
WIF WSTrustSerializationException - Claims dialect cannot be set to a custom value?

Developer https://www.devze.com 2023-02-05 08:50 Source: web

I have the following code trying to make an "Issue" request with WIF.

When I run it I get the following exception. Isn't it possible to request a Security Token using Issue with a custom claim?

Additional information: ID3257: RequestSecurityToken contains at least one Claim with a Claim value specified but the RequestClaimCollection.Dialect is set to 'urn:custom_namespace:sts:1_0'. The RequestClaimCollection.Dialect must be set to 'http://docs.oasis-open.org/wsfed/authorization/200706/authclaims' for the value to be serialized out.

The code:

private const string CLAIMS_DIALECT = "urn:custom_namespace:sts:1_0";
private const string REQUEST_CLAIM_TYPE = "urn:custom_namespace:sts:1_0";
private const string REQUEST_CLAIM_VALUE = "urn:oasis:names:tc:SAML2.0:consent:current-explicit";


public System.IdentityModel.Tokens.SecurityToken RequestSecurityToken(string input)
{
    // Accepts any server certificate: this disables TLS validation process-wide.
    System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);

    // Transport security (HTTPS) with an X.509 client certificate as the message credential.
    WS2007HttpBinding binding = new WS2007HttpBinding();
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri(STS_URL)));
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;

    trustChannelFactory.Credentials.ClientCertificate.Certificate = GetCertificateBySubjectName(LOCALHOST_CERTIFICATE_SUBJECT_NAME);
    trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
    // Revocation checking of the STS certificate is switched off here.
    trustChannelFactory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

    try
    {
        RequestSecurityToken rst = new RequestSecurityToken();

        rst.AppliesTo = new EndpointAddress(new Uri(APPLIES_TO_URL), new X509CertificateEndpointIdentity(GetCertificateBySubjectName(LOGON_SERVICE_CERTIFICATE_SUBJECT_NAME)));
        rst.ActAs = BuildSecurityTokenElementFromInput(input);
        rst.RequestType = RequestTypes.Issue;
        rst.Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));
        // Custom dialect plus a RequestClaim that carries a value: this combination
        // is what the serializer rejects with ID3257.
        rst.Claims.Dialect = CLAIMS_DIALECT;
        var requestClaim = new RequestClaim(REQUEST_CLAIM_TYPE, false, REQUEST_CLAIM_VALUE);
        rst.Claims.Add(requestClaim);

        WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();

        RequestSecurityTokenResponse rstr = null;

        return channel.Issue(rst, out rstr);
    }
    finally
    {
        trustChannelFactory.Close();
    }
}


I'm not sure you need to change the rst.Claims.Dialect in order to make this work. What happens if you leave it as default?


You want to add requested claims to RequestSecurityToken. It means the STS should issue a token with the specified claims. Basically there is no need to do it, but if you are sure, you must set the dialect. That is true.

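An added example (not code from the question or the answers) that builds the same Issue request with the dialect the ID3257 message names, so the claim value is serialized, and keeps server-certificate validation on instead of the blanket callback and NoCheck from the question. It assumes the WIF 3.5 Microsoft.IdentityModel namespaces; the URLs and certificate are caller-supplied placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Tokens;

static class IssueRequestExample
{
    // Dialect required by ID3257 whenever a RequestClaim carries a value
    // (literal taken from the exception text in the question).
    private const string AUTHCLAIMS_DIALECT =
        "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims";
    // Claim type/value as used in the question.
    private const string REQUEST_CLAIM_TYPE = "urn:custom_namespace:sts:1_0";
    private const string REQUEST_CLAIM_VALUE = "urn:oasis:names:tc:SAML2.0:consent:current-explicit";

    public static RequestSecurityToken BuildIssueRequest(string appliesToUrl, SecurityTokenElement actAs)
    {
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointAddress(appliesToUrl),
            ActAs = actAs,
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)),
        };
        // A custom dialect is only accepted for claims without a value; with a
        // value the serializer insists on the authclaims dialect.
        rst.Claims.Dialect = AUTHCLAIMS_DIALECT;
        rst.Claims.Add(new RequestClaim(REQUEST_CLAIM_TYPE, false, REQUEST_CLAIM_VALUE));
        return rst;
    }

    public static WSTrustChannelFactory CreateFactory(string stsUrl, X509Certificate2 clientCert)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsUrl));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.ClientCertificate.Certificate = clientCert;
        // No ServicePointManager callback returning true: the STS certificate is
        // chain-validated and revocation is checked online.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        return factory;
    }
}
```

Call `((WSTrustChannel)CreateFactory(...).CreateChannel()).Issue(BuildIssueRequest(...), out rstr)` exactly as the question does; only the dialect and the validation settings differ.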
