当我正在开发的权利要求知道WCF应用程序像你这样的,我通过这个link,这让我明白它是如何工作跑了。唯一与您的需求不太相似的是它不是ADFS 3.0。
我不认为你可以同时使用内部用户的ADFS和外部的“like membership”。我所知道的是,您可以信任其他公司的ADFS作为其他身份提供者。
如果你指的是如何在这里建立声明感知WCF是一些可用链接。
尽管如此,link仍然活跃,支持.NET 4.5 & 4.6和WIF已经是框架的一部分,不像以前,你需要安装WIF。
下面是我的WCF服务配置的片段:
绑定
<bindings>
<ws2007FederationHttpBinding>
<binding name="ws2007FederationHttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" negotiateServiceCredential="false">
<issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex"/>
<issuer address="https://<asfs aserver>:9643/adfs/services/trust/13/usernamemixed"/>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
身份配置
<system.identityModel>
<identityConfiguration name="serviceidentity">
<audienceUris mode="Never">
<add value="https://localhost/FedSecurity/"/>
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://<asfs aserver>:9643/adfs/services/trust">
<keys >
<add thumbprint="8D6BF173ERERERFDFE9CE9CD0FB57FB57A5D68403EA88" name="http://<asfs aserver>:9643/adfs/services/trust" />
</keys>
<validIssuers>
<add name="http://<asfs aserver>:9643/adfs/services/trust" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
片段我的WCF客户端的配置
<system.serviceModel>
<bindings>
<ws2007FederationHttpBinding>
<binding name="ws2007FederationHttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false">
<issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"
binding="ws2007HttpBinding" bindingConfiguration="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed" />
<issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex" />
<tokenRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</trust:SecondaryParameters>
</tokenRequestParameters>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding name="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/FedSecurity/CloudService.svc"
binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding"
contract="CloudBeta.ICloudSevice" name="ws2007FederationHttpBinding" />
</client>
</system.serviceModel>
附加信息:
- 我使用ADFS 2.0与用户名的身份验证与 我们的活动目录
- 添加依赖方没有在这里,但需要讨论的添加凭据。
- 认证令牌的加密/解密还需要
- (AFDS的党)在ADFS
添加索赔我希望这个信息能帮助你!
建立自定义STS不是一个好主意。如果你弄错了,很难让一切都正确,很多事情都会崩溃。改为配置维护的产品。 – flup
维护产品,您可以建议一个。我写了大量.net会员供应商,这绝不是一个好主意,我没有选择使用第三方项目。如果有人能够指引我朝着正确的方向而不是仅仅说它不是一个好主意,我就可以迎接挑战。你能给我比这更多吗? – Fab
特定的身份服务器,为什么这是一个坏主意? – flup