I need to query a WS-Trust 1.4 service from .NET to enable a SAML 2.0 authentication scenario.
Edit: more precisely, I need to support the user interaction challenge on the client side, which is defined in WS-Trust 1.4.
I looked at WIF, which gives direct access to WS-Trust through WSTrustChannelFactory (see trustChannelFactory.TrustVersion ... in the snippet). But it seems to support only WS-Trust 1.3 and Feb 2005?
```csharp
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(getBinding(), "http:/localhost...");
trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;   // only WSTrust13 and WSTrustFeb2005 are offered
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken();
RequestSecurityTokenResponse rstr = null;
SecurityToken token = channel.Issue(rst, out rstr);
```

Does anyone know how to implement this kind of direct WS-Trust query with .NET?
I can't use the WSHttpFederation binding, because we need to use SAML 2.0 and the SAML 2.0 authentication request has to be retrieved from the application server before it is passed on to the IdP.
Of course I could also write my own client-side WS-Trust 1.4 implementation, but maybe there is a simpler way...
Posted on 2012-05-29 19:33:19
I extended the WIF implementation with .NET extension methods. Here you can see the first part (issuing the request with the RST and the SAML AuthnRequest) as an example of how to reuse what is already defined in WIF. I used an IL disassembler to look at how things are done inside WIF, which helped me a lot...
```csharp
using System;
using System.ServiceModel.Channels;
using System.Xml;
// WIF 3.5 namespace; in .NET 4.5 these types moved to System.IdentityModel.Protocols.WSTrust
using Microsoft.IdentityModel.Protocols.WSTrust;

// Extension methods must live in a static class.
// RequestSecurityTokenResponseWithSAML2Assertion, ProfileSelectionChallengeType and
// wsTrust14.ChoiceSelectedType, as well as the helpers serializeToXml, generateFromXml,
// SAMLSupport.addSAMLAuthenticationRequest and parseAndHandleResponse, are defined
// elsewhere in the author's code and are not shown in the post.
internal static class WSTrustChannelExtensions
{
    internal static RequestSecurityTokenResponseWithSAML2Assertion Issue(this WSTrustChannel pThis,
        string pSAML2AuthnRequest,
        Func<ProfileSelectionChallengeType, wsTrust14.ChoiceSelectedType> pProfileSelectionCallback)
    {
        if (pThis == null)
        {
            throw new ArgumentNullException("pThis");
        }
        if (pThis.ChannelFactory == null ||
            pThis.ChannelFactory.Endpoint == null ||
            pThis.ChannelFactory.Endpoint.Binding == null)
        {
            throw new InvalidOperationException("WSTrustChannel has no endpoint binding to build the message from.");
        }

        // Create RST Request
        RequestSecurityToken rst = new RequestSecurityToken("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue");
        rst.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

        // we use WS Trust 1.4 but .NET WIF only provides support for WS Trust 1.3
        // so we add the needed Challenge support and reuse most of the WIF stuff
        if (pThis.TrustVersion != System.ServiceModel.Security.TrustVersion.WSTrust13)
        {
            throw new NotSupportedException("Given WS Trust Version not supported!");
        }

        // create a WS Trust 1.3 SOAP Message
        Message issueRequest = Message.CreateMessage(pThis.ChannelFactory.Endpoint.Binding.MessageVersion,
            "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue",
            new WSTrustRequestBodyWriter(rst,
                pThis.WSTrustRequestSerializer,
                pThis.WSTrustSerializationContext));

        // add SAML Authn Request to the WS Trust request
        XmlDocument messageAsXml = issueRequest.serializeToXml();
        messageAsXml = SAMLSupport.addSAMLAuthenticationRequest(messageAsXml, pSAML2AuthnRequest);
        issueRequest = issueRequest.generateFromXml(messageAsXml);

        // invoke the WS Trust service on the STS
        Message responseMessage = pThis.Issue(issueRequest);

        // check what we received as answer...
        var response = pThis.parseAndHandleResponse(responseMessage, pProfileSelectionCallback);
        return response;
    }
}
```

https://stackoverflow.com/questions/10700714
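The three helpers the answer relies on (serializeToXml, addSAMLAuthenticationRequest, generateFromXml) are not shown in the post. The following is an added example, not the answerer's code, of how that XML round-trip can be done on the SOAP body of a WCF Message; the class and method names, and the choice to append the AuthnRequest directly under the RST element, are assumptions.

```csharp
using System;
using System.IO;
using System.ServiceModel.Channels;
using System.Xml;

internal static class WsTrustMessageXml   // hypothetical helper class
{
    private const string WsTrust13Ns = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private const string Saml2ProtocolNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Copies the <wst:RequestSecurityToken> body of a WCF Message into an XmlDocument.
    // A Message body can be read only once, so the original must not be reused afterwards.
    internal static XmlDocument BodyToXml(Message request)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        using (XmlDictionaryReader body = request.GetReaderAtBodyContents())
        {
            doc.Load(body.ReadSubtree());
        }
        return doc;
    }

    // Appends the SAML 2.0 AuthnRequest as a child of the RST element (assumed placement).
    internal static XmlDocument AddSamlAuthnRequest(XmlDocument rstBody, string saml2AuthnRequest)
    {
        XmlElement rst = rstBody.DocumentElement;
        if (rst == null || rst.LocalName != "RequestSecurityToken" || rst.NamespaceURI != WsTrust13Ns)
            throw new InvalidOperationException("Body is not a WS-Trust 1.3 RequestSecurityToken.");

        // The AuthnRequest arrives from the application server as a string; parse it with DTD
        // processing prohibited so a DOCTYPE cannot expand entities or fetch external resources.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var authn = new XmlDocument { PreserveWhitespace = true };
        using (XmlReader reader = XmlReader.Create(new StringReader(saml2AuthnRequest), settings))
        {
            authn.Load(reader);
        }
        XmlElement root = authn.DocumentElement;
        if (root == null || root.LocalName != "AuthnRequest" || root.NamespaceURI != Saml2ProtocolNs)
            throw new InvalidOperationException("Expected a SAML 2.0 <samlp:AuthnRequest> element.");

        rst.AppendChild(rstBody.ImportNode(root, true));
        return rstBody;
    }

    // Rebuilds a Message with the original SOAP version and WS-Addressing action around the new body;
    // addressing and security headers are added by the binding when the channel sends it.
    internal static Message BodyFromXml(Message original, XmlDocument newBody)
    {
        return Message.CreateMessage(original.Version, original.Headers.Action, new XmlNodeReader(newBody.DocumentElement));
    }
}
```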