Thinktecture - Unable to handle encrypted SAML security tokens in Web API
Keywords: encryption SAML security token API handling Web Thinktecture | Updated: 2023-09-27 18:27:38
In a .NET Web API, how do you configure the Thinktecture Saml2SecurityTokenHandler to use an X509 certificate to handle an encrypted SAML2 security token (decrypting it before it is validated)?
Identity Server encrypts the token because the RP is configured to use a certificate for encryption.
Here is the working configuration, taken from the Thinktecture samples (it does not handle encrypted tokens):
#region IdentityServer SAML
authentication.AddSaml2(
    issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,
    issuerName: Constants.IdSrv.IssuerUri,
    audienceUri: Constants.Realm,
    certificateValidator: X509CertificateValidator.None,
    options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),
    scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
#endregion
To enable encrypted tokens with Web API, I found this helpful: http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx
At the end you will see code that sets the ServiceTokenResolver property on the Configuration property of the SecurityTokenHandlerCollection, using an X509 certificate from the LocalMachine store. The Configuration property is a SecurityTokenHandlerConfiguration, which is one of the parameters of an overload of the AddSaml2 extension method in AuthenticationConfigurationExtensionCore.cs in the Thinktecture.IdentityModel source. Here is what I ended up with.
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(Constants.IdSrv.SigningCertThumbprint, Constants.IdSrv.IssuerUri);

var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting();

// Load the RP certificate whose private key decrypts the EncryptedAssertion.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection matchingCertificates = certificates.Find(
    X509FindType.FindBySubjectDistinguishedName,
    "CN=RPTokenCertificate", false);
store.Close();
if (matchingCertificates.Count == 0)
    throw new InvalidOperationException("RP token certificate not found in LocalMachine\\My.");
// Use the matched certificate, not the first certificate in the whole store.
X509Certificate2 certificate = matchingCertificates[0];

// The service token resolver is what the encrypted-token handler uses to find the decryption key.
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver =
    SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
        serviceTokens.AsReadOnly(), false);
handlerConfig.ServiceTokenResolver = serviceResolver;

authentication.AddSaml2(handlerConfig,
    AuthenticationOptions.ForAuthorizationHeader(SamlScheme),
    AuthenticationScheme.SchemeOnly(SamlScheme));
Hope this helps.
Got this answer from someone:
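As an added example (not code from the answer above, from Thinktecture, or from Identity Server), here is the same configuration pulled into a reusable helper that also covers the two failure modes the answer's code does not check: no matching certificate in the store, and a certificate without a private key, which cannot decrypt anything. The class and method names (EncryptedSamlTokenValidator, LoadDecryptionCertificate, BuildConfiguration, ReadAndValidate) are my own, and the thumbprint, issuer and audience values are assumed to come from the application's configuration. The issuer-certificate validator is left as a parameter rather than hard-coded to X509CertificateValidator.None as in the question's sample, so a deployment with a proper trust chain can pass ChainTrust or PeerTrust instead.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Added example: builds a SecurityTokenHandlerConfiguration that can decrypt an
// EncryptedAssertion with the RP's certificate and validate the inner SAML2 assertion.
public static class EncryptedSamlTokenValidator
{
    // Loads the RP decryption certificate from LocalMachine\My by thumbprint.
    // Decryption needs the private key, so a public-only certificate is rejected here.
    public static X509Certificate2 LoadDecryptionCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Decryption certificate not found: " + thumbprint);
            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Decryption certificate has no private key: " + thumbprint);
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // issuerThumbprint/issuerName: the STS signing certificate and its issuer name.
    // audienceUri: the RP realm. decryptionCert: the RP certificate from the store above.
    public static SecurityTokenHandlerConfiguration BuildConfiguration(
        string issuerThumbprint, string issuerName, string audienceUri,
        X509Certificate2 decryptionCert, X509CertificateValidator issuerCertValidator)
    {
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerThumbprint, issuerName);

        var config = new SecurityTokenHandlerConfiguration();
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
        config.IssuerNameRegistry = registry;
        config.CertificateValidator = issuerCertValidator;

        // The ServiceTokenResolver is where EncryptedSecurityTokenHandler looks up the key
        // that unwraps the EncryptedAssertion; without it an encrypted token cannot be read.
        var serviceTokens = new List<SecurityToken> { new X509SecurityToken(decryptionCert) };
        config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            serviceTokens.AsReadOnly(), canMatchLocalId: false);
        return config;
    }

    // Reads the (possibly encrypted) token XML and validates it; returns the first identity.
    public static ClaimsIdentity ReadAndValidate(string tokenXml, SecurityTokenHandlerConfiguration config)
    {
        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
        using (XmlReader reader = XmlReader.Create(new StringReader(tokenXml)))
        {
            if (!handlers.CanReadToken(reader))
                throw new SecurityTokenException("No registered handler can read this token.");
            SecurityToken token = handlers.ReadToken(reader);
            ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
            return identities.First();
        }
    }
}
```

The configuration returned by BuildConfiguration is the same object the answer above passes to the AddSaml2(handlerConfig, options, scheme) overload, so it can be handed to Thinktecture directly; ReadAndValidate is only there to show the decrypt-then-validate flow in isolation, for a unit test or a diagnostic endpoint.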
using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// pathToSigningCert was an undefined placeholder in the original; it is passed in here.
public ClaimsIdentity DecryptToken(string token, string pathToSigningCert)
{
    XmlReader rdr = XmlReader.Create(new StringReader(token));
    SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
    config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("urn:yourRP"));
    // Both settings below disable validation of the issuer's signing certificate.
    config.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
    config.RevocationMode = X509RevocationMode.NoCheck;
    ConfigurationBasedIssuerNameRegistry inr = new ConfigurationBasedIssuerNameRegistry();
    X509Certificate2 cert = new X509Certificate2(pathToSigningCert);
    inr.AddTrustedIssuer(cert.Thumbprint, "STS Name");
    config.IssuerNameRegistry = inr;
    config.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
    // No ServiceTokenResolver is set here, so this collection has no key for an EncryptedAssertion.
    SecurityTokenHandlerCollection handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
    if (handlers.CanReadToken(rdr))
    {
        var tmpToken = handlers.ReadToken(rdr);
        var claimsIds = handlers.ValidateToken(tmpToken);
        return claimsIds.FirstOrDefault();
    }
    return null;
}
Not sure whether this helps.
What did you use as the issuer name? The name of the website you set up in IIS? Or the value you entered in the "Site ID" field on the "General Configuration" page of the IdentityServer admin section?