This topic discusses how to configure security token handlers for a relying party application or a security token service (STS).
You can configure security token handlers through the application's configuration file, or you can programmatically create a configuration object and set it as a property of the security token handler.
It is recommended that you do not set the Configuration property on an individual token handler; set the Configuration property on the token handler collection instead. If you must set the Configuration property on an individual token handler, add the handler to the collection first and only then set the property. This is because when a token handler is added to a collection, the handler's Configuration is set to the collection's configuration and the handler's ContainingCollection property is set to the collection instance. Likewise, removing a token handler from a collection causes these properties to become null.
In addition, a token handler should not be added to more than one collection. Doing so causes errors because of the behavior described above. If multiple token handlers with different configurations are required in the same collection, add the handlers to the collection first, then create a new SecurityTokenHandlerConfiguration instance for each handler and assign it to that handler individually, so that no shared state is introduced by accident.
If an individual token handler is used without a collection, you can also set its Configuration property directly.
Security token handler configuration can also be set in the application's configuration file. The following is a sample configuration:
```xml
<microsoft.identityModel>
  <!-- This is equivalent to the ServiceConfiguration class. -->
  <service>
    <!-- This is equivalent to the default token handler collection,
         ServiceConfiguration.SecurityTokenHandlers -->
    <securityTokenHandlers>
      <!-- This is the collection-level configuration, not the handler-level
           configuration. Note that you can programmatically configure an
           individual token handler as described previously, though that is
           not recommended. However, you cannot do so in a configuration file. -->
      <securityTokenHandlerConfiguration>
        <!-- IssuerNameRegistry contains the trusted issuers list. -->
        <issuerNameRegistry />
        <!-- ServiceTokenResolver is for resolving the encryption certificates
             while decrypting the token. -->
        <serviceTokenResolver />
        <!-- IssuerTokenResolver is for resolving the signing certificates while
             verifying the signature of the token issued by an STS. -->
        <issuerTokenResolver />
        <!-- AudienceUris contains the URIs where the application expects the
             security tokens to be delivered. -->
        <audienceUris mode="Always" />
      </securityTokenHandlerConfiguration>
    </securityTokenHandlers>
    <!-- This is equivalent to looking up the ActAs token handler collection in
         the token handler collection manager using either of the following:
         ServiceConfiguration.SecurityTokenHandlerCollectionManager["ActAs"]
         ServiceConfiguration.SecurityTokenHandlerCollectionManager[
             SecurityTokenHandlerCollectionManager.Usage.ActAs]; -->
    <securityTokenHandlers name="ActAs">
    </securityTokenHandlers>
    <issuerNameRegistry ... />
    <serviceTokenResolver ... />
  </service>
  <!-- This is equivalent to creating a new ServiceConfiguration as follows:
       new ServiceConfiguration("CustomService"); -->
  <service name="CustomService">
  </service>
</microsoft.identityModel>
```
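The programmatic counterpart of the collection-level configuration above, and of the ordering rule described earlier (add the handler to the collection first, then give it its own configuration), as an added example that is not part of the original topic. The issuer thumbprint and the URIs are constructed placeholders.

```csharp
using System;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Selectors;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

class HandlerConfigurationSample
{
    public static void ConfigureHandlers()
    {
        ServiceConfiguration serviceConfig = new ServiceConfiguration();

        // Collection-level configuration: the recommended place for trusted
        // issuers and audience restrictions (the <securityTokenHandlerConfiguration>
        // element in the configuration file).
        SecurityTokenHandlerCollection handlers = serviceConfig.SecurityTokenHandlers;
        SecurityTokenHandlerConfiguration collectionConfig = handlers.Configuration;

        // Placeholder thumbprint: use the thumbprint of the STS signing certificate.
        ConfigurationBasedIssuerNameRegistry registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer("<STS-SIGNING-CERT-THUMBPRINT>", "https://sts.example.com/");
        collectionConfig.IssuerNameRegistry = registry;

        // Equivalent of <audienceUris mode="Always" />, with an assumed audience URI.
        collectionConfig.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        collectionConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://rp.example.com/"));

        // Adding a handler sets handler.Configuration to collectionConfig and
        // handler.ContainingCollection to the collection.
        Saml2SecurityTokenHandler saml2Handler = new Saml2SecurityTokenHandler();
        handlers.AddOrReplace(saml2Handler);

        // Only after the handler is in the collection: give this one handler a
        // fresh configuration instead of mutating the shared collectionConfig.
        SecurityTokenHandlerConfiguration saml2Config = new SecurityTokenHandlerConfiguration();
        saml2Config.IssuerNameRegistry = registry;
        saml2Config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        saml2Config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://rp.example.com/"));
        saml2Config.SaveBootstrapTokens = true;
        saml2Handler.Configuration = saml2Config;

        // The ActAs collection is a separate collection; a handler instance must
        // never be shared between it and the default collection.
        SecurityTokenHandlerCollection actAsHandlers =
            serviceConfig.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.ActAs];
        actAsHandlers.AddOrReplace(new Saml2SecurityTokenHandler());
    }
}
```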
Configuring Revocation and Validation Settings for X509CertificateTokenHandler
The following code shows how to programmatically configure revocation and validation settings for X509CertificateTokenHandler.
```csharp
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Configuration;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;

class Sample
{
    public static void ConfigureCustomValidator()
    {
        // 1a. Configure a service configuration object (custom)
        ServiceConfiguration serviceConfig = new ServiceConfiguration();
        serviceConfig.CertificateValidationMode = X509CertificateValidationMode.Custom;
        serviceConfig.CertificateValidator = new CustomX509Validator();

        // 1b. Configure an individual X509SecurityTokenHandler (custom)
        X509CertificateValidator customValidator = new CustomX509Validator();
        X509SecurityTokenHandler x509Handler = new X509SecurityTokenHandler(customValidator);
    }

    public static void DisableRevocationMode()
    {
        // 2a. Configure a service configuration object (change revocation mode)
        ServiceConfiguration serviceConfig = new ServiceConfiguration();
        serviceConfig.RevocationMode = X509RevocationMode.NoCheck;
        serviceConfig.TrustedStoreLocation = StoreLocation.LocalMachine;
        serviceConfig.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;

        // 2b. Configure an individual X509SecurityTokenHandler (change revocation mode)
        X509SecurityTokenHandler x509Handler = new X509SecurityTokenHandler();
        X509ChainPolicy chainPolicy = new X509ChainPolicy();
        chainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        x509Handler.CertificateValidator = X509CertificateValidator.CreateChainTrustValidator(true, chainPolicy);
    }

    class CustomX509Validator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            // Insert validation logic here.
        }
    }
}
```
How to Configure Windows Credential Mapping
The following code snippet shows how to configure Windows credential mapping:
```csharp
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml11;
using Microsoft.IdentityModel.Tokens.Saml2;

class WindowsMappingSample
{
    public static void ConfigureWindowsMapping()
    {
        // Map the subject of an X.509 certificate token to a Windows account.
        X509SecurityTokenHandler x509Handler = new X509SecurityTokenHandler();
        x509Handler.MapToWindows = true;

        // WindowsUserNameSecurityTokenHandler authenticates user name tokens against Windows.
        UserNameSecurityTokenHandler usernameHandler = new WindowsUserNameSecurityTokenHandler();

        // SAML 1.1 and SAML 2.0 tokens are mapped through their token requirement settings.
        Saml11SecurityTokenHandler saml11Handler = new Saml11SecurityTokenHandler();
        saml11Handler.SamlSecurityTokenRequirement.MapToWindows = true;

        Saml2SecurityTokenHandler saml2Handler = new Saml2SecurityTokenHandler();
        saml2Handler.SamlSecurityTokenRequirement.MapToWindows = true;
    }
}
```