从ADFS STS切换到自定义STS时序列化安全令牌出错
问题描述:
我有一个通过http调用服务(名为MyService)的Web应用程序(名为MyWebClient)。 MyService接受ADFS发出的令牌,并且它工作正常。我想从ADFS切换到MyCustomSTS(使用WIF 4.5)。我期望MyWebClient的代码不会被改变,但我得到一个错误。从ADFS STS切换到自定义STS时序列化安全令牌出错
代码Ping通为了MyService如下
var token = GetSecurityToken();
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message, false);
var messageSecurity = serviceBinding.Security.Message;
messageSecurity.IssuedTokenType = TokenTypes.Saml11TokenProfile11;
messageSecurity.IssuerAddress = Constants.StsAddressX509;
messageSecurity.IssuedKeyType = SecurityKeyType.SymmetricKey;
messageSecurity.IssuerBinding = stsBinding;
var factory = new ChannelFactory<IMyService>(binding, new EndpointAddress("https://mylocalhost/MyService.svc"));
factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
factory.Credentials.ServiceCertificate.Authentication.RevocationMode =
X509RevocationMode.NoCheck;
var service = factory.CreateChannelWithIssuedToken(token);
var result = service.Ping();
我有(什么样子),从STS有效令牌。
然而,它抛出在调用平为了MyService异常,如下所示:
There was an error serializing the security token. Please see the
inner exception for more details. Server stack trace: at
System.ServiceModel.Security.WSSecurityTokenSerializer.WriteTokenCore(XmlWriter
writer, SecurityToken token) at
System.ServiceModel.Security.SendSecurityHeader.OnWriteHeaderContents(XmlDictionaryWriter
writer, MessageVersion messageVersion) at
System.ServiceModel.Channels.MessageHeader.WriteHeader(XmlDictionaryWriter
writer, MessageVersion messageVersion) at
System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter
writer) at ...
各地的互联网搜索后,我建议修改代码位加
factory.Credentials.UseIdentityConfiguration = true;
它再次正常工作。
我在这里的问题是为什么它没有“UseIdentityConfiguration”就可以正常使用ADFS吗?无论如何,修复它在MyCustomSTS但改变客户端代码?
原因是我有很多像MyWebClient这样的客户端应用程序,所以更改他们的代码对我来说是个问题。
感谢您的所有帮助和答复。我真的很感激它。
答
从我发布它的那一天起,很长一段时间,AFAI可以看到,问题是因为ADFS使用WIF 3.5,而我的STS使用4.5。将UseIdentityConfiguration设置为true是解决它的唯一解决方案。
我已阅读过有关它的最好的参考文献之一是来自leastprivilege博客http://leastprivilege.com/2012/07/15/wcf-and-identity-in-net-4-5-overview/