我想了解我需要开发一个框架使用WCF,索赔和ADFS 3.0。内部用户将根据Active Directory进行身份验证,外部用户根据SQL Server表进行身份验证,并将授权存储在实施组和权限的数据库表中。我使用WCF而不是Web Api或OWIN创建API。WCF,索赔,ADFS 3.0
我没有兴趣在使用Identity Server或第三方产品,我只是想知道我是如何创建自定义安全令牌服务从我的会员表读取和设置通过我的组和权限表索赔。
我可以找到任何这没有任何信息。在Visual Studio 2015中没有标识和访问控制,似乎没有使用WCF的东西,只使用Web Api,OWIN和MVC?
这篇文章似乎有一个良好的开端你,http://southworks.com/blog/2007/03/11/the-holly-grail-of-enterprise-soa-security/
,这里是我在我的MVC应用程序使用的代码(不WCF,但许多需要做的事情是一样的)
var claims = new List<Claim>()
{
new Claim(ClaimTypes.Name, result.UserName),
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", result.Email),
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider",
result.Email),
new Claim("UserId", result.Id.ToString(CultureInfo.InvariantCulture)),
new Claim("UserName", result.UserName),
new Claim("FirstName", result.FirstName)
};
//load claims from database here
claims.AddRange(result.Roles.Select(role => new Claim(ClaimTypes.Role, role.Name)));
var id = new ClaimsIdentity(claims, "Forms");
var cp = new ClaimsPrincipal(id);
var token = new SessionSecurityToken(cp)
{
IsPersistent = false
};
Session["authToken"] = token;
var sam = FederatedAuthentication.SessionAuthenticationModule;
sam.WriteSessionTokenToCookie(token);
当我正在开发的权利要求知道WCF应用程序像你这样的,我通过这个link,这让我明白它是如何工作跑了。唯一与您的需求不太相似的是它不是ADFS 3.0。
我不认为你可以同时使用内部用户的ADFS和外部的“like membership”。我所知道的是,您可以信任其他公司的ADFS作为其他身份提供者。
如果你指的是如何在这里建立声明感知WCF是一些可用链接。
尽管如此,link仍然活跃,支持.NET 4.5 & 4.6和WIF已经是框架的一部分,不像以前,你需要安装WIF。
下面是我的WCF服务配置的片段:
绑定
<bindings>
<ws2007FederationHttpBinding>
<binding name="ws2007FederationHttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" negotiateServiceCredential="false">
<issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex"/>
<issuer address="https://<asfs aserver>:9643/adfs/services/trust/13/usernamemixed"/>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
身份配置
<system.identityModel>
<identityConfiguration name="serviceidentity">
<audienceUris mode="Never">
<add value="https://localhost/FedSecurity/"/>
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://<asfs aserver>:9643/adfs/services/trust">
<keys >
<add thumbprint="8D6BF173ERERERFDFE9CE9CD0FB57FB57A5D68403EA88" name="http://<asfs aserver>:9643/adfs/services/trust" />
</keys>
<validIssuers>
<add name="http://<asfs aserver>:9643/adfs/services/trust" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
片段我的WCF客户端的配置
<system.serviceModel>
<bindings>
<ws2007FederationHttpBinding>
<binding name="ws2007FederationHttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false">
<issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"
binding="ws2007HttpBinding" bindingConfiguration="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed" />
<issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex" />
<tokenRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</trust:SecondaryParameters>
</tokenRequestParameters>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding name="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/FedSecurity/CloudService.svc"
binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding"
contract="CloudBeta.ICloudSevice" name="ws2007FederationHttpBinding" />
</client>
</system.serviceModel>
附加信息:
添加索赔我希望这个信息能帮助你!
建立自定义STS不是一个好主意。如果你弄错了,很难让一切都正确,很多事情都会崩溃。改为配置维护的产品。 – flup
维护产品,您可以建议一个。我写了大量.net会员供应商,这绝不是一个好主意,我没有选择使用第三方项目。如果有人能够指引我朝着正确的方向而不是仅仅说它不是一个好主意,我就可以迎接挑战。你能给我比这更多吗? – Fab
特定的身份服务器,为什么这是一个坏主意? – flup