ASP.Net ADFS Token Encryption certificate private key
As per this link https://blogs.technet.microsoft.com/askpfeplat/2015/03/01/adfs-deep-dive-onboarding-applications/
I have set up a token encryption certificate on the relying party and exported the public key to the ADFS provider.
What changes do I need to make in the asp.net web.config to decrypt these claims? I am currently using the System.Security.Claims.ClaimsPrincipal
class to retrieve the claims.
A lot of changes are made to web.config when enabling ADFS as an identity provider. I often find it easier to simply create a new MVC project and use the Change Authentication wizard to select ADFS. Once the details are entered, it automatically updates web.config with the required settings, which you can then copy into another project.
Below I have tried to list all the entries that are needed, but I may have missed some.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="ida:FederationMetadataLocation" value="https://YOURADFS/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:Realm" value="https://YOURURL/" />
    <add key="ida:AudienceUri" value="https://YOURURL/" />
  </appSettings>
  <system.web>
    <machineKey validationKey="YOURMACHINEKEY" decryptionKey="YOURDECRYPTIONKEY" validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://YOURURL/" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <certificateValidation certificateValidationMode="None" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://YOURADFS/adfs/services/trust">
          <keys>
            <add thumbprint="YOURCERTIFICATETHUMB" />
          </keys>
          <validIssuers>
            <add name="http://YOURADFS/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" name="YOURCOOKIENAME" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://YOURADFS/adfs/ls/" realm="https://YOURURL/" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
You will of course have to replace these values with the appropriate ones for your own environment.
Got it working now, for anyone else who needs it. The following needs to be changed in web.config. Replace XXXX with your certificate thumbprint.
<system.identityModel.services>
  <federationConfiguration>
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="XXXX" storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>
    <cookieHandler requireSsl="false" />
    <wsFederation ... />
  </federationConfiguration>
</system.identityModel.services>
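An added check, not part of either answer above: the serviceCertificate reference only tells WIF where to look, so decryption still fails at runtime if the certificate in LocalMachine\My has no private key or the IIS worker process cannot read the key file. This PowerShell script verifies both; the thumbprint 'XXXX' and the app pool identity 'IIS APPPOOL\DefaultAppPool' are assumed defaults to be replaced with your own.

```powershell
# Added example (not from the original post): verify the token-encryption
# certificate that <certificateReference storeLocation="LocalMachine"
# storeName="My"> points at is usable for decryption by the web app.
# Both parameter defaults are assumptions; pass your real values.
param(
    [string]$Thumbprint = 'XXXX',                            # web.config findValue
    [string]$AppPoolIdentity = 'IIS APPPOOL\DefaultAppPool'  # assumed worker identity
)

# Normalise the thumbprint the way certlm.msc copy/paste often mangles it
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate found, but only the public half is installed; import the PFX with its private key'
}

# Resolve the on-disk key container for CAPI (RSACryptoServiceProvider) and CNG (RSACng) keys
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Private key is not RSA or could not be opened' }
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $uniqueName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container $uniqueName not found under ProgramData\Microsoft\Crypto" }

# The worker process only needs Read on the key file; anything broader is unnecessary
$access = (Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $AppPoolIdentity -and $_.AccessControlType -eq 'Allow' }
if (-not $access) {
    Write-Warning "$AppPoolIdentity has no Allow entry on $($keyFile.FullName); grant Read via certlm.msc (All Tasks > Manage Private Keys)"
} else {
    '{0} has {1} on the private key of {2}' -f $AppPoolIdentity, ($access.FileSystemRights -join ', '), $cert.Subject
}
```

Run it in an elevated PowerShell on the web server after importing the PFX; the same check is worth repeating after every certificate rollover, since a re-imported key gets a fresh key file with default ACLs.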