编程语言
首页 > 编程语言> > c# – Thinktecture – 无法在Web API中处理加密的SAML安全令牌

c# – Thinktecture – 无法在Web API中处理加密的SAML安全令牌

作者:互联网

在.net Web API中,如何配置Thinktechture Saml2SecurityTokenHandler以使用X509证书来处理加密的SAML2安全令牌(在验证之前对其进行解密).

通过将RP配置为使用证书进行加密,Identity Server会对令牌进行加密.

以下是从Thinktechture示例中获取的工作配置(不处理加密令牌):

  #region IdentityServer SAML
  authentication.AddSaml2(
                issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,
                issuerName: Constants.IdSrv.IssuerUri,
                audienceUri: Constants.Realm,
                certificateValidator: X509CertificateValidator.None,
                options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),
                scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
  #endregion

解决方法:

要使用Web API启用加密令牌,我发现这有用:http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx

接下来,您将看到使用LocalMachine存储中的X509证书在SecurityTokenHandlerCollection的Configuration属性上设置ServiceTokenResolver属性的代码. Configuration属性是SecurityTokenHandlerConfiguration,它是来自ThinkTecture.IdentityModel源的AuthenticationConfigurationExtensionsCore.cs中AddSaml2扩展方法的重载参数之一.以下是我最终的结果.

var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(Constants.IdSrv.SigningCertThumbprint, Constants.IdSrv.IssuerUri);

var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting();

X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection matchingCertificates = certificates.Find(
    X509FindType.FindBySubjectDistinguishedName,
    "CN=RPTokenCertificate", false);
X509Certificate2 certificate = certificates[0];

List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver =
    SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
        serviceTokens.AsReadOnly(), false);
handlerConfig.ServiceTokenResolver = serviceResolver;

authentication.AddSaml2(handlerConfig, 
    AuthenticationOptions.ForAuthorizationHeader(SamlScheme), 
    AuthenticationScheme.SchemeOnly(SamlScheme));

希望能帮助到你.

标签:c,security,asp-net-web-api,saml-2-0,thinktecture-ident-model
来源: https://codeday.me/bug/20190709/1408599.html