如何驗證SAML2.0在可互操作的WCF服務中的聲明

Question

我現在已經抓了幾天眼睛，讓我的WCF服務驗證了一個簡單的SAML2聲明。我正在使用Axis2客戶端進行測試，但它也應該支持Java，C++等。

我只希望做令牌上的幾個驗證： 1.證書頒發者（從有效發行人名單） 2.證書日期 3.觀衆URL

所以我應該能夠做到自定義證書驗證。證書在服務器上是未知的，它是SAML斷言的一部分。 這是所使用的SAML斷言：

<saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="_7d8e48d69047d3c3da278b33b8f13485" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> 
<saml:Issuer>demo.com</saml:Issuer> 
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo> 
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
<ds:Reference URI="#_7d8e48d69047d3c3da278b33b8f13485"> 
<ds:Transforms> 
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">  <ec:InclusiveNamespaces PrefixList="ds saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
    </ds:Transform> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>  <ds:DigestValue>SsVSD3gENtKpZTjJBHNovQVXa4o=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo> 
<ds:SignatureValue>Mn+FNBrlyWz5nDBViB1+jNnwL/QDAtE0uxgNT/fi6O+e2/eeXggsPYPSQYwv+EeC 8h9lcJ5nzVKknrO2Ny4Ob3UsrmH3YQdj0iaCABb0EMC8tFV1M1taD4USLscUhucd hTl2WQEj/rgCtHzratkBXOlmumTUu+ra8P/1Aef0oO0=</ds:SignatureValue> 
<ds:KeyInfo><ds:KeyName>demo.com</ds:KeyName> 
<ds:X509Data><ds:X509SubjectName>emailAddress=info@demo.com,CN=demo.com,OU=Development,O=demo,ST=Utrecht,C=NL</ds:X509SubjectName> 
<ds:X509Certificate>MI ... mQ= </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature> 
<saml:Subject><saml:NameID SPProvidedID="lipse" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lipse</saml:NameID> 
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject> 
<saml:Conditions NotOnOrAfter="2011-03-29T09:54:40Z" NotBefore="2011-03-29T09:44:40Z"> 
<saml:AudienceRestriction><saml:Audience>http://blabla</saml:Audience></saml:AudienceRestriction></saml:Conditions> 
</saml:Assertion> 

我試過的wsHttpBinding，wsFederationHttpBinding，ws2007FederationHttpBinding，甚至customBinding。有或沒有WIF？我不知道了。

我目前正在與此錯誤掙扎：

SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier 
(
IsReadOnly = False, 
Count = 2, 
Clause[0] = KeyNameIdentifierClause(KeyName = 'risdemo.delftdi.com'), 
Clause[1] = X509RawDataKeyIdentifierClause(RawData = MI....mQ=) 
) 
`. Ensure that the SecurityTokenResolver is populated with the required key. 

我的綁定：

<wsHttpBinding> 
    <binding name="_HTTP"> 
     <security mode="Message"> 
     <transport clientCredentialType="None" proxyCredentialType="None" /> 
     <message clientCredentialType="IssuedToken" negotiateServiceCredential="False" 
      establishSecurityContext="False"/> 
     </security> 
    </binding> 
</wsHttpBinding> 

ServiceCredentials：

<serviceCredentials> 
     <issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"> 
      <allowedAudienceUris> 
      <add allowedAudienceUri="http://blabla"/> 
      </allowedAudienceUris> 
     </issuedTokenAuthentication> 
     <serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94" 
      storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" /> 
     </serviceCredentials> 

WIF：

<microsoft.identityModel> 
<service> 
    <audienceUris> 
    <add value="http://blabla"/> 
    </audienceUris> 
    <securityTokenHandlers> 
    <clear /> 
    <add type="ServiceHostConsole.myHandler, ServiceHostConsole"></add> 
    <!-- <securityTokenHandlerConfiguration saveBootstrapTokens="false"> 
     <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> 
     <certificateValidation> 
     <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"/> 
     </certificateValidation> 
     <issuerNameRegistry type="ServiceHostConsole.SimpleIssuerRegistery, ServiceHostConsole"> 
     </issuerNameRegistry> 
     <tokenReplayDetection enabled="false"></tokenReplayDetection> 
     <audienceUris mode="Always"> 
     <add value="http://blabla"/> 
     </audienceUris> 
    </securityTokenHandlerConfiguration> --> 
    </securityTokenHandlers> 
    <!-- <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> --> 
    <certificateValidation certificateValidationMode="None" revocationMode="NoCheck"> 
    <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole" /> 
    </certificateValidation> 
</service> 

我真的很想重寫認證驗證，就像這個頁面上：http://msdn.microsoft.com/en-us/library/ms733806.aspx。 但我似乎無法得到它的工作，沒有可能的自定義驗證是擊中重寫的Validate（）函數。

有沒有人能夠至少給我一個方向？

在此先感謝！

問候，

Dirco

Answer 1

開箱WIF驗證不工作的？從表面上看，WIF看起來應該不做任何定製/擴展。檢查WIF SDK示例或Web服務示例here。