通过 AD FS 从 VB Win Application Form 获取 AD 用户信息

Getting AD User info from VB Win Application Form via AD FS

我有一个 Win Form 应用程序(不在 Intranet 中),我想在其中实现一个功能,您可以在其中插入 AD 凭据,并且该应用程序应通过网络发布的 ADFS(标准 https:/ /[adfsurl]/adfs/ls/idpinitiatedsignon.aspx) 并获取这些信息(例如您所属的 AD 组)。

我开始研究,但大多数示例都是针对 ASP.NET 和 Intranet 场景中的 MVC 或 WIF。

您建议采用哪种方法?

因此,我能够创建一个 MVC asp.net 项目并获取所需的信息,例如,我可以检索连接的用户组。

正如我之前提到的,这是一个 WinForms 工具,需要在用户 PC 上安装,因此 MVC 项目将无法运行。

我尝试搜索一些不需要 Web 组件的代码,最后我能够创建一些连接到我的 adfs 的代码并取回令牌。

 Dim sEndPointAddress As String = "https://domain/adfs/ls/idpinitiatedsignon.aspx"
        Dim binding As New WS2007HttpBinding()
        binding.Security.Message.EstablishSecurityContext = False
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential


        Dim trustChannelFactory As New WSTrustChannelFactory(binding, New EndpointAddress("https://domain/adfs/services/trust/13/usernamemixed"))
        trustChannelFactory.TrustVersion = TrustVersion.WSTrust13
        trustChannelFactory.Credentials.UserName.UserName = "username"

        trustChannelFactory.Credentials.UserName.Password = "password"

        Dim requestToken As New RequestSecurityToken(RequestTypes.Issue)
        requestToken.AppliesTo = New EndpointReference(sEndPointAddress)

        requestToken.Claims.Dialect = "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims"
        requestToken.Claims.Add(New RequestClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", True, "Windows account name"))
        requestToken.Claims.Add(New RequestClaim("request", True, "id"))



        Dim tokenClient As WSTrustChannel = CType(trustChannelFactory.CreateChannel(), WSTrustChannel)
        Try
            Dim token As Object = tokenClient.Issue(requestToken)

既然我有了令牌,我该如何检索我需要的广告信息?那是我发送的 RequestClaim 的一部分吗? 以及如何将从此工具生成的请求添加到依赖方信任?

我终于能够让它工作了,我不得不在 ADFS 中创建一个新的应用程序并生成一个自签名证书。

代码如下:

Private Sub GetToken()
    Const certSubject As String = "CN=[CN of the cert]"
    Dim sEndPointAddress As String = "https://domain/adfs/services/myapp"
    Dim binding As New WS2007HttpBinding()
    binding.Security.Message.EstablishSecurityContext = False
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential


    Dim trustChannelFactory As New WSTrustChannelFactory(binding, New EndpointAddress("https://domain/adfs/services/trust/13/usernamemixed"))
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13
    trustChannelFactory.Credentials.UserName.UserName = [user]
    trustChannelFactory.Credentials.UserName.Password = [password]

    Dim requestToken As New RequestSecurityToken(RequestTypes.Issue)
    requestToken.AppliesTo = New EndpointReference(sEndPointAddress)
    requestToken.RequestType = RequestTypes.Issue
    requestToken.KeyType = KeyTypes.Bearer

    requestToken.Claims.Dialect = "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims"

    Dim channel As IWSTrustChannelContract = trustChannelFactory.CreateChannel()

    Dim tokenClient As WSTrustChannel = CType(trustChannelFactory.CreateChannel(), WSTrustChannel)
    Try
        Dim token As GenericXmlSecurityToken = tokenClient.Issue(requestToken)

        Dim tokenHandlers = New SecurityTokenHandlerCollection(New SecurityTokenHandler() {New SamlSecurityTokenHandler()})
        tokenHandlers.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never
        tokenHandlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None
        tokenHandlers.Configuration.RevocationMode = X509RevocationMode.NoCheck
        tokenHandlers.Configuration.CertificateValidator = X509CertificateValidator.None
        tokenHandlers.Configuration.AudienceRestriction = New AudienceRestriction()
        tokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(New Uri(sEndPointAddress))

        Dim trusted = New TrustedIssuerNameRegistry(certSubject)
        tokenHandlers.Configuration.IssuerNameRegistry = trusted

        'convert the generic security token to a saml token
        Dim samlToken = tokenHandlers.ReadToken(New XmlTextReader(New StringReader(token.TokenXml.OuterXml)))

        'convert the saml token to a claims principal
        Dim ClaimsPrincipal = New ClaimsPrincipal(tokenHandlers.ValidateToken(samlToken).First())

        'Display token information
        Console.WriteLine("Name : " + ClaimsPrincipal.Identity.Name)
        Console.WriteLine("Auth Type : " + ClaimsPrincipal.Identity.AuthenticationType)
        Console.WriteLine("Is Authed : " + ClaimsPrincipal.Identity.IsAuthenticated.ToString())
        For Each c As System.Security.Claims.Claim In ClaimsPrincipal.Claims
            Console.WriteLine(c.Type + " / " + c.Value)
            Console.ReadLine()
           
        Next

        Form1.lbl_Hello.Text = "Hi, " + ClaimsPrincipal.Identity.Name

    Catch ex As Exception
        If ex.Message.Contains("ID3242") Then
            MsgBox("Invalid Credentials")
        Else
            MsgBox(ex.Message)
        End If

    End Try
End Sub