7.accesscontrol.appfabriclabs.com/v2/wstrust/13/certificate"), serviceEndpointAddress );

        // Set the service credentials.
        stringServiceFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        stringServiceFactory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

        // Set the client credentials.
        stringServiceFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();

服务器端代码 

 string acsCertificateEndpoint = String.Format( "https://{0}.{1}/v2/wstrust/13/certificate", AccessControlNamespace, AccessControlHostName );

        ServiceHost rpHost = new ServiceHost( typeof( StringService ) );

        rpHost.Credentials.ServiceCertificate.Certificate = GetServiceCertificateWithPrivateKey();

        rpHost.AddServiceEndpoint( typeof( IStringService ),
                                   Bindings.CreateServiceBinding( acsCertificateEndpoint ),
                                   "http://localhost:7000/Service/Default.aspx"
                                   );

        //
        // This must be called after all WCF settings are set on the service host so the
        // Windows Identity Foundation token handlers can pick up the relevant settings.
        //
        ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
        serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

        // Accept ACS signing certificate as Issuer.
        serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry( GetAcsSigningCertificate().SubjectName.Name );

        // Add the SAML 2.0 token handler.
        serviceConfiguration.SecurityTokenHandlers.AddOrReplace( new Saml2SecurityTokenHandler() );

        // Add the address of this service to the allowed audiences.
        serviceConfiguration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add( new Uri( "urn:federation:customer:222:agent:11") );

        FederatedServiceCredentials.ConfigureServiceHost( rpHost, serviceConfiguration );

        return rpHost;

...其中urn:federation:customer:222:agent:11是依赖方ID

... http://localhost:7000/Service/Default.aspx是我希望上述WCF / WIF客户端在进行ACS身份验证后绑定到的位置。

问题

如何编辑上面的代码,以便客户端和服务器都可以针对某个端口(localhost:700)以及urn领域进行操作:federation:customer:222:agent:11

我认为我的服务器代码是正确的;但是如何在客户端设置AudienceRestriction

3 个答案:

答案 0 :(得分:4)

您的服务器端代码看起来不错,但Sixto对标准渠道工厂是正确的。幸运的是,您可以使用WSTrustChannelFactory自行从ACS请求安全令牌。在您的示例的上下文中,您的代码将如下所示:

//
// Get the token from ACS
//
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
    Bindings.CreateAcsCertificateBinding(),
    new EndpointAddress( acsCertificateEndpoint ) );
trustChannelFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();

RequestSecurityToken rst = new RequestSecurityToken()
{
    RequestType = RequestTypes.Issue,
    AppliesTo = new EndpointAddress( new Uri( "urn:federation:customer:222:agent:11" ) ),
    KeyType = KeyTypes.Symmetric
};

WSTrustChannel wsTrustChannel = (WSTrustChannel)trustChannelFactory.CreateChannel();
SecurityToken token = wsTrustChannel.Issue( rst );

//
// Call StringService, authenticating with the retrieved token
//
WS2007FederationHttpBinding binding = new WS2007FederationHttpBinding( WSFederationHttpSecurityMode.Message );
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.NegotiateServiceCredential = false;

ChannelFactory<IStringService> factory = new ChannelFactory<IStringService>(
    binding,
    new EndpointAddress(
            new Uri( ServiceAddress ),
            EndpointIdentity.CreateDnsIdentity(GetServiceCertificateSubjectName()) ) );
factory.ConfigureChannelFactory<IStringService>();
factory.Credentials.SupportInteractive = false;
factory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

IStringService channel = factory.CreateChannelWithIssuedToken<IStringService>( token );
string reversedString = channel.Reverse( "string to reverse" );

答案 1 :(得分:1)

有些答案可能迟到总比没有好。我一直无法找到任何关于以这种方式使用WCF的官方文档,但是在阅读WS-Trust论文和MSDN配置文档时,我提出了以下解决方案似乎有效。

来自configuration/system.serviceModel/bindings/ws2007FederationHttpbinding/binding/security/message的服务使用客户端配置。它会覆盖令牌请求消息的AppliesTo元素。

<tokenRequestParameters>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>urn:x-Organization:Testing</Address>
    </EndpointReference>
  </wsp:AppliesTo>
</tokenRequestParameters>

在服务配置中添加相同的代码段将使服务引用实用程序将其包含在服务客户端的trust:SecondaryParameters元素中。必须将其移动到父tokenRequestParameters元素才能正常工作。

答案 2 :(得分:0)

实际上没有试过the approach referenced in this MSDN article但是从阅读起来听起来就像标准频道工厂没有合适的钩子来做你想要的。 WSTrustChannelFactory专为WIF&amp; SAML,但我不熟悉ACS以确定它是否适用。这个article in this six-part series也可能值得仔细阅读。

相关问题
最新问题