c# – Thinktecture – 无法在Web API中处理加密的SAML安全令牌
发布时间:2020-12-15 21:54:56 所属栏目:百科 来源:网络整理
导读:在.net Web API中,如何配置Thinktechture Saml2SecurityTokenHandler以使用X509证书来处理加密的SAML2安全令牌(在验证之前对其进行解密). 通过将RP配置为使用证书进行加密,Identity Server会对令牌进行加密. 以下是从Thinktechture示例中获取的工作配置(不处
|
在.net Web API中,如何配置Thinktechture Saml2SecurityTokenHandler以使用X509证书来处理加密的SAML2安全令牌(在验证之前对其进行解密).
通过将RP配置为使用证书进行加密,Identity Server会对令牌进行加密. 以下是从Thinktechture示例中获取的工作配置(不处理加密令牌): #region IdentityServer SAML
authentication.AddSaml2(
issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,issuerName: Constants.IdSrv.IssuerUri,audienceUri: Constants.Realm,certificateValidator: X509CertificateValidator.None,options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
#endregion
解决方法
要使用Web API启用加密令牌,我发现这有用:
http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx
接下来,您将看到使用LocalMachine存储中的X509证书在SecurityTokenHandlerCollection的Configuration属性上设置ServiceTokenResolver属性的代码. Configuration属性是SecurityTokenHandlerConfiguration,它是来自ThinkTecture.IdentityModel源的AuthenticationConfigurationExtensionsCore.cs中AddSaml2扩展方法的重载参数之一.以下是我最终的结果. var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(Constants.IdSrv.SigningCertThumbprint,Constants.IdSrv.IssuerUri);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting();
X509Store store = new X509Store(StoreName.My,StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection matchingCertificates = certificates.Find(
X509FindType.FindBySubjectDistinguishedName,"CN=RPTokenCertificate",false);
X509Certificate2 certificate = certificates[0];
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
serviceTokens.AsReadOnly(),false);
handlerConfig.ServiceTokenResolver = serviceResolver;
authentication.AddSaml2(handlerConfig,AuthenticationOptions.ForAuthorizationHeader(SamlScheme),AuthenticationScheme.SchemeOnly(SamlScheme));
希望能帮助到你. (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |