0
我正在嘗試編寫一個調用REST服務的Web應用程序。 REST服務需要用戶使用OAuth令牌。使用用戶的用戶名和密碼,我可以獲得OAuth STS能夠使用的SAML令牌(下面的第一個斷言)爲我發送有效的OAuth令牌。因爲我處於Web應用程序中,所以我更願意使用ActA SAML令牌,而不是提示已經通過域(SSO)驗證的用戶的用戶名和密碼。當我配置ADFS 2.0發佈ActAs令牌(下面的第二個斷言)時,它缺少斷言的AuthnStatement部分。 OAuth STS正在抱怨這一點。聯繫他們的支持,他們告訴我配置ADFS 2.0在斷言中包含AuthnStatement或許使用自定義規則。這兩者之間當前ADFS 2.0配置的唯一區別在於授權授權選項卡。代碼中的唯一區別是使用憑據(實際用戶與委派用戶)並在RST上設置ActAs屬性。ADFS ActA令牌缺失Authn語句
有沒有辦法配置ADFS 2.0來包含它?我不認爲自定義規則會對我有好處,因爲自定義規則只會創建更多的聲明,而Authn語句不是聲明。
代碼用於創建令牌:使用實際用戶的用戶名和密碼檢索
var rst = new RequestSecurityToken
{
RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue",
AppliesTo = new EndpointReference("https://rpserver.mydomain.com/sap/bc/sec/oauth2/token"),
KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer",
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
//commented for actual user and uncommented for ActAs
//the token is from the actual user
//ActAs = new SecurityTokenElement(token)
};
SAML令牌。
<Assertion ID="_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5" IssueInstant="2014-06-18T12:49:32.815Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
G4LDaRLEEgsKa1/kRwFo+X2BWv0z32Mi0QRym5GlteU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:54:32.815Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:49:32.794Z" NotOnOrAfter="2014-06-18T13:49:32.794Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>
USERIDGOESHERE</AttributeValue>
</Attribute>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2014-06-18T12:49:32.721Z">
<AuthnContext>
<AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
SAML令牌檢索使用用戶名和密碼的一般帳戶使用委派。
<Assertion ID="_23107d88-d82d-4fa8-b12a-a447aeb6d5f2" IssueInstant="2014-06-18T12:26:03.005Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_23107d88-d82d-4fa8-b12a-a447aeb6d5f2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
sKf+1gtkbA9Hbk3H82j9dXf7zlebd3EOcrqlMyygpoY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:31:03.005Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:26:02.872Z" NotOnOrAfter="2014-06-18T13:26:02.872Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor">
<AttributeValue>
<Actor><Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="client_id" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>MLM_MAT_USER</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue a:type="tn:dateTime" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">2014-06-18T12:26:02.681Z</AttributeValue></Attribute></Actor></AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>