A question about WIF

  • Question

  • I am currently running into the following problem. I am using claims-based single sign-on.
    I have already set up the STS service, as well as a relying party RP used for testing.
    After accessing the relying party, it automatically redirects to the STS to request a token; after the STS successfully issues the token, it returns to the RP, but the private key held by the RP cannot decrypt the public key in the token.
    FederationMeta.xml and web.config on the STS site are already correctly configured with the information the STS needs, including the public key of the x509 certificate. After capturing the token in the HTTP request with Fiddler, I found that the public key in that SAML token is exactly the public key configured in FederationMeta.

    The Web.Config of the relying party RP is also correctly configured with the certificate's private key. My current guess is that, since the configured public key comes from the rawdata of keyinfo in .Net, perhaps that information is incorrect?

    PS: The X509 certificate information configured in FederationMeta.xml on the STS service looks roughly like this:

    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>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</X509Certificate>
      </X509Data>
    </KeyInfo>
    </ds:Signature>

    How is the string inside <X509Data><X509Certificate> obtained? I currently obtain it from the keyinfo of the keydescription, but the private key cannot verify it.

    October 18, 2013 8:15
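The post asks where the base64 string inside <X509Certificate> comes from and why the RP's private key does not match it. The following is an added diagnostic example, not code from the post or from WIF itself: it shows that the element value is simply the certificate's DER bytes (X509Certificate2.RawData) base64-encoded, and it lets an RP operator confirm that the certificate advertised in the STS metadata and the certificate holding the private key in the RP's store are the same key pair. The metadata path and the thumbprint are placeholders; the store location (LocalMachine\My) is an assumption.

```csharp
// Added diagnostic example (not from the forum post or from WIF):
// 1. derive the <X509Certificate> element value from a certificate's DER bytes,
// 2. read that element back out of a FederationMetadata.xml file,
// 3. check that the RP's configured certificate is the same certificate and has a private key.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

static class FederationCertCheck
{
    // The <X509Certificate> element carries the DER-encoded certificate, base64-encoded.
    // That is exactly X509Certificate2.RawData, so taking it from KeyInfo raw data is correct.
    public static string ToMetadataElementValue(X509Certificate2 cert)
    {
        return Convert.ToBase64String(cert.RawData);
    }

    // Parse the first <X509Certificate> element in the metadata file back into a certificate.
    // The result holds the public part only; it never carries a private key.
    public static X509Certificate2 ReadMetadataCertificate(string metadataPath)
    {
        var doc = new XmlDocument();
        doc.Load(metadataPath);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        XmlNode node = doc.SelectSingleNode("//ds:X509Certificate", ns);
        if (node == null)
            throw new InvalidOperationException("No X509Certificate element found in " + metadataPath);
        byte[] der = Convert.FromBase64String(node.InnerText.Trim());
        return new X509Certificate2(der);
    }

    // Look up the certificate the RP's Web.config references, by thumbprint, in the machine store.
    // Assumption: the RP certificate lives in LocalMachine\My (the usual location for IIS sites).
    public static X509Certificate2 FindRelyingPartyCert(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate " + thumbprint + " not found in LocalMachine\\My");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Same certificate (thumbprint is the SHA-1 of the DER bytes) and the RP copy has a private key.
    // If either check fails, the token was issued for a different key pair than the RP can use.
    public static bool KeysMatch(X509Certificate2 metadataCert, X509Certificate2 rpCert)
    {
        bool sameCert = string.Equals(metadataCert.Thumbprint, rpCert.Thumbprint,
                                      StringComparison.OrdinalIgnoreCase);
        return sameCert && rpCert.HasPrivateKey;
    }

    static void Main()
    {
        // Placeholder values: replace with the real metadata path and the thumbprint from Web.config.
        const string metadataPath = @"C:\path\to\FederationMetadata.xml";
        const string rpThumbprint = "PLACEHOLDER_THUMBPRINT";

        X509Certificate2 metadataCert = ReadMetadataCertificate(metadataPath);
        X509Certificate2 rpCert = FindRelyingPartyCert(rpThumbprint);

        Console.WriteLine("Metadata cert thumbprint : " + metadataCert.Thumbprint);
        Console.WriteLine("RP cert thumbprint       : " + rpCert.Thumbprint);
        Console.WriteLine("RP cert has private key  : " + rpCert.HasPrivateKey);
        Console.WriteLine("Element value round-trips: " +
            (ToMetadataElementValue(metadataCert) == ToMetadataElementValue(rpCert)));
        Console.WriteLine("Key pair matches         : " + KeysMatch(metadataCert, rpCert));
    }
}
```

If the thumbprints differ, the STS metadata was generated from a different certificate than the one the RP holds (for example an export that was re-issued later); if they match but HasPrivateKey is false, only the public certificate was imported into the RP's store, which also explains why the RP cannot use the key.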

Answers