
When trying to deserialize SAML tokens, can I read an SSL Cert from file instead of Certificate store

I would like to do something like this:

<microsoft.identityModel>
    <service>
      <serviceCertificate>
        <certificateReference filename="App_Data/my.domain.com.crt" />
      </serviceCertificate>
    </service>
</microsoft.identityModel>


According to the Documentation, no. To decrypt a SAML token, WIF needs access to a certificate's private key. Placing the certificate and its private key on the filesystem (especially under a folder managed by IIS - regardless of the protections offered) is generally a Bad Idea(tm). By placing the cert in the certificate store, you can much more tightly control and manage access to the certificate.


You can, but as Bobby suggests you are better off with the cert being installed on the machine store. In fact, this was a workaround when deploying applications using WIF on Windows Azure when it didn't support uploading certificates. That limitation is long gone.


I figured it out. Comment out this part in web.config

  <!--<serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint" findValue="" storeLocation="LocalMachine" storeName="My" />
  </serviceCertificate>-->

Add this code to global.asax

    // Requires: using System; using System.Collections.Generic; using System.Linq;
    protected void Application_Start()
    {
        // Hook the point where WIF has built its ServiceConfiguration but not yet used it
        Microsoft.IdentityModel.Web.FederatedAuthentication.ServiceConfigurationCreated += new EventHandler
            <Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs>(AttachCert);
    }

    protected void AttachCert(object sender, Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs e)
    {
        // Path.Combine avoids the doubled separator that string.Format produces when
        // ApplicationPhysicalPath already ends with a backslash
        var filename = System.IO.Path.Combine(
            System.IO.Path.Combine(System.Web.Hosting.HostingEnvironment.ApplicationPhysicalPath, "App_Data\\certificates"),
            "CERTNAME.pfx");

        // Load the PFX (certificate plus private key); the second argument is the PFX export password
        var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(filename, "YOURPASSWORD");

        // Make this certificate the service certificate WIF decrypts incoming tokens with
        var _configuration = e.ServiceConfiguration;
        _configuration.ServiceCertificate = cert;

        var certificates = new List<System.IdentityModel.Tokens.SecurityToken> { new System.IdentityModel.Tokens.X509SecurityToken(
                _configuration.ServiceCertificate) };

        // Find the handler responsible for EncryptedData tokens and point its resolver at our certificate too
        var encryptedSecurityTokenHandler =
                (from handler in _configuration.SecurityTokenHandlers
                 where handler is Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler
                 select handler).First() as Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler;

        _configuration.ServiceTokenResolver = encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
                System.IdentityModel.Selectors.SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);
    }
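The first two answers recommend keeping the private key in the machine certificate store rather than in a PFX under the web root, and the commented-out `certificateReference` with `FindByThumbprint` is exactly that lookup done declaratively. The following is an added example, not code from the question or any of the answers: it keeps the same `ServiceConfigurationCreated` hook as the last answer but loads the service certificate from `LocalMachine\My` by thumbprint, so no PFX password lives in source, and it fails at startup with a clear message if the certificate is absent or the app pool identity cannot read its private key. Assumptions: WIF 3.5 (`Microsoft.IdentityModel.*`) namespaces as used on the page, and an `appSettings` key named `ServiceCertThumbprint` (a hypothetical name) that holds the thumbprint.

```csharp
// Added example (not from the question or answers): load the WIF service certificate
// from the LocalMachine store by thumbprint and attach it in the same hook the last
// answer uses. The appSettings key "ServiceCertThumbprint" is a hypothetical name.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public static class ServiceCertificateLoader
{
    // Find the certificate in LocalMachine\My and verify the private key is usable by
    // this process. Problems surface at startup instead of as token-decryption failures.
    public static X509Certificate2 LoadFromMachineStore(string thumbprint)
    {
        if (string.IsNullOrEmpty(thumbprint))
            throw new ArgumentException("ServiceCertThumbprint is not configured.", "thumbprint");

        // Thumbprints pasted from the certificate MMC often carry spaces or a hidden
        // leading character; keep only hex digits so FindByThumbprint matches.
        var normalized = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly: false so an expired or untrusted certificate is still reported by name
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, normalized, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with thumbprint " + normalized + " in LocalMachine\\My.");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + normalized + " has no private key; SAML token decryption would fail.");

            // HasPrivateKey only says a key is associated; touching it proves this identity
            // (the IIS app pool account) has read access to the key container.
            try
            {
                var unused = cert.PrivateKey;
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key of " + normalized + " is not readable by this process identity; " +
                    "grant the app pool account read access to the key.", ex);
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}

public class Global : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        FederatedAuthentication.ServiceConfigurationCreated += AttachCert;
    }

    private static void AttachCert(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var cert = ServiceCertificateLoader.LoadFromMachineStore(
            ConfigurationManager.AppSettings["ServiceCertThumbprint"]);

        var config = e.ServiceConfiguration;
        config.ServiceCertificate = cert;

        // Same resolver wiring as the file-based answer, but sourced from the store.
        var tokens = new List<SecurityToken> { new X509SecurityToken(cert) };
        var resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
        config.ServiceTokenResolver = resolver;

        var encryptedHandler = config.SecurityTokenHandlers
            .OfType<EncryptedSecurityTokenHandler>()
            .FirstOrDefault();
        if (encryptedHandler != null)
            encryptedHandler.Configuration.ServiceTokenResolver = resolver;
    }
}
```

The private-key read check matters in practice: a PFX imported into `LocalMachine\My` by an administrator is readable only by administrators and SYSTEM until the application pool identity is granted access to the key, and without that grant WIF would otherwise fail later with an opaque decryption error.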
