
我在使用 ADFS2 保護「由被動聯合(passive federation)網站呼叫的後端 WCF 服務」時遇到問題。網站本身的被動聯合已經可以運作,但後端服務一直出問題。(標題:使用 ADFS2 作爲 IP,以 WIF 保護 WCF 後端服務)

各個組成部分:

  1. Silverlight從被動聯合網站提供服務的客戶端。
  2. Silverlight調用託管在被動聯合網站上的WCF服務(App Service)。
  3. 我在配置中將SaveBootstrapToken設置爲true。
  4. 從App Service中,我想使用帶有ActAs場景的BootstrapToken調用後端WCF服務。
  5. 聯合網站和後端WCF服務在ADFS2中設置爲獨立的RP,令牌加密處於打開狀態。兩者都允許委派。

後端服務配置:

我已經透過行爲擴充(behavior extension)把 WIF 接進 WCF 的管線。

<!-- Back-end service binding. TransportWithMessageCredential = HTTPS on the wire plus an
     ADFS-issued token inside the message. establishSecurityContext="false" turns off
     WS-SecureConversation sessions, so every call carries the issued token itself. -->
<ws2007FederationHttpBinding> 
    <binding name="WS2007FederationHttpBinding_IQuoteService"> 
    <security mode="TransportWithMessageCredential"> 
     <message establishSecurityContext="false"> 
     <!-- NOTE(review): the client-side ws2007FederationHttpBinding further down this page
          uses mode="Message" and omits establishSecurityContext="false". Both sides must
          agree; otherwise the client tries to open a secure-conversation session the
          service does not offer (see the SecuritySessionSecurityTokenProvider frames in
          the stack trace). -->
     <issuer address="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256"> 
     </issuer> 
     <!-- ADFS MEX endpoint: lets the service publish the issuer's policy in its own WSDL. -->
     <issuerMetadata address="https://myADFSserver/adfs/services/trust/mex"> 
     </issuerMetadata> 
     </message> 
    </security> 
    </binding> 
</ws2007FederationHttpBinding> 


<behaviors> 
    <serviceBehaviors> 
    <behavior name=""> 
     <!-- WIF hook: this behaviour extension applies the <microsoft.identityModel> settings
          (issuer registry, audience URIs, service certificate) to the service host. -->
     <federatedServiceHostConfiguration name="Service.QuoteService" /> 
     <!-- httpGetEnabled publishes WSDL over plain HTTP; the accepted answer switches this to
          httpsGetEnabled, which is the better fit for an HTTPS-only
          (TransportWithMessageCredential) endpoint. -->
     <serviceMetadata httpGetEnabled="true" /> 
     <!-- Keep false outside development: exception details in SOAP faults leak internals. -->
     <serviceDebug includeExceptionDetailInFaults="false" /> 
     <serviceCredentials> 
     <!-- Service certificate with private key; presumably the one ADFS encrypts this RP's
          tokens to (token encryption is on for both RPs per the question). The thumbprint
          on this page is a placeholder. -->
     <serviceCertificate findValue="000000000000000000000000000000" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" /> 
     </serviceCredentials> 
    </behavior> 
    </serviceBehaviors> 
</behaviors> 

<!-- Service endpoints: the application endpoint uses the federation binding above; the
     "mex" endpoint exposes metadata over mexHttpBinding (plain HTTP, not HTTPS). -->
<services> 
    <service name="Service.QuoteService"> 
    <endpoint address="" binding="ws2007FederationHttpBinding" contract="Service.IQuoteService" bindingConfiguration="WS2007FederationHttpBinding_IQuoteService" /> 
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> 
    </service> 
</services> 

客戶端配置

用「添加服務引用」工具加入服務時,客戶端產生了下列配置:

<!-- Tool-generated (Add Service Reference) binding the CLIENT uses to talk to the ADFS
     issuer endpoint. It was generated, not designed: review every value before production. -->
<customBinding> 
    <binding name="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256"> 
    <!-- NOTE(review): authenticationMode="IssuedTokenOverTransport" means this binding
         expects the caller to present an ISSUED token as its credential to ADFS, but nothing
         here says who issues that token. That is exactly what the inner exception below
         reports ("The address of the security token issuer is not specified ... for target
         '.../issuedtokenmixedsymmetricbasic256'"). The accepted answer sidesteps this by
         calling the usernamemixed endpoint explicitly with WSTrustChannelFactory + ActAs. -->
    <security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenOverTransport" 
     requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true" 
     keyEntropyMode="CombinedEntropy" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"> 
     <issuedTokenParameters keySize="256" keyType="SymmetricKey" tokenType=""> 
     <additionalRequestParameters> 
      <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> 
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType> 
      <trust:KeySize>256</trust:KeySize> 
      <trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm> 
      <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith> 
      <!-- HMAC-SHA1 is what ADFS 2 advertised in 2011; it is a legacy algorithm now. Prefer a
           SHA-256 suite if the issuer and the WIF/WCF versions in use support it. -->
      <trust:SignatureAlgorithm>http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignatureAlgorithm> 
      <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm> 
      <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm> 
      </trust:SecondaryParameters> 
     </additionalRequestParameters> 
     </issuedTokenParameters> 
     <!-- NOTE(review): detectReplays="false" on both the client and service local settings
          disables WCF's message-replay cache; only the 5-minute timestamp window limits
          replay of a captured message. Confirm this is intended rather than tool default. -->
     <localClientSettings cacheCookies="true" detectReplays="false" 
     replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" 
     replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" 
     sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" 
     timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" /> 
     <localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00" 
     maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" 
     negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" 
     sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" 
     reconnectTransportOnFailure="true" maxPendingSessions="128" 
     maxCachedCookies="1000" timestampValidityDuration="00:05:00" /> 
     <secureConversationBootstrap /> 
    </security> 
    <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" 
     messageVersion="Default" writeEncoding="utf-8"> 
     <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" 
     maxBytesPerRead="4096" maxNameTableCharCount="16384" /> 
    </textMessageEncoding> 
    <!-- HTTPS to ADFS with no transport-level client auth (Anonymous, no client cert): the
         caller is identified only by the token in the message. -->
    <httpsTransport manualAddressing="false" maxBufferPoolSize="524288" 
     maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous" 
     bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard" 
     keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous" 
     realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" 
     useDefaultWebProxy="true" requireClientCertificate="false" /> 
    </binding> 
</customBinding> 


<!-- Client-side binding for the back-end QuoteService (tool-generated). -->
<ws2007FederationHttpBinding> 
    <binding name="WS2007FederationHttpBinding_IQuoteService" closeTimeout="00:01:00" 
    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" 
    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" 
    maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" 
    textEncoding="utf-8" useDefaultWebProxy="true"> 
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" 
     maxBytesPerRead="4096" maxNameTableCharCount="16384" /> 
    <reliableSession ordered="true" inactivityTimeout="00:10:00" 
     enabled="false" /> 
    <!-- NOTE(review): two mismatches with the service binding shown earlier on this page:
         1. mode="Message" here vs. mode="TransportWithMessageCredential" on the service.
         2. No establishSecurityContext="false" here, so the client defaults to opening a
            WS-SecureConversation session; the service has it disabled. The outer exception
            below is thrown from SecuritySessionSecurityTokenProvider, i.e. from that
            session setup. -->
    <security mode="Message"> 
     <message algorithmSuite="Default" issuedKeyType="SymmetricKey" 
     negotiateServiceCredential="true"> 
     <!-- The issuer is reached through the customBinding above, which itself requires an
          issued token as credential (IssuedTokenOverTransport), hence the inner
          "issuer address is not specified" error. -->
     <issuer address="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256" 
      binding="customBinding" bindingConfiguration="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256" /> 
     <issuerMetadata address="https://myADFSserver/adfs/services/trust/mex" /> 
     <tokenRequestParameters> 
      <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> 
      <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType> 
      <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize> 
      <!-- Claims the client asks ADFS for (name, role); both optional, so ADFS may omit them.
           What actually arrives is governed by the RP's issuance rules in ADFS. -->
      <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" 
       xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> 
       <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" 
       Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" /> 
       <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" 
       Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" /> 
      </trust:Claims> 
      <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm> 
      <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith> 
      <!-- HMAC-SHA1 is legacy; prefer a SHA-256 suite where issuer and framework allow. -->
      <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith> 
      <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm> 
      <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm> 
      </trust:SecondaryParameters> 
     </tokenRequestParameters> 
     </message> 
    </security> 
    </binding> 
</ws2007FederationHttpBinding> 


<client> 
    <!-- NOTE(review): the address is plain http://, but the service binding earlier on this
         page is TransportWithMessageCredential, which needs an https:// endpoint. With
         mode="Message" on this client the SOAP body is protected, yet the transport is not
         the one the service expects. -->
    <endpoint address="http://myServiceHost/Service/QuoteService.svc" 
    binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IQuoteService" 
    contract="QuoteService.IQuoteService" name="WS2007FederationHttpBinding_IQuoteService"> 
    <!-- Pins the service's certificate (base64 DER, placeholder here) so the client only
         encrypts to and trusts that exact service identity. -->
    <identity> 
     <certificate encodedValue="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /> 
    </identity> 
    </endpoint> 
</client> 

以下是服務客戶端代碼:

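List<Quote> quoteList = new List<Quote>(); 

// The bootstrap token is only present when saveBootstrapTokens is on (step 3 above) and WIF
// authenticated this request; otherwise HttpContext.Current.User is not a ClaimsPrincipal
// and the `as` cast yields null, so guard before dereferencing.
ClaimsPrincipal myClaimsPrincipal = System.Web.HttpContext.Current.User as ClaimsPrincipal; 
if (myClaimsPrincipal == null || myClaimsPrincipal.Identities.Count == 0) 
{ 
    throw new InvalidOperationException("Current user is not a WIF ClaimsPrincipal. Logout and try again."); 
} 
SecurityToken bootstrapToken = myClaimsPrincipal.Identities[0].BootstrapToken; 
if (bootstrapToken == null) 
{ 
    throw new Exception("bootstrap tokein is null. Logout and try again."); 
} 

// Factory built from the named binding in config; SupportInteractive=false so no
// interactive (CardSpace) prompt is ever attempted from server code.
ChannelFactory<IQuoteServiceChannel> factory = new ChannelFactory<IQuoteServiceChannel>("WS2007FederationHttpBinding_IQuoteService"); 
factory.Credentials.SupportInteractive = false; 

// Service certificate used to encrypt to the back-end (thumbprint is a placeholder here).
factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "0000000000000000000000000000"); 
factory.ConfigureChannelFactory(); 

// Create the channel with the bootstrap token as the ActAs identity.
IQuoteServiceChannel channel = factory.CreateChannelActingAs(bootstrapToken); 

try 
{ 
    quoteList = channel.GetQuotes(quoteUser); 
    channel.Close(); 
} 
catch 
{ 
    // Every failure path did the same thing (Abort + rethrow), so one catch-all suffices.
    // Abort() never throws, unlike Close() on a faulted channel; a bare `throw` keeps the
    // original type (SecurityAccessDeniedException, CommunicationException, TimeoutException).
    channel.Abort(); 
    throw; 
} 
finally 
{ 
    // The factory owns the credentials and the security token providers; release it too,
    // without letting a teardown failure mask the real error.
    try 
    { 
        if (factory.State == CommunicationState.Faulted) 
        { 
            factory.Abort(); 
        } 
        else 
        { 
            factory.Close(); 
        } 
    } 
    catch (CommunicationException) 
    { 
        factory.Abort(); 
    } 
    catch (TimeoutException) 
    { 
        factory.Abort(); 
    } 
} 

return quoteList; 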

以下是我得到的異常(exception):

System.ServiceModel.Security.SecurityNegotiationException was unhandled by user code 
    Message=SOAP security negotiation with 'https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256' for target 'https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256' failed. See inner exception for more details. 
    Source=mscorlib 
    StackTrace: 
    Server stack trace: 
     at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout) 
     at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout) 
     at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) 
     at Microsoft.IdentityModel.Protocols.WSTrust.FederatedSecurityTokenProvider.GetTokenCore(TimeSpan timeout) 
     at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) 
     at System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens) 
     at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState) 
     at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState) 
     at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState) 
     at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) 
     at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout) 
     at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout) 
     at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) 
     at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout) 
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) 
     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) 
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) 
     at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout) 
     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade) 
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) 
     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) 
     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) 
    Exception rethrown at [0]: 
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) 
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) 
     at OMG.Admin.DemoApp.Business.QuoteService.IQuoteService.GetQuotes(User quoteUser) 
     at OMG.Admin.DemoApp.Business.QuoteServiceClient.GetQuotes(User quoteUser) in C:\OMG_TFS01\OMG.Admin\OMG.Admin.DemoApp\OMG.Admin.DemoApp.Business\QuoteServiceClient.cs:line 131 
     at OMG.Admin.DemoApp.Business.QuoteBO.GetQuoteList() in C:\OMG_TFS01\OMG.Admin\OMG.Admin.DemoApp\OMG.Admin.DemoApp.Business\QuoteBO.cs:line 26 
     at OMG.Admin.DemoApp.Web.Services.DemoAppService.GetQuotes() in C:\OMG_TFS01\OMG.Admin\OMG.Admin.DemoApp\OMG.Admin.DemoApp.Web\Services\DemoAppService.svc.cs:line 27 
     at SyncInvokeGetQuotes(Object , Object[] , Object[]) 
     at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) 
     at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) 
    InnerException: System.InvalidOperationException 
     Message=The address of the security token issuer is not specified. An explicit issuer address must be specified in the binding for target 'https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256' or the local issuer address must be configured in the credentials. 
     Source=mscorlib 
     StackTrace: 
     Server stack trace: 
      at System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement) 
      at System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, Boolean disableInfoCard) 
      at Microsoft.IdentityModel.Protocols.WSTrust.FederatedClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement) 
      at System.ServiceModel.Security.SecurityProtocol.AddSupportingTokenProviders(SupportingTokenParameters supportingTokenParameters, Boolean isOptional, IList`1 providerSpecList) 
      at System.ServiceModel.Security.SecurityProtocol.OnOpen(TimeSpan timeout) 
      at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) 
      at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) 
      at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout) 
      at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) 
      at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) 
      at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) 
     Exception rethrown at [0]: 
      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) 
      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) 
      at System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout) 
      at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout) 
     InnerException: 

我確定自己在配置和/或代碼中遺漏了什麼,有人能幫忙嗎?


我在客戶端試過各種不同的配置更改,認爲問題與 _ws2007Federation_ 呼叫 ADFS 的方式有關。感覺上幾乎像是我需要一個不帶安全性的綁定來跟 ADFS 對話才能完成聯合 –


我可以把 bootstrapToken 轉成 SAML XML,並在裏面看到確認方法 `urn:oasis:names:tc:SAML:1.0:cm:bearer`。這是否表示我不能用引導令牌來做身份驗證?因爲它是承載(bearer)令牌而不是對稱密鑰令牌? –


這個問題後來解決了嗎? – NTDLS

回答


我已經讓這個場景跑通了,以下是解決方案,供有興趣的人參考。

我參考了 Dominick Baier 這篇文章的思路/代碼:http://leastprivilege.com/2010/10/14/wif-adfs-2-and-wcfpart-5-service-client-more-flexibility-with-wstrustchannelfactory/

我把後端 WCF 服務的配置改成了這樣:

<!-- WIF settings for the back-end service (applied by federatedServiceHostConfiguration). -->
<microsoft.identityModel> 
    <service> 
    <!-- Tokens whose AppliesTo/Audience is not in this list are rejected. These must match
         the RP identifier configured in ADFS and the ServiceAppliesTo the client sends. -->
    <audienceUris> 
     <add value="https://localhost/Service/QuoteService.svc" /> 
     <add value="https://localhost/Service/" /> 
    </audienceUris> 
    <!-- Certificate whose private key decrypts the tokens ADFS encrypts for this RP
         (token encryption is on per the question). Thumbprint is a placeholder. -->
    <serviceCertificate> 
     <certificateReference x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /> 
    </serviceCertificate> 
    <!-- Only tokens signed by the certificate with this thumbprint are accepted, and they are
         attributed to the named issuer. Update it whenever the ADFS token-signing certificate
         is rolled, or every token will start failing signature validation. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"> 
     <trustedIssuers> 
     <add thumbprint="000000000000000000000000000000000000" name="http://myADFSserver/adfs/services/trust" /> 
     </trustedIssuers> 
    </issuerNameRegistry> 
    <!-- SECURITY: "None" disables chain building and revocation checking on the token-signing
         certificate. The thumbprint pin above is then the ONLY thing standing between a token
         and acceptance. Common with ADFS's self-signed signing certs in a lab; in production
         prefer ChainTrust/PeerTrust (or at least document why None is acceptable). -->
    <certificateValidation certificateValidationMode="None" /> 
    </service> 
</microsoft.identityModel> 

<system.serviceModel> 
    <services> 
    <service name="Service.QuoteService"> 
     <!-- No bindingConfiguration: the unnamed <binding> below is the default for every
          ws2007FederationHttpBinding endpoint in this file. -->
     <endpoint address="" 
       binding="ws2007FederationHttpBinding" 
       contract="Service.IQuoteService" /> 
     <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> 
    </service> 
    </services> 
    <bindings> 
    <ws2007FederationHttpBinding> 
     <binding> 
     <!-- HTTPS transport + issued token in the message, no secure-conversation session. The
          client in the answer builds the same binding in code
          (WSFederationHttpSecurityMode.TransportWithMessageCredential,
          EstablishSecurityContext = false), so both sides agree. -->
     <security mode="TransportWithMessageCredential"> 
      <message establishSecurityContext="false"> 
      <!-- Only the ADFS MEX address is given; the client obtains its token from ADFS itself
           (WSTrustChannelFactory) rather than letting WCF resolve an issuer from here. -->
      <issuerMetadata address="https://myADFSserver/adfs/services/trust/mex" /> 
      </message> 
     </security> 
     </binding> 
    </ws2007FederationHttpBinding> 
    </bindings> 

    <behaviors> 
    <serviceBehaviors> 
     <behavior> 
     <!-- Metadata over HTTPS only (the question's config used httpGetEnabled). -->
     <serviceMetadata httpsGetEnabled="true" /> 
     <!-- Applies the <microsoft.identityModel> section to this host. -->
     <federatedServiceHostConfiguration /> 
     </behavior> 
    </serviceBehaviors> 
    </behaviors> 

    <!-- Registers the WIF behaviour extension used above. -->
    <extensions> 
    <behaviorExtensions> 
     <add name="federatedServiceHostConfiguration" 
      type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/> 
    </behaviorExtensions> 
    </extensions> 
</system.serviceModel> 

客戶端不再使用 WCF 配置文件,全部改以代碼完成。

這裏的客戶端代碼:

public QuoteServiceClient() 
{ 
    // Obtain the ADFS-issued, ActAs-delegated token first, then build a federation channel
    // that presents it on every call. Nothing is read from WCF config: binding and address
    // are constructed in code.
    SecurityToken actAsToken = this.GetDelegatedTokenUsername(); 

    // HTTPS transport + issued token in the message; EstablishSecurityContext=false means
    // no WS-SecureConversation session, matching the service-side binding.
    var federationBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential); 
    federationBinding.Security.Message.EstablishSecurityContext = false; 

    var serviceAddress = new EndpointAddress(svcEndpoint); 
    var channelFactory = new ChannelFactory<IQuoteServiceChannel>(federationBinding, serviceAddress); 
    // WIF hook-up (installs the federated client credentials); keep it before touching Credentials.
    channelFactory.ConfigureChannelFactory<IQuoteServiceChannel>(); 
    // Server-side code must never fall back to an interactive (CardSpace) prompt.
    channelFactory.Credentials.SupportInteractive = false; 

    this.channel = channelFactory.CreateChannelWithIssuedToken<IQuoteServiceChannel>(actAsToken); 
} 

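/// <summary>
/// Asks ADFS (WS-Trust 1.3, the usernamemixed endpoint) for a token scoped to the back-end
/// service, carrying the web site's bootstrap token as the ActAs element so the back-end sees
/// the signed-in user's claims rather than the web site's own identity.
/// </summary>
/// <returns>The delegated token ADFS issued for <c>ServiceAppliesTo</c>.</returns>
/// <exception cref="InvalidOperationException">No bootstrap token is available (from GetBootStrapToken).</exception>
/// <exception cref="CommunicationException">ADFS rejected the request or could not be reached; propagated unchanged.</exception>
private SecurityToken GetDelegatedTokenUsername() 
{ 
    var binding = new UserNameWSTrustBinding(); 
    binding.SecurityMode = SecurityMode.TransportWithMessageCredential; 

    //UserNameMixed is this endpoint "/adfs/services/trust/13/usernamemixed" 
    WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(UserNameMixed)); 
    trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13; 

    // Never attempt an interactive (CardSpace) prompt from server code.
    trustChannelFactory.Credentials.SupportInteractive = false; 

    // Service account the web site uses to authenticate ITSELF to ADFS; the ActAs token
    // carries the actual user. ADFS must allow this account to delegate (step 5 above).
    // SECURITY (review): these must not live as string literals in source. The values on this
    // page are placeholders; load real ones from protected configuration / a secret store, or
    // better, use a Windows binding (e.g. the windowstransport endpoint) so the AppPool
    // identity authenticates and no password exists in the application at all.
    trustChannelFactory.Credentials.UserName.UserName = @"domain\username"; 
    trustChannelFactory.Credentials.UserName.Password = "password"; 

    IWSTrustChannelContract channel = null; 
    try 
    { 
        RequestSecurityToken rst = new RequestSecurityToken(); 
        rst.RequestType = WSTrust13Constants.RequestTypes.Issue; 
        rst.AppliesTo = new EndpointAddress(ServiceAppliesTo); 

        //This part will give you identity of logged in user 
        rst.ActAs = new SecurityTokenElement(this.GetBootStrapToken()); 

        channel = trustChannelFactory.CreateChannel(); 
        RequestSecurityTokenResponse rstr; 
        SecurityToken delegatedToken = channel.Issue(rst, out rstr); 

        // Close the WS-Trust channel on success (it is an ICommunicationObject underneath).
        var open = channel as ICommunicationObject; 
        if (open != null) 
        { 
            open.Close(); 
        } 
        return delegatedToken; 
    } 
    catch 
    { 
        // Abort (never Close) the channel after a failure, then rethrow unchanged: the original
        // code wrapped everything in a bare Exception, hiding SecurityNegotiationException /
        // FaultException details from callers.
        var faulted = channel as ICommunicationObject; 
        if (faulted != null) 
        { 
            faulted.Abort(); 
        } 
        throw; 
    } 
    finally 
    { 
        // Best-effort factory teardown; a failure here must not mask the real error.
        try 
        { 
            if (trustChannelFactory.State == CommunicationState.Faulted) 
            { 
                trustChannelFactory.Abort(); 
            } 
            else 
            { 
                trustChannelFactory.Close(); 
            } 
        } 
        catch (CommunicationException) 
        { 
            trustChannelFactory.Abort(); 
        } 
        catch (TimeoutException) 
        { 
            trustChannelFactory.Abort(); 
        } 
    } 
} 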

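/// <summary>
/// Returns the bootstrap token (the SAML token the passive-federation site received from ADFS)
/// for the current request. It is only retained when saveBootstrapTokens is enabled (step 3
/// above) and the request was authenticated by WIF.
/// </summary>
/// <returns>The bootstrap <see cref="SecurityToken"/> of the first identity.</returns>
/// <exception cref="InvalidOperationException">The current user is not a WIF ClaimsPrincipal.</exception>
/// <exception cref="Exception">No bootstrap token was saved for this session.</exception>
private SecurityToken GetBootStrapToken() 
{ 
    // The `as` cast yields null when WIF did not authenticate this request; guard it rather
    // than let the dereference fail with a NullReferenceException.
    ClaimsPrincipal myClaimsPrincipal = System.Web.HttpContext.Current.User as ClaimsPrincipal; 
    if (myClaimsPrincipal == null || myClaimsPrincipal.Identities.Count == 0) 
    { 
        throw new InvalidOperationException("Current user is not a WIF ClaimsPrincipal. Logout and try again."); 
    } 

    SecurityToken bootstrapToken = myClaimsPrincipal.Identities[0].BootstrapToken; 
    if (bootstrapToken == null) 
    { 
        throw new Exception("bootstrap tokein is null. Logout and try again."); 
    } 
    return bootstrapToken; 
} 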

這樣就能跑通了,但後端 WCF 服務收到的聲明(claims)還不正確。靠着這篇很好的文章,我把 ADFS 裏的聲明理順了:http://technet.microsoft.com/en-us/library/adfs2-identity-delegation-step-by-step-guide.aspx 請捲動到「在 CONTOSODC 上啓用身份委派」並修正聲明發行規則。我還關閉了被動聯合網站的令牌加密。(審閱註:這一步可能是必要的——若引導令牌是加密給網站憑證的,ADFS 便無法讀取作爲 ActAs 送來的令牌;但關閉加密後,令牌內容在傳輸中只靠 HTTPS 保護,請確認這符合你的安全要求。)

完成此操作後,我在應用程序服務和後端WCF服務中擁有相同的聲明。

我希望這可以幫助與我在同一條船上的人。


謝謝你的後續說明!我們正要開始實作,這非常有幫助。 –


我在找別的東西時又逛回這個討論串了。我冒昧編輯了你的帖子,更新了 LeastPrivilege.com 的鏈接 –