WCF for basic brokered authentication: STS with WS-Trust, WS-SecureConversation, WS-SecurityPolicies

Problem description
Hi everybody!

I have to implement one STS for the following basic brokered-authentication scenario depicted in "Figure 3. Using a broker to perform authentication when client and service do not share trust relationship":
http://msdn.microsoft.com/en-us/library/aa480569.aspx

WS-Security (Version 1.1), WS-Trust (February 2005), WS-SecureConversation (February 2005) and WS-SecurityPolicies (July 2005) should be used. Clients have to get one SecureConversationToken from the STS and authenticate with the Business-Service with the created SCT. The Business-Service should validate the Client-SCT by the STS if necessary.

WCF provides wsHttpBinding/ws2007HttpBinding. These bindings can establish SecureConversation very simply between two communication partners such as client and service (config file..). BUT how can I extend this secure-conversation scenario to be based on the brokered-authentication scenario you can see in the link before? No SAML token should be used in this scenario.

1) Can I customize the WsHttpBinding/WSHttp2007Binding to use the WS-Security specifications mentioned above?
Where will the cached SecurityContextTokens be, in the STS or in a service?
How can I get full control of SCT management in the STS?
How will the SecurityContextToken be generated?
Should I overwrite the SecurityTokenManager, SecurityTokenProvider and other classes so that I have full control over the SecureConversation mechanism? How can I make it? Does anyone have a sample of it?

2) My second idea is that I would disable the SecureConversation setting in web.config (<message establishSecurityContext="false" negotiateServiceCredential="true"/>) and would simply implement one endpoint in the STS that responds to requests with WS-SecureConversation and WS-Trust Actions like:
Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
RequestType: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
RequestType: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
........

3) How could the request from the Client with one SCT at the STS be validated? Should it be validated?

Does anyone have a sample for my problem? I need it urgently and I would be very grateful for your replies!

Thank you!
Cheers, Valentin
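One way the business service can check an SCT against the broker, as asked in question 3, is to leave WCF's own secure-conversation machinery (the RST/SCT issue and renew handling listed under 2) intact and add the check in a ServiceAuthorizationManager, which WCF calls per message after it has already verified the message's signature with the session key. The code below is an added example, not part of Valentin's post or of Microsoft's sample; the ISctBroker interface and InMemorySctBroker are assumptions standing in for whatever channel the service uses to ask the STS which context ids it issued, and the example assumes that for a message-security session the token WCF records as the message's ProtectionToken is the SecurityContextSecurityToken.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Xml;

// Hypothetical broker lookup (an assumption for this example, not a WCF type):
// lets the business service ask the STS, or a cache the STS fills, whether it
// issued a given security-context id.
public interface ISctBroker
{
    bool IsIssuedContext(UniqueId contextId);
}

// Constructed in-memory broker used only to demonstrate the check.
public sealed class InMemorySctBroker : ISctBroker
{
    private readonly HashSet<string> issued = new HashSet<string>();

    public void Register(UniqueId contextId) { issued.Add(contextId.ToString()); }

    public bool IsIssuedContext(UniqueId contextId)
    {
        return issued.Contains(contextId.ToString());
    }
}

// Per-message hook on the business service. WCF has already checked the
// signature/encryption with the session key; this adds the broker decision.
public sealed class SctAuthorizationManager : ServiceAuthorizationManager
{
    private readonly ISctBroker broker;

    public SctAuthorizationManager(ISctBroker broker) { this.broker = broker; }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        if (!base.CheckAccessCore(operationContext))
            return false;

        SecurityMessageProperty security = operationContext.IncomingMessageProperties.Security;
        if (security == null || security.ProtectionToken == null)
            return false;   // message was not protected by a session token at all

        return IsAcceptableSct(security.ProtectionToken.SecurityToken, DateTime.UtcNow);
    }

    // Pure check, kept separate so it can be exercised with a constructed token.
    public bool IsAcceptableSct(SecurityToken token, DateTime now)
    {
        var sct = token as SecurityContextSecurityToken;
        if (sct == null)
            return false;   // some other token type: not the SCT-based scenario
        if (now < sct.ValidFrom || now >= sct.ValidTo)
            return false;   // outside the lifetime the STS granted
        return broker.IsIssuedContext(sct.ContextId);   // reject contexts the STS never issued
    }
}

[ServiceContract]
public interface IBusinessService
{
    [OperationContract]
    string Echo(string text);
}

// Wiring on the business-service host: standard WCF secure conversation on
// wsHttpBinding, with the broker check layered on top.
public static class BusinessServiceHostSetup
{
    public static ServiceHost Configure(ServiceHost host, ISctBroker broker)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.EstablishSecurityContext = true;
        binding.Security.Message.NegotiateServiceCredential = true;

        host.AddServiceEndpoint(typeof(IBusinessService), binding, "business");
        host.Authorization.ServiceAuthorizationManager = new SctAuthorizationManager(broker);
        return host;
    }
}
```

The check is placed in the authorization manager rather than in a replacement SecurityTokenAuthenticator because WCF's secure-session machinery relies on its own session token authenticator for issue and renew; replacing it means re-implementing the RST/SCT handling the question lists under 2). Rejecting a message in CheckAccessCore produces an access-denied fault for the caller while the session itself stays managed by WCF, and a context id the broker does not know is the case a defender most wants to see logged at this point.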