WCF: UseStrTransform with IssuedToken produces SecurityTokenReference with duplicated Id

Posted 2019-10-23 01:02

I am implementing a service that needs to comply with http://www.projectliberty.org/liberty/content/download/4712/32213/file/Liberty-Basic-SOAP-Binding-1.0_Final.pdf using WCF and WIF 4.5.

The specification requires that the STR transform must be used. The final message may look like:

    <Assertion ID="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" IssueInstant="2015-05-08T09:07:09.311Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
       ...
    </Assertion>
    <o:SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" u:Id="str1" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_f23ef5f3-9efb-40f0-bf38-758d3a9589db</o:KeyIdentifier>
    </o:SecurityTokenReference>

If I use the following binding:

    // Asymmetric binding: the initiator signs with the key proven by its issued SAML 2.0 token,
    // the recipient (service) is identified by its X.509 certificate.
    var messageSecurity = new AsymmetricSecurityBindingElement();

    messageSecurity.AllowSerializedSigningTokenOnReply = true;
    messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
    messageSecurity.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
    messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;

    // Initiator token: the issued SAML 2.0 assertion, referenced from the signature via an STR transform
    var initiator = new CustomIssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
    messageSecurity.ProtectTokens = true;
    initiator.UseStrTransform = true;
    initiator.KeyType = SecurityKeyType.AsymmetricKey;
    initiator.RequireDerivedKeys = false;
    // assign the parameters so the binding actually uses them
    messageSecurity.InitiatorTokenParameters = initiator;

The generated message is:

    <Assertion ID="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" IssueInstant="2015-05-08T09:07:09.311Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
       ...
    </Assertion>
    <o:SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" u:Id="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_f23ef5f3-9efb-40f0-bf38-758d3a9589db</o:KeyIdentifier>
    </o:SecurityTokenReference>

What is incorrect is that the SecurityTokenReference element has the same Id as the Assertion element, which produces this error:

    <Message>The '_f23ef5f3-9efb-40f0-bf38-758d3a9589db' id occurred twice in the message that is supplied for verification.</Message>
    <StackTrace>
    at System.ServiceModel.Security.ReceiveSecurityHeaderElementManager.VerifyIdUniquenessInSecurityHeader(String id)

Looking at the WCF source code tells me that WCF always sets the Id of the SecurityTokenReference to the Id of the referenced element. To overcome this, I created a custom Parameters class:

    using System.IdentityModel.Tokens;
    using System.ServiceModel.Security.Tokens;

    public class CustomIssuedSecurityTokenParameters : IssuedSecurityTokenParameters
    {
        // ... (other members elided in the original post)

        // constructor matching the usage in the binding code above
        public CustomIssuedSecurityTokenParameters(string tokenType) : base(tokenType) { }

        // WCF gives the SecurityTokenReference the same Id as the element it points at;
        // clearing the clause Id here is an attempt to avoid the duplicate-id error.
        protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
        {
            var clause = base.CreateKeyIdentifierClause(token, referenceStyle);
            clause.Id = "";
            return clause;
        }
    }

If I use the custom class, another error pops up:

    <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
    <Message>Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Saml2AssertionKeyIdentifierClause( Id = '_str1' )
    )
    ', available tokens 'SecurityTokenResolver
    (
    TokenCount = 1,
    TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.IdentityModel.Tokens.Saml2SecurityToken, Parameters=Kombit.Samples.Common.Binding.CustomIssuedSecurityTokenParameters:
    InclusionMode: AlwaysToRecipient
    ReferenceStyle: Internal
    RequireDerivedKeys: False
    TokenType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
    KeyType: AsymmetricKey
    KeySize: 0
    IssuerAddress: null
    IssuerMetadataAddress: null
    DefaultMessgeSecurityVersion: null
    UseStrTransform: True
    IssuerBinding: null
    ClaimTypeRequirements: none)
    )

Can anyone please tell me a way to make the UseStrTransform setting work? What am I missing here?

Source: WCF: UseStrTransform with IssuedToken produces SecurityTokenReference with duplicated Id