向 ADFS 进行身份验证时出现“验证邮件安全性时出错”异常
本文关键字:安全性 出错 异常 验证 ADFS 身份验证 | 更新日期: 2023-09-27 18:34:41
正如我在另一个问题中所描述的,我构建了一个 Web 服务,该服务将采用用户名/密码,并根据这些凭据对 ADFS2 中的用户(移动应用程序(进行身份验证。我的 Web 服务在 ADFS 上配置为 RP。ADFS 发行 SAML 2.0 令牌。
这是网络方法的代码:
public class MobileAuthService : IMobileAuthService
{
private const string adfsBaseAddress = @"https://<my_adfs_hostname>/adfs/services/";
private const string endpointSuffix = @"trust/13/issuedtokenmixedsymmetricbasic256";
public string AuthenticateUser(string username, string password)
{
var binding = new WS2007HttpBinding(SecurityMode.Message);
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(adfsBaseAddress + endpointSuffix))
{
TrustVersion = TrustVersion.WSTrust13
};
trustChannelFactory.Credentials.UserName.UserName = username;
trustChannelFactory.Credentials.UserName.Password = password;
var tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Symmetric);
var token = tokenClient.Issue(rst);
// do some token-related stuff
return token.Id;
}
}
当我尝试运行它时(来自浏览器的 GET 调用,因为它为此端点配置了 Web http 绑定(,我得到以下异常:
System.ServiceModel.Security.MessageSecurityException - "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."
内部例外:
System.ServiceModel.FaultException - "An error occurred when verifying security for the message."
我想这与响应签名或证书有关,但我不知道如何克服这个问题,因为我对 WIF 很陌生。
我已经设法(部分(解决了这个问题。我在代码中更改了一些内容,但问题似乎与以下方面有关:
- STS 终结点 - 应
/trust/13/usernamemixed用于此类身份验证 - RST 密钥类型 - 当我设置它
Bearer它开始返回 SAML 令牌
时
这是我的最新版本:
public class MobileAuthService : IMobileAuthService
{
private const string stsEndpointAddress = @"https://<my_adfs_hostname>/adfs/services/trust/13/usernamemixed";
private const string relyingPartyAddress =
"https://<my_service_addr>/Auth.svc";
public string AuthenticateUser(string username, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential)
{
ClientCredentialType = HttpClientCredentialType.None
};
var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(stsEndpointAddress))
{
TrustVersion = TrustVersion.WSTrust13
};
var channelCredentials = trustChannelFactory.Credentials;
channelCredentials.UserName.UserName = username;
channelCredentials.UserName.Password = password;
channelCredentials.SupportInteractive = false;
var tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Bearer)
{
AppliesTo = new EndpointReference(relyingPartyAddress),
ReplyTo = relyingPartyAddress,
TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
};
// to some token-related stuff (like transformations etc...)
}
}
我希望这将帮助那些最终遇到类似问题的人。