Using ADFS 2 as the IP and protecting a backend WCF service with WIF

Eug*_* S. 5 wcf adfs wif adfs2.0

I am having problems using ADFS 2 to protect a backend WCF service that is called from a passively federated website. I have passive federation working on the website, but the backend service is giving me trouble.

The pieces of the puzzle:

  1. A Silverlight client served from the passively federated website.
  2. Silverlight calls a WCF service (App Service) hosted on the passively federated website.
  3. I have set SaveBootstrapToken to true in the configuration.
  4. From the App Service, I want to use the BootstrapToken with the ActAs scenario to call the backend WCF service.
  5. The federated website and the backend WCF service are set up as separate RPs in ADFS 2, with token encryption enabled. Both are allowed to delegate.

Backend service configuration:

I use a behavior extension to merge WIF into the pipeline.

<ws2007FederationHttpBinding>
  <binding name="WS2007FederationHttpBinding_IQuoteService">
    <security mode="TransportWithMessageCredential">
      <message establishSecurityContext="false">
        <issuer address="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256">
        </issuer>
        <issuerMetadata address="https://myADFSserver/adfs/services/trust/mex">
        </issuerMetadata>
      </message>
    </security>
  </binding>
</ws2007FederationHttpBinding>


<behaviors>
  <serviceBehaviors>
    <behavior name="">
      <federatedServiceHostConfiguration name="Service.QuoteService" />
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <serviceCertificate findValue="000000000000000000000000000000" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

<services>
  <service name="Service.QuoteService">
    <endpoint address="" binding="ws2007FederationHttpBinding" contract="Service.IQuoteService" bindingConfiguration="WS2007FederationHttpBinding_IQuoteService" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service>
</services>

Client configuration

When the service is added with the "Add Service Reference" tool, the following configuration is created on the client:

<customBinding>
  <binding name="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256">
    <security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenOverTransport"
      requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
      keyEntropyMode="CombinedEntropy" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
      <issuedTokenParameters keySize="256" keyType="SymmetricKey" tokenType="">
        <additionalRequestParameters>
          <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
            <trust:KeySize>256</trust:KeySize>
            <trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
            <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
            <trust:SignatureAlgorithm>http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignatureAlgorithm>
            <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
            <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
          </trust:SecondaryParameters>
        </additionalRequestParameters>
      </issuedTokenParameters>
      <localClientSettings cacheCookies="true" detectReplays="false"
        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
      <localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00"
        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
        reconnectTransportOnFailure="true" maxPendingSessions="128"
        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
      <secureConversationBootstrap />
    </security>
    <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
      messageVersion="Default" writeEncoding="utf-8">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    </textMessageEncoding>
    <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
      maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
      bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
      keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
      realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
      useDefaultWebProxy="true" requireClientCertificate="false" />
  </binding>
</customBinding>


<ws2007FederationHttpBinding>
  <binding name="WS2007FederationHttpBinding_IQuoteService" closeTimeout="00:01:00"
    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
    maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
    textEncoding="utf-8" useDefaultWebProxy="true">
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    <reliableSession ordered="true" inactivityTimeout="00:10:00"
      enabled="false" />
    <security mode="Message">
      <message algorithmSuite="Default" issuedKeyType="SymmetricKey"
        negotiateServiceCredential="true">
        <issuer address="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256"
          binding="customBinding" bindingConfiguration="https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256" />
        <issuerMetadata address="https://myADFSserver/adfs/services/trust/mex" />
        <tokenRequestParameters>
          <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
            <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
            <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
              xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
              <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
            </trust:Claims>
            <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
            <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
            <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
            <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
            <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
          </trust:SecondaryParameters>
        </tokenRequestParameters>
      </message>
    </security>
  </binding>
</ws2007FederationHttpBinding>


<client>
  <endpoint address="http://myServiceHost/Service/QuoteService.svc"
    binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IQuoteService"
    contract="QuoteService.IQuoteService" name="WS2007FederationHttpBinding_IQuoteService">
    <identity>
      <certificate encodedValue="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
    </identity>
  </endpoint>
</client>

Here is the service client code:

using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust; // ConfigureChannelFactory / CreateChannelActingAs extension methods

// Method signature taken from the stack trace below (QuoteServiceClient.GetQuotes(User quoteUser)).
public List<Quote> GetQuotes(User quoteUser)
{
    List<Quote> quoteList = new List<Quote>();

    // The bootstrap token is only present when SaveBootstrapToken is true on the federated website.
    ClaimsPrincipal myClaimsPrincipal = System.Web.HttpContext.Current.User as ClaimsPrincipal;
    SecurityToken bootstrapToken = myClaimsPrincipal.Identities[0].BootstrapToken;
    if (bootstrapToken == null)
    {
        throw new Exception("bootstrap token is null. Logout and try again.");
    }

    ChannelFactory<IQuoteServiceChannel> factory = new ChannelFactory<IQuoteServiceChannel>("WS2007FederationHttpBinding_IQuoteService");
    factory.Credentials.SupportInteractive = false;

    factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "0000000000000000000000000000");
    factory.ConfigureChannelFactory();

    // Create the channel with the bootstrap token (ActAs)
    IQuoteServiceChannel channel = factory.CreateChannelActingAs(bootstrapToken);

    try
    {
        quoteList = channel.GetQuotes(quoteUser);
        channel.Close();
    }
    catch (Exception)
    {
        // SecurityAccessDeniedException, CommunicationException, TimeoutException and anything else:
        // a faulted channel must be aborted, not closed, before the exception propagates.
        channel.Abort();
        throw;
    }

    return quoteList;
}

Here is the exception I get:

System.ServiceModel.Security.SecurityNegotiationException was unhandled by user code
  Message=SOAP security negotiation with 'https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256' for target 'https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256' failed. See inner exception for more details.
  Source=mscorlib
  StackTrace:
    Server stack trace: 
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at Microsoft.IdentityModel.Protocols.WSTrust.FederatedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.TryGetTokenSynchronouslyForOutgoingSecurity(Message message, SecurityProtocolCorrelationState correlationState, Boolean isBlockingCall, TimeSpan timeout, SecurityToken& token, SecurityTokenParameters& tokenParameters, SecurityToken& prerequisiteWrappingToken, IList`1& supportingTokens, SecurityProtocolCorrelationState& newCorrelationState)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.SecureOutgoingMessageCore(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
       at System.ServiceModel.Security.MessageSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at OMG.Admin.DemoApp.Business.QuoteService.IQuoteService.GetQuotes(User quoteUser)
       at OMG.Admin.DemoApp.Business.QuoteServiceClient.GetQuotes(User quoteUser) in C:\OMG_TFS01\OMG.Admin\OMG.Admin.DemoApp\OMG.Admin.DemoApp.Business\QuoteServiceClient.cs:line 131
       at OMG.Admin.DemoApp.Business.QuoteBO.GetQuoteList() in C:\OMG_TFS01\OMG.Admin\OMG.Admin.DemoApp\OMG.Admin.DemoApp.Business\QuoteBO.cs:line 26
       at OMG.Admin.DemoApp.Web.Services.DemoAppService.GetQuotes() in C:\OMG_TFS01\OMG.Admin\OMG.Admin.DemoApp\OMG.Admin.DemoApp.Web\Services\DemoAppService.svc.cs:line 27
       at SyncInvokeGetQuotes(Object , Object[] , Object[] )
       at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
       at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
  InnerException: System.InvalidOperationException
       Message=The address of the security token issuer is not specified. An explicit issuer address must be specified in the binding for target 'https://myADFSserver/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256' or the local issuer address must be configured in the credentials.
       Source=mscorlib
       StackTrace:
         Server stack trace: 
            at System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
            at System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, Boolean disableInfoCard)
            at Microsoft.IdentityModel.Protocols.WSTrust.FederatedClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
            at System.ServiceModel.Security.SecurityProtocol.AddSupportingTokenProviders(SupportingTokenParameters supportingTokenParameters, Boolean isOptional, IList`1 providerSpecList)
            at System.ServiceModel.Security.SecurityProtocol.OnOpen(TimeSpan timeout)
            at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
            at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
            at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
            at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
            at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
            at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
         Exception rethrown at [0]: 
            at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
            at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
            at System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
            at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       InnerException:

I am sure I am missing something in the configuration and/or the code. Can anyone help me?

Eug*_* S. 4

I got this scenario working; here's the solution for anyone interested.


Follow Dominick Baier's post for ideas/code: http://leastprivilege.com/2010/10/14/wif-adfs-2-and-wcfpart-5-service-client-more-flexibility-with-wstrustchannelfactory/


I changed the backend WCF service configuration to:

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="https://localhost/Service/QuoteService.svc" />
      <add value="https://localhost/Service/" />
    </audienceUris>
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
    </serviceCertificate>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="000000000000000000000000000000000000" name="http://myADFSserver/adfs/services/trust" />
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
  </service>
</microsoft.identityModel>

<system.serviceModel>
  <services>
    <service name="Service.QuoteService">
      <endpoint address=""
                binding="ws2007FederationHttpBinding"
                contract="Service.IQuoteService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding>
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false">
            <issuerMetadata address="https://myADFSserver/adfs/services/trust/mex" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceMetadata httpsGetEnabled="true" />
        <federatedServiceHostConfiguration />
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <extensions>
    <behaviorExtensions>
      <add name="federatedServiceHostConfiguration"
           type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </behaviorExtensions>
  </extensions>
</system.serviceModel>

I'm no longer using WCF configuration on the client; it's all done in code.


Here is the client code:

using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;

public class QuoteServiceClient
{
    // The addresses used below were not declared in the original snippet; these values are
    // taken from the configuration above and from the comment on the usernamemixed endpoint.
    private const string svcEndpoint = "https://localhost/Service/QuoteService.svc";
    private const string ServiceAppliesTo = "https://localhost/Service/QuoteService.svc";
    private const string UserNameMixed = "https://myADFSserver/adfs/services/trust/13/usernamemixed";

    private IQuoteServiceChannel channel;

    public QuoteServiceClient()
    {
        SecurityToken actAsToken = this.GetDelegatedTokenUsername();
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;

        ChannelFactory<IQuoteServiceChannel> factory =
                        new ChannelFactory<IQuoteServiceChannel>(binding, new EndpointAddress(svcEndpoint));
        factory.ConfigureChannelFactory<IQuoteServiceChannel>();
        factory.Credentials.SupportInteractive = false;

        this.channel = factory.CreateChannelWithIssuedToken<IQuoteServiceChannel>(actAsToken);
    }

    private SecurityToken GetDelegatedTokenUsername()
    {
        var binding = new UserNameWSTrustBinding();
        binding.SecurityMode = SecurityMode.TransportWithMessageCredential;

        //UserNameMixed is this endpoint "/adfs/services/trust/13/usernamemixed"
        WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(UserNameMixed));
        trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;

        trustChannelFactory.Credentials.SupportInteractive = false;
        //Some User Account
        //It's used to access the ADFS Server
        //Act as is the actual Identity that Will be used.
        //If you use one of windows bindings (ex. windowstransport), you wont need this.
        //The AppPool identity will be used then.
        trustChannelFactory.Credentials.UserName.UserName = @"domain\username";
        trustChannelFactory.Credentials.UserName.Password = "password";

        try
        {
            RequestSecurityToken rst = new RequestSecurityToken();
            rst.RequestType = WSTrust13Constants.RequestTypes.Issue;
            rst.AppliesTo = new EndpointAddress(ServiceAppliesTo);

            //This part will give you identity of logged in user
            rst.ActAs = new SecurityTokenElement(this.GetBootStrapToken());

            var channel = trustChannelFactory.CreateChannel();
            RequestSecurityTokenResponse rstr = null;
            SecurityToken delegatedToken = channel.Issue(rst, out rstr);

            return delegatedToken;
        }
        catch (Exception ex)
        {
            throw new Exception(ex.Message, ex);
        }
        finally
        {
            try
            {
                if (trustChannelFactory.State == CommunicationState.Faulted)
                {
                    trustChannelFactory.Abort();
                }
                else
                {
                    trustChannelFactory.Close();
                }
            }
            catch (Exception)
            { }
        }
    }

    private SecurityToken GetBootStrapToken()
    {
        ClaimsPrincipal myClaimsPrincipal = System.Web.HttpContext.Current.User as ClaimsPrincipal;
        SecurityToken bootstrapToken = myClaimsPrincipal.Identities[0].BootstrapToken;

        if (bootstrapToken == null)
        {
            throw new Exception("bootstrap token is null. Logout and try again.");
        }
        return bootstrapToken;
    }
}

This all works fine, but you won't have the proper claims on the backend WCF service. Using this excellent article I was able to sort out the claims in ADFS: http://technet.microsoft.com/en-us/library/adfs2-identity-delegation-step-by-step-guide.aspx. Scroll down to "Enable identity delegation and fix the claim issuance rules on CONTOSODC". I also removed claim encryption from the passively federated website.


After doing this, I have the same claims in the App Service and in the backend WCF service.


I hope this helps someone in the same situation as I was.
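As an added example (not code from the question or the answer above), a WIF 3.5 ClaimsAuthorizationManager for the backend service that checks the delegation chain carried in the token, so that only tokens issued through the ActAs flow, by the trusted ADFS issuer named in the answer's configuration, and with the expected delegate account as the Actor, are accepted. The type name, assembly name and the AllowedActor value are assumptions, and it assumes ADFS issues a name claim for the delegate.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace Service
{
    // Added example, not code from the question or the answer.
    // Register it on the backend service with
    //   <microsoft.identityModel><service>
    //     <claimsAuthorizationManager type="Service.DelegationAuthorizationManager, Service" />
    // (the type and assembly names are assumptions).
    public class DelegationAuthorizationManager : ClaimsAuthorizationManager
    {
        // Issuer name as registered in the answer's <trustedIssuers> element.
        private const string TrustedIssuer = "http://myADFSserver/adfs/services/trust";

        // Placeholder: the service account the App Service uses to call ADFS (the
        // "domain\username" credential in the answer), i.e. the only permitted delegate.
        private const string AllowedActor = @"DOMAIN\appservice-account";

        public override bool CheckAccess(AuthorizationContext context)
        {
            IClaimsPrincipal principal = context.Principal;
            if (principal == null || principal.Identities.Count == 0)
                return false;

            IClaimsIdentity subject = principal.Identities[0];
            if (!subject.IsAuthenticated)
                return false;

            // Every claim about the end user must come from the trusted STS; a claim
            // from any other issuer means the token did not pass through ADFS.
            if (subject.Claims.Any(c => c.Issuer != TrustedIssuer))
                return false;

            // ActAs tokens carry the delegating party in Actor. No Actor means the
            // caller presented a non-delegated token, which this service does not accept.
            IClaimsIdentity actor = subject.Actor;
            if (actor == null)
                return false;

            // Exactly one hop is expected (App Service acting as the user); reject deeper chains.
            if (actor.Actor != null)
                return false;

            string actorName = NameOf(actor);
            if (!string.Equals(actorName, AllowedActor, StringComparison.OrdinalIgnoreCase))
                return false;

            // Delegation chain is as expected; defer to the default decision (allow).
            return base.CheckAccess(context);
        }

        private static string NameOf(IClaimsIdentity identity)
        {
            return identity.Claims
                .Where(c => c.ClaimType == ClaimTypes.Name)
                .Select(c => c.Value)
                .FirstOrDefault();
        }
    }
}
```

The answer's `<certificateValidation certificateValidationMode="None" />` is worth revisiting outside a lab for the same reason: with ChainTrust or PeerTrust the STS signing certificate is actually validated before any of its claims, including the Actor chain checked here, are trusted.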
