在.net Web API中,如何配置Thinktechture Saml2SecurityTokenHandler以使用X509证书来处理加密的SAML2安全令牌(在验证之前对其进行解密).
通过将RP配置为使用证书进行加密,Identity Server会对令牌进行加密.
以下是从Thinktechture示例中获取的工作配置(不处理加密令牌):
#region IdentityServer SAML
authentication.AddSaml2(
issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,issuerName: Constants.IdSrv.IssuerUri,audienceUri: Constants.Realm,certificateValidator: X509CertificateValidator.None,options: Authenticationoptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
#endregion
解决方法
要使用Web API启用加密令牌,我发现这有用:
http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx
接下来,您将看到使用LocalMachine存储中的X509证书在SecurityTokenHandlerCollection的Configuration属性上设置ServicetokenResolver属性的代码. Configuration属性是SecurityTokenHandlerConfiguration,它是来自ThinkTecture.IdentityModel源的AuthenticationConfigurationExtensionsCore.cs中AddSaml2扩展方法的重载参数之一.以下是我最终的结果.
var registry = new ConfigurationBasedissuerNameRegistry(); registry.AddTrustedissuer(Constants.IdSrv.SigningCertThumbprint,Constants.IdSrv.IssuerUri); var handlerConfig = new SecurityTokenHandlerConfiguration(); handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm)); handlerConfig.IssuerNameRegistry = registry; handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting(); X509Store store = new X509Store(StoreName.My,StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection certificates = store.Certificates; X509Certificate2Collection matchingCertificates = certificates.Find( X509FindType.FindBySubjectdistinguishedname,"CN=RPTokenCertificate",false); X509Certificate2 certificate = certificates[0]; List<SecurityToken> servicetokens = new List<SecurityToken>(); servicetokens.Add(new X509SecurityToken(certificate)); SecurityTokenResolver serviceResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver( servicetokens.AsReadOnly(),false); handlerConfig.ServicetokenResolver = serviceResolver; authentication.AddSaml2(handlerConfig,Authenticationoptions.ForAuthorizationHeader(SamlScheme),AuthenticationScheme.SchemeOnly(SamlScheme));
希望能帮助到你.
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 [email protected] 举报,一经查实,本站将立刻删除。
