ADFS ActAs令牌缺少AuthnStatement
ADFS ActAs令牌缺少AuthnStatement
提问于 2014-06-18 21:26:44
我正在尝试编写一个调用REST服务的web应用程序。REST服务需要用户的OAuth令牌。使用用户的用户名和密码,我能够获得一个OAuth令牌(下面的第一个断言),SAML能够使用该令牌给我颁发一个有效的OAuth令牌。因为我在web应用程序中,所以我更喜欢使用ActAs SAML令牌,而不是提示输入已经对域(SSO)进行身份验证的用户的用户名和密码。当我配置ADFS2.0发出一个ActAs令牌(下面是第二个断言)时,它缺少断言的AuthnStatement部分。OAuth STS对此颇有微词。在联系他们的支持人员时,他们告诉我配置ADFS2.0,以便在断言中包含AuthnStatement,也许可以使用自定义规则。在当前的ADFS 2.0配置中,这两者之间的唯一区别是“Delegation Authorization”选项卡。代码中唯一的区别是使用了谁的凭据(实际用户与委托用户),并在RST上设置了ActAs属性。
有没有办法将ADFS 2.0配置为包含此功能?我不认为自定义规则对我有任何好处,因为自定义规则只会创建更多的声明,而AuthnStatement不是声明。
用于创建令牌的代码:
var rst = new RequestSecurityToken
{
RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue",
AppliesTo = new EndpointReference("https://rpserver.mydomain.com/sap/bc/sec/oauth2/token"),
KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer",
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
//commented for actual user and uncommented for ActAs
//the token is from the actual user
//ActAs = new SecurityTokenElement(token)
};使用实际用户的用户名和密码检索的SAML令牌。
<Assertion ID="_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5" IssueInstant="2014-06-18T12:49:32.815Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_d7ea7eb9-e9f6-45a8-95e4-76a53c151de5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
G4LDaRLEEgsKa1/kRwFo+X2BWv0z32Mi0QRym5GlteU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:54:32.815Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:49:32.794Z" NotOnOrAfter="2014-06-18T13:49:32.794Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>
USERIDGOESHERE</AttributeValue>
</Attribute>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2014-06-18T12:49:32.721Z">
<AuthnContext>
<AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>使用使用委派的通用帐户的用户名和密码检索的SAML令牌。
<Assertion ID="_23107d88-d82d-4fa8-b12a-a447aeb6d5f2" IssueInstant="2014-06-18T12:26:03.005Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
http://adfsservername.mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_23107d88-d82d-4fa8-b12a-a447aeb6d5f2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
sKf+1gtkbA9Hbk3H82j9dXf7zlebd3EOcrqlMyygpoY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
removed for clarity</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
removed for clarity</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
USERIDGOESHERE</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2014-06-18T12:31:03.005Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-06-18T12:26:02.872Z" NotOnOrAfter="2014-06-18T13:26:02.872Z">
<AudienceRestriction>
<Audience>
https://rpservername.mydomain.com/sap/bc/sec/oauth2/token</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="client_id">
<AttributeValue>
MLM_MAT_USER</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor">
<AttributeValue>
<Actor><Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>ACTORUSERIDGOESHERE</AttributeValue></Attribute><Attribute Name="client_id" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>MLM_MAT_USER</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeValue a:type="tn:dateTime" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">2014-06-18T12:26:02.681Z</AttributeValue></Attribute></Actor></AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>回答 1
Stack Overflow用户
发布于 2014-06-24 22:17:32
我直接联系了微软的支持人员,下面是我的解释。“这是做不到的,而且是设计出来的,所以做不到。”
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/24286825
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号