Error getting a security token from the ADFS server
Keywords: token error security obtain adfs server | Updated: 2023-09-27 18:19:31
To authenticate against ADFS and inspect the claims, I want to obtain a security token from the ADFS server. However, the sample code I am using always produces an error when requesting the token. The sample code is as follows:
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Thinktecture.IdentityModel.WSTrust; // assumed: WIF 4.5 does not ship UserNameWSTrustBinding; this package does

// Values the snippet refers to (elided in the question). The endpoint path is the standard
// WS-Trust 1.3 username/mixed endpoint and is an assumption; all four are placeholders.
private static readonly string adfsEndpoint = "https://<adfs-host>/adfs/services/trust/13/usernamemixed";
private static readonly string username = "<domain\\user>";
private static readonly string password = "<password>";
private static readonly string realm = "<relying party identifier>"; // must match a relying party trust identifier exactly

private static SecurityToken RequestSamlToken()
{
    // Username/password sent as a message credential over TLS (TransportWithMessageCredential).
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(adfsEndpoint));
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;

    // Request a bearer token scoped (AppliesTo) to the realm. ADFS only issues it when a
    // relying party trust carries this identifier.
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        AppliesTo = new EndpointReference(realm)
    };
    return factory.CreateChannel().Issue(rst);
}
I get the following error:
An unhandled exception of type 'System.ServiceModel.FaultException' occurred in System.ServiceModel.dll. Additional information: ID3082: The request scope is not valid or is unsupported.
Is there any configuration missing on the ADFS server that prevents it from issuing the token? Another code snippet, which uses IdP-initiated sign-on, does produce a SAML token. The ADFS properties are as follows:
AcceptableIdentifiers : {}
AddProxyAuthorizationRules : exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^AD AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustManagerSid({0})", param=c.Value );
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0})", param=c.Value );
ArtifactDbConnection : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsArtifactStore;Integrated Security=True
AuthenticationContextOrder : {urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateSharingContainer : CN=6b987b00-35ce-44d9-97c8-561b6f1ac3dd,CN=ADFS,CN=Microsoft,CN=Program Data,DC=sciemetricdev,DC=com
CertificateThresholdMultiplier : 1440
ClientCertRevocationCheck : None
ContactPerson :
DisplayName : ADFS
IntranetUseLocalClaimsProvider : False
ExtendedProtectionTokenCheck : Allow
FederationPassiveAddress : /adfs/ls/
HostName : *************.com
HttpPort : 80
HttpsPort : 443
TlsClientPort : 49443
Identifier : http://*******.com/adfs/services/trust
InstalledLanguage : en-US
LogLevel : {Errors, Information, Verbose, Warnings}
MonitoringInterval : 1440
NetTcpPort : 1501
NtlmOnlySupportedClientAtProxy : False
OrganizationInfo :
PreventTokenReplays : False
ProxyTrustTokenLifetime : 21600
ReplayCacheExpirationInterval : 60
SignedSamlRequestsRequired : False
SamlMessageDeliveryWindow : 5
SignSamlAuthnRequests : False
SsoLifetime : 480
PersistentSsoLifetimeMins : 10080
KmsiLifetimeMins : 1440
PersistentSsoEnabled : True
PersistentSsoCutoffTime : 1/1/0001 12:00:00 AM
KmsiEnabled : False
LoopDetectionEnabled : True
LoopDetectionTimeIntervalInSeconds : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes : 60
SendClientRequestIdAsQueryStringParameter : False
WIASupportedUserAgents : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
ExtranetLockoutThreshold : 2147483647
ExtranetLockoutEnabled : False
ExtranetObservationWindow : 00:30:00
It looks like you have not created a relying party in ADFS for the URL you pass in the rst.AppliesTo property (the realm variable in your code).
The tokens you receive from ADFS are not generic; they are only valid for accessing the specific server you pass in that property of the request. Even for the same user identity, if you need to access another server you need to obtain another token from ADFS.
Also, you will not be able to inspect the claims in the application that requests the token. You need to pass the token to the server and let the server show you the claims.
Here is an example of such a server application: http://blogs.technet.com/b/tangent_thoughts/archive/2015/02/20/install-and-configure-a-simple-net-4-5-sample-federated-application-samapp.aspx
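To confirm the mismatch the answer describes before touching the client code, here is an added PowerShell check (not from the question or the answer) to run on the ADFS server with the ADFS module available. It assumes the client's realm value is passed as -Realm and relies on the Get-AdfsRelyingPartyTrust cmdlet; the realm in the usage line is a placeholder.

```powershell
# Added example: verify that the AppliesTo value (the client's "realm") is the identifier of an
# enabled relying party trust. ADFS answers ID3082 when no trust carries that identifier.
function Test-AdfsRelyingPartyForRealm {
    param([Parameter(Mandatory = $true)][string]$Realm)

    # ADFS matches AppliesTo against trust identifiers literally, so query for the exact value.
    $rp = Get-AdfsRelyingPartyTrust -Identifier $Realm
    if ($null -eq $rp) {
        # Look for near misses (trailing slash, letter case) that explain the rejection.
        $wanted = $Realm.TrimEnd('/').ToLowerInvariant()
        $near = Get-AdfsRelyingPartyTrust | Where-Object {
            @($_.Identifier | ForEach-Object { $_.TrimEnd('/').ToLowerInvariant() }) -contains $wanted
        }
        if ($near) {
            Write-Warning ("No trust has identifier '{0}' exactly; '{1}' is identified as: {2}" -f
                $Realm, ($near.Name -join ', '), ($near.Identifier -join ', '))
        } else {
            Write-Warning "No relying party trust has identifier '$Realm'; ADFS rejects such requests with ID3082."
        }
        return $false
    }
    if (-not $rp.Enabled) {
        Write-Warning "Relying party trust '$($rp.Name)' matches '$Realm' but is disabled."
        return $false
    }
    # Show the authorization rules so you can confirm the calling user is actually permitted
    # rather than granting a blanket permit to every authenticated user.
    Write-Host "Trust '$($rp.Name)' is enabled for identifier '$Realm'."
    Write-Host "Issuance authorization rules:`n$($rp.IssuanceAuthorizationRules)"
    return $true
}

# Usage (placeholder realm; replace it with the value the client passes as AppliesTo):
Test-AdfsRelyingPartyForRealm -Realm 'https://<app-host>/'
```

If the check reports no trust, create one with Add-AdfsRelyingPartyTrust using the exact realm string as -Identifier, then re-run the client code unchanged.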