How do I specify requirements such as requirements on the service side so that they are met upon customer request?

I have:

  • A passive STS login application, which is also an identity provider.
  • Active STS WCF service that can accept and process ActAs tokens
  • A relying party (RP) website.
  • A WCF service (also a relying party) called by the website.

All of this is compiled using the Windows Identity Foundation and custom STS code. Active Directory (ADFS) is not involved.

Now I have a job:

  • The user is trying to visit the RP website.
  • The user is redirected to a passive STS.
  • The user logs in, receives the issued token, is redirected back to the RP website.
  • The RP website calls the WCF RP service and passes the ActAs token, so delegation occurs.
  • Active STS ActAs , ActAs, Actor.
  • WCF RP , , , .

, WCF RP STS.

, RST, STS, , , , , .

, , RP- -, , WCF RP.

, - , . ws2007FederationHttpBinding, ActAs, WIF Identity Training Kit customBinding, , - . WCF RP, :

<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="CustomBinding_FederatedService">
        <security
          authenticationMode="IssuedTokenForCertificate"
          messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
          <issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <issuer address="http://localhost:38901/ActiveSts.svc/IWSTrust13" />
            <issuerMetadata address="http://localhost:38901/ActiveSts.svc/mex" />
          </issuedTokenParameters>
        </security>
        <textMessageEncoding>
          <readerQuotas maxArrayLength="32767" />
        </textMessageEncoding>
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
</system.serviceModel>

-, claimTypeRequirements issuedTokenParameters, Active STS RST..., -, .

, WCF RP , , -?

, , , , . - WCF , , ( ), . , .


, ...

  • . - , WS-Policy/Metadata Exchange .
  • STS. Microsoft.IdentityModel CreateChannelActingAs(token) ActAs ( ) WSTrustChannelFactory.
  • , , .

, , , - , , Microsoft.IdentityModel , . , , .

, WSTrustChannelFactory WSTrustChannel - MSDN. .

.., :

using System;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// You need the channel factory so you can get info about the endpoint.
// "*" picks the <client><endpoint> for IService from config (the one using the binding above);
// with no endpoint configured, factory.Endpoint.Binding would be null below.
var factory = new ChannelFactory<IService>("*");

// Get the issuedTokenParameters information from the binding.
// You see this in the XML config but it is painful to access.
var tokenParameters = factory.Endpoint.Binding
    .CreateBindingElements()
    .OfType<SecurityBindingElement>().First()
    .EndpointSupportingTokenParameters
    .Endorsing.OfType<IssuedSecurityTokenParameters>().First();

// Prepare the RST against the issuer the binding points to.
var trustChannelFactory = new WSTrustChannelFactory(tokenParameters.IssuerBinding, tokenParameters.IssuerAddress);
var trustChannel = (WSTrustChannel)trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(RequestTypes.Issue);
rst.AppliesTo = factory.Endpoint.Address;

// If you're doing delegation, set the ActAs value to the caller's bootstrap token.
// The RP website must run with saveBootstrapTokens="true" or BootstrapToken is null.
var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
if (principal == null || principal.Identities[0].BootstrapToken == null)
    throw new InvalidOperationException("No bootstrap token available for ActAs delegation.");
var bootstrapToken = principal.Identities[0].BootstrapToken;
rst.ActAs = new SecurityTokenElement(bootstrapToken);

// Here is where you can look up claims requirements dynamically.
rst.Claims.Add(new RequestClaim("http://dynamically-added-claim"));

// Get the token and attach it to the channel before making a request.
RequestSecurityTokenResponse rstr;
var issuedToken = trustChannel.Issue(rst, out rstr);
var fccParameters = new FederatedClientCredentialsParameters();
fccParameters.IssuedSecurityToken = issuedToken;
var channel = factory.CreateChannel();
((IChannel)channel).GetProperty<ChannelParameterCollection>().Add(fccParameters);

// NOW you can make the request.
channel.DoWork();

, , .

, XML , . CreateChannelActingAs(token) Microsoft.IdentityModel .
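The client code in the answer builds an RST with an ActAs element and a list of RequestClaim entries; what it does not show is how the active STS consumes them. The following is an added example (not code from the original post or its author) of the STS half of that exchange on WIF 3.5 (Microsoft.IdentityModel): it honours the requested claim types, fails the request when a required claim cannot be produced, and records the direct caller as Actor so the WCF RP can authorise on the delegation chain. The class name, the issuable-claim table and the relying-party certificate lookup are constructed for illustration.

```csharp
// Added example (not from the original post): the STS side of the exchange above.
// Assumes WIF 3.5 (Microsoft.IdentityModel) and a custom STS derived from
// SecurityTokenService; the class name, the issuable-claim table and the RP
// certificate lookup are placeholders, not the poster's code.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class ActiveSts : SecurityTokenService
{
    // Claim types this STS knows how to produce for a given subject (constructed sample set).
    private static readonly Dictionary<string, Func<IClaimsIdentity, string>> Issuable =
        new Dictionary<string, Func<IClaimsIdentity, string>>(StringComparer.Ordinal)
        {
            { ClaimTypes.Name, subject => subject.Name },
            { ClaimTypes.Role, subject => "User" },                       // placeholder for a real role lookup
            { "http://dynamically-added-claim", subject => "issued-on-request" },
        };

    public ActiveSts(SecurityTokenServiceConfiguration configuration) : base(configuration) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null)
            throw new InvalidRequestException("AppliesTo is required so the token is bound to one RP.");

        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                              SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = scope.AppliesToAddress;
        // Encrypt the token for the RP only; an unknown RP is refused inside the lookup.
        scope.EncryptingCredentials =
            new X509EncryptingCredentials(RelyingPartyCertificate(scope.AppliesToAddress));
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var caller = (IClaimsIdentity)principal.Identity;   // authenticated directly to this STS
        IClaimsIdentity subject = caller;
        var output = new ClaimsIdentity();

        // Delegation: WIF has already validated the ActAs token before this method runs.
        // Its identity becomes the subject of the new token; the direct caller is kept as
        // Actor so the RP can authorise on the whole chain, not just the end user.
        if (request.ActAs != null)
        {
            subject = request.ActAs.GetIdentities()[0];
            output.Actor = new ClaimsIdentity(caller.Claims);
        }

        // Honour the RequestClaim list the client built (rst.Claims on the consumer side).
        // A required claim the STS cannot produce fails the request instead of silently
        // issuing a token the RP would reject anyway.
        foreach (RequestClaim requested in request.Claims)
        {
            Func<IClaimsIdentity, string> resolve;
            if (Issuable.TryGetValue(requested.ClaimType, out resolve))
                output.Claims.Add(new Claim(requested.ClaimType, resolve(subject)));
            else if (!requested.IsOptional)
                throw new InvalidRequestException("Cannot satisfy required claim " + requested.ClaimType);
        }

        // No explicit request: fall back to the default set.
        if (request.Claims.Count == 0)
            foreach (var entry in Issuable)
                output.Claims.Add(new Claim(entry.Key, entry.Value(subject)));

        return output;
    }

    // Placeholder RP registry: maps AppliesTo to the RP's encryption certificate.
    private static X509Certificate2 RelyingPartyCertificate(string appliesTo)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // The subject name is a placeholder; a real STS keys this off a configured RP list.
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, "rp-placeholder", true);
            if (found.Count == 0)
                throw new InvalidRequestException("Unknown relying party: " + appliesTo);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

The RequestClaim loop is the counterpart of rst.Claims.Add on the client: whatever the consumer decides it needs at runtime arrives here as ClaimType plus IsOptional, and the STS, not the client, remains the authority on which of those it will actually issue.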


Source: https://habr.com/ru/post/1761793/
