使用令牌身份验证的WCF over net.tcp在TokenHandler和AuthorisationManager之间丢失声明

Question

我们在WCF中使用自定义绑定来使用安全令牌(SAML)进行身份验证.我们发现我们正在获取服务器端,并且看到TokenHandler(派生自Saml11SecurityTokenHandler)正确处理并授权令牌然后返回新的ClaimsIdentity.

但是,当处理然后调用AuthorisationManager.CheckAccessCore(派生自IdentityModelServiceAuthorizationManager)时,operationContext.ServiceSecurityContext.PrimaryIdentity是一个没有填充任何内容的GenericIdentity.

我们在下面的绑定的http实现非常相似,并且工作正常,我们可以看到令牌被验证并返回ClaimsIdentity,然后我们观察AuthorizationManager处理相同的身份并允许它们通过.

该netTcp结合是基于代码之一,如下所示:

    /// <summary>
    /// NetTcp binding that supports a Saml token being passed
    /// </summary>
    public class SamlNetTcpBinding : CustomBinding
    {
        private readonly TcpTransportBindingElement _transportBindingElement;
        private readonly BinaryMessageEncodingBindingElement _encodingBindingElement;
        // private readonly SecurityBindingElement _securityBindingElement;

        /// <summary>
        /// Initializes a new instance of the <see cref="SamlNetTcpBinding"/> class.
        /// </summary>
        public SamlNetTcpBinding()
        {
            IssuerAddress = "http://www.myIssuerAddress.com/";

            _transportBindingElement = new TcpTransportBindingElement()
            {
                TransferMode = TransferMode.Streamed, PortSharingEnabled = true
            }; 
            _encodingBindingElement = new BinaryMessageEncodingBindingElement();   
        }

        /// <summary>
        /// Returns a generic collection of the binding elements from the custom binding.
        /// </summary>
        /// <returns>
        /// An <see cref="T:System.Collections.Generic.ICollection`1" /> object of type <see cref="T:System.ServiceModel.Channels.BindingElement" /> that contains the binding elements from the custom binding.
        /// </returns>
        public override BindingElementCollection CreateBindingElements()
        {
            return new BindingElementCollection()
            {
                new TransactionFlowBindingElement(TransactionProtocol.WSAtomicTransactionOctober2004),
                CreateSecurityBindingElement(),
                new SslStreamSecurityBindingElement(),
                _encodingBindingElement,
                _transportBindingElement
            };
        }

        /// <summary>
        /// Provide definition for the scheme.
        /// </summary>
        /// <returns>The URI scheme for transport used by the custom binding; or an empty string if there is no transport (<see cref="T:System.ServiceModel.Channels.TransportBindingElement" /> is null).</returns>
        public override String Scheme
        {
            get { return "net.tcp"; }
        }

        /// <summary>
        /// Gets or sets the issuer address.
        /// </summary>
        /// <value>
        /// The issuer address.
        /// </value>
        public string IssuerAddress { get; set; }

        /// <summary>
        /// Create client side binding certificate.
        /// </summary>
        /// <returns>A security Binding element</returns>
        private SecurityBindingElement CreateSecurityBindingElement()
        {
            var protectionParameters = new X509SecurityTokenParameters(
                X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);

            // Configure token issuance parameters.
            var parameters = new IssuedSecurityTokenParameters(
                SecurityTokenTypes.OasisWssSaml11TokenProfile11,
                new EndpointAddress(IssuerAddress),
                new BasicHttpBinding())
            {
                KeyType = System.IdentityModel.Tokens.SecurityKeyType.BearerKey,
                InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
            };

            var element = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(parameters);
            element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            element.EndpointSupportingTokenParameters.Endorsing.Add(protectionParameters);

            return element;
        }
    }

非常感谢任何想法或建议.由于.net管道处理大量的编排 - 很难确定身份丢失的位置.我相当确信System.ServiceModel正在某处丢失它,有什么不足之处就是为什么net.tcp传输会导致这种情况,http却没有.

谢谢

Answer 1

(对于读者的信息,我知道Chubby Ass,我们已经离线讨论过,包括分享一些额外的代码,但我发布了我可以在这里帮助其他可能遇到同样问题的人)

ServiceSecurityContext.PrimaryIdentity只会返回ClaimsIdentity,如果它是范围中唯一的那个.如果存在多于1个身份,则它无法识别哪个是主要身份,因此返回通用身份.

在您的方案中,您在上下文中有2个身份:来自SAML令牌的声明身份,还有一个表示调用者附加的客户端证书,net.tcp需要的内容,但不能用于basicHttp进行身份验证.要访问ClaimsIdentity,您需要更新ClaimsServiceAuthorisationManager,如下所示:

        var identity = securityContext.PrimaryIdentity as IClaimsIdentity;
        if (identity == null)
        {
            // If there is more than 1 identity, for example if there is also a certificate then PrimaryIdentity will be null.
            if (securityContext.AuthorizationContext.Properties.ContainsKey("Principal"))
            {
                var principal = securityContext.AuthorizationContext.Properties["Principal"] as IClaimsPrincipal;
                if (principal != null)
                {
                    identity = principal.Identity as IClaimsIdentity;
                }
            }

            if (identity == null)
            {
                throw new InvalidOperationException("PrimaryIdentity identity is not an IClaimsIdentity");
            }
        }