2014-11-05 50 views
2

Below is an example of using WSTrustChannelFactory to obtain a token. From here: how to pass a certificate to WSTrust to obtain a SAML token

using System.IdentityModel.Tokens;                    // SecurityToken, SecurityTokenTypes
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;      // WIF 3.5 WS-Trust types (AppliesTo is an EndpointAddress there)

// Values not shown in the post; placeholders for the STS URL, key type and relying-party realm
string tokenurl = "https://sts.example.invalid/trust/13/certificate";
string keyType = KeyTypes.Symmetric;
string realm = "https://rp.example.invalid/";

var stsBinding = new WS2007HttpBinding();
stsBinding.Security.Mode = SecurityMode.TransportWithMessageCredential;
stsBinding.Security.Message.EstablishSecurityContext = false;
stsBinding.Security.Message.NegotiateServiceCredential = false;
stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
    stsBinding,
    new EndpointAddress(tokenurl));
trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;

// Load the client certificate (with its private key) from LocalMachine\My by serial number
X509Store myStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
myStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection coll = myStore.Certificates.Find(X509FindType.FindBySerialNumber, "MycertSerialNumber", true);
X509Certificate2 cert = coll[0];
trustChannelFactory.Credentials.ClientCertificate.Certificate = cert;

WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();

RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue, keyType);
rst.AppliesTo = new EndpointAddress(realm);
RequestSecurityTokenResponse rstr = null;
rst.TokenType = SecurityTokenTypes.Saml;

SecurityToken token = channel.Issue(rst, out rstr);

Now, I don't have a username/password; the provider gave me a certificate .pfx file instead. How do I pass it to WSTrustChannelFactory? I tried using CertificateBinding but had no success.

Updated the code above: 5 November 2014:

Getting this error: ID3242: The security token could not be authenticated or authorized.

Answers

1

Use the ClientCertificate property:

using System.ServiceModel;
using System.ServiceModel.Security;
using System.IdentityModel.Protocols.WSTrust;   // WSTrustChannelFactory (Microsoft.IdentityModel.Protocols.WSTrust on WIF 3.5)

// Not shown in the answer: the STS endpoint (placeholder) and the loaded X509Certificate2
var stsEndpoint = new EndpointAddress("https://sts.example.invalid/trust/13/certificate");

var stsBinding = new WS2007HttpBinding();
stsBinding.Security.Mode = SecurityMode.TransportWithMessageCredential;
stsBinding.Security.Message.EstablishSecurityContext = false;
stsBinding.Security.Message.NegotiateServiceCredential = false;

// select the authentication mode of Client Certificate
stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

var wifChannelFactory = new WSTrustChannelFactory(stsBinding, stsEndpoint);
wifChannelFactory.TrustVersion = TrustVersion.WSTrust13;

// Supply the credentials (config.Certificate: the X509Certificate2 loaded from the store, including its private key)
wifChannelFactory.Credentials.ClientCertificate.Certificate = config.Certificate;

You can import the PFX into your certificate store through the certmgr.msc snap-in. Make sure the account your application runs under has access to the private key. You can then reference it in the store using X509Certificate2.

+0

Mitch, your suggestion got me further than I was before, but now I get this error: ID3242: The security token could not be authenticated or authorized. – gbs 2014-11-05 17:08:04

+0

@gbs, I assume you mean you get this error when you try to use the token you received. ID3242 is usually caused by specifying the wrong audience URI. Make sure your AppliesTo matches what the STS expects and what the RP is configured to accept. The other thing could be that the signing or encryption certificate configured on the STS does not match the RP. – Mitch 2014-11-06 00:07:24

+0

Not when using it, but when requesting the token. The STS sends me that error. I have sent it to the provider and they are looking into it as well. – gbs 2014-11-06 00:28:43

0

Here you go.

using System;
using System.IdentityModel.Protocols.WSTrust;   // .NET 4.5 WS-Trust types (EndpointReference, KeyTypes)
using System.IdentityModel.Tokens;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Security;
using Thinktecture.IdentityModel;               // X509 store helper
using Thinktecture.IdentityModel.WSTrust;       // UserNameWSTrustBinding

// Fields not shown in the answer (placeholders): STS endpoint and relying-party service address
private static readonly EndpointAddress _idpAddress = new EndpointAddress("https://sts.example.invalid/trust/13");
private static readonly Uri _serviceAddress = new Uri("https://rp.example.invalid/");

private static SecurityToken RequestSecurityToken()
{
    // set up the ws-trust channel factory
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        _idpAddress);
    factory.TrustVersion = TrustVersion.WSTrust13;

    // look the client certificate up by thumbprint in LocalMachine\My
    var authCertificate = X509.LocalMachine.My.Thumbprint.Find(Properties.Settings.Default.RassCertificateThumbprint).FirstOrDefault();
    if (authCertificate == null)
        throw new InternalException(String.Format("No authentication certificate found in store with thumbprint {0}.", Properties.Settings.Default.RassCertificateThumbprint)); // InternalException: the project's own exception type

    // authentication is based on the RASS certificate
    factory.Credentials.ClientCertificate.Certificate = authCertificate;

    // create token request
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Symmetric,
        AppliesTo = new EndpointReference(_serviceAddress.AbsoluteUri)
    };

    // request token and return
    return factory.CreateChannel().Issue(rst);
}

By the way: @Mitch is right about access to the private key. I just took your approach and replaced a few lines of code.
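As an added example (not code from the question or from either answer), the same certificate-credential WS-Trust request on the .NET 4.5 System.IdentityModel API, with a preflight for the point both answers raise: the certificate found in the store must carry a private key that the running account can actually open, otherwise the failure surfaces later as an opaque STS fault. The STS URL, realm and class name are assumed placeholders.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

static class CertificateTokenClient
{
    // Constructed placeholders; replace with the real STS endpoint and relying-party realm.
    const string StsUrl = "https://sts.example.invalid/trust/13/certificate";
    const string Realm = "https://rp.example.invalid/";

    // Find the client certificate and fail with a specific message before any WS-Trust call
    // when the private key is missing (.cer imported instead of .pfx) or unreadable by this account.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();
        if (found.Count == 0)
            throw new InvalidOperationException("No certificate with thumbprint " + thumbprint + " in LocalMachine\\My");
        var cert = found[0];
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; import the .pfx, not only the .cer");
        try { var unused = cert.PrivateKey; }   // the getter throws when the key ACL excludes the process account
        catch (CryptographicException e)
        { throw new InvalidOperationException("Private key is present but not readable by this account", e); }
        return cert;
    }

    // Same binding as the question, on the .NET 4.5 WS-Trust API (AppliesTo is an EndpointReference here).
    public static SecurityToken RequestToken(X509Certificate2 clientCert)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsUrl));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.ClientCertificate.Certificate = clientCert;
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            KeyType = KeyTypes.Symmetric,
            AppliesTo = new EndpointReference(Realm)   // must be the realm the STS has registered for the RP
        };
        RequestSecurityTokenResponse rstr;
        return factory.CreateChannel().Issue(rst, out rstr);   // a fault from the STS (such as ID3242) is thrown here
    }
}
```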

+0

pepo, I followed Mitch's suggestion and updated my code above, but now I get an error. – gbs 2014-11-05 17:08:58

+0

Where do you get this error? Is it on 'SecurityToken token = channel.Issue(rst, out rstr);' or when you try to use the received token? – pepo 2014-11-05 19:12:46

+0

Yes, it is the same line you pointed out. – gbs 2014-11-05 19:20:59