7
我一直盯着這一整天都無濟於事,而且我沒有想法。 IP-STS處理登錄信息,然後將其傳遞給RP-STS,後者用聲明填充標記,然後登錄到網站上。這工作正常。我在IP-STS上有一些WCF功能,例如更改密碼/重置密碼並需要訪問它們。已經閱讀我應該能夠將已分配的令牌發送到WCF以確保用戶通過身份驗證。從我可以看到它發送令牌但不正確,也不是我想要的方式,因爲它似乎現在需要用戶名。使用從STS分配的令牌來調用WCF服務
理想情況下我希望它分配給用戶的令牌,而不必重新請求或重新創建任何東西,明確地不需要用戶名/密碼。
我目前收到的錯誤是: 從對方收到了一個不安全或錯誤安全的錯誤。查看故障代碼和細節的內部FaultException。
詳細信息: 該消息無法處理。這很可能是因爲操作'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue'不正確,或者因爲消息包含無效或過期的安全上下文令牌,或者由於存在不匹配綁定之間。如果服務由於不活動而中止通道,則安全上下文令牌將無效。爲防止服務過早地中止空閒會話,會增加服務端點綁定的接收超時。
這是我的網頁配置中的相關位。
客戶端的web.config
<system.serviceModel>
<bindings>
<customBinding>
<binding name="UsernameBinding"> <security authenticationMode="UserNameForCertificate" requireSecurityContextCancellation ="false" requireSignatureConfirmation="false" messageProtectionOrder ="SignBeforeEncryptAndEncryptSignature" requireDerivedKeys="true">
</security>
<httpTransport/>
</binding>
</customBinding>
<wsFederationHttpBinding>
<binding name="HTTPEndpoint" closeTimeout="00:10:00" openTimeout="00:10:00"
receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true">
<security mode="Message">
<message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false"> <claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
</claimTypeRequirements>
<issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
<identity>
<certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
</identity>
</issuer>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
<behaviors>
<!-- Credentials configuration -->
<endpointBehaviors>
<behavior name="ServiceBehavior">
<clientCredentials>
<clientCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
<authentication certificateValidationMode="PeerOrChainTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="http://localhost:13422/MembershipService"
binding="wsFederationHttpBinding" bindingConfiguration="HTTPEndpoint"
contract="MembershipService.IAccountMembershipService" name="HTTPEndpoint" behaviorConfiguration="ServiceBehavior">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</client>
服務側:
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true">
<serviceActivations>
<add relativeAddress="IAccountMembershipService.svc" service="AccountMembershipService" factory="System.ServiceModel.Activation.WebServiceHostFactory" />
</serviceActivations>
</serviceHostingEnvironment>
<bindings>
<wsHttpBinding>
<binding name="federationBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" openTimeout="00:10:00">
<security mode="Message">
<message negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
<wsFederationHttpBinding>
<binding name="federationBinding" closeTimeout="00:10:00" openTimeout="00:10:00"
receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true">
<security mode="Message">
<message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false">
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
</claimTypeRequirements>
<issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
<identity>
<certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
</identity>
</issuer>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceCredentials>
<serviceCertificate findValue="CN=STSTestCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<extensions>
<behaviorExtensions>
<!-- This behavior extension will enable the service host to be Claims aware -->
<add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</behaviorExtensions>
</extensions>
<services>
<service behaviorConfiguration="serviceBehavior" name="STS.IP.Models.AccountMembershipService">
<endpoint binding="wsFederationHttpBinding" bindingConfiguration="federationBinding" name="HTTPEndpoint" contract="STS.IP.Infrastructure.IAccountMembershipService" >
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<!-- <endpoint binding="wsHttpBinding" bindingConfiguration="" name="HTTPEndpoint" contract="Aurora.WCFIsAlive.IIsAlive" />-->
</service>
</services>
抱歉大量粘貼,但希望有人能夠發現我的錯誤! 我剛剛接近錯誤的方式嗎?
謝謝您的回覆!我也嘗試過與訪問RP-STS類似的東西,但我仍然遇到了非常類似的問題。任何指針?我真的堅持這一點。 – Henry 2011-03-16 00:20:15
對不起,我不是100%確定我明白。你對RP-STS有什麼問題? – 2011-03-16 03:37:02
思考你所說的我已經看到了我的方式的錯誤。 RP-STS還具有需要訪問的服務,並且由於它依賴於IP,因此任何請求都會立即返回到IP(這顯然只是返回HTML,我知道這一點)。該項目目前已被拆分爲一個域項目,所以我只需要創建一個新的Web服務項目,而不是依賴於RP,因此該令牌將是有效的。或者至少,從我能解決的問題來看。 *雖然這些都不能解釋爲什麼卡片空間一直在彈出!希望那不會再發生。 – Henry 2011-03-16 09:53:54