Я реализовал решение на C#, которое содержит пользовательский STS, службы WCF и простое консольное приложение для взаимодействия с обеими службами.
STS выполняет аутентификацию по имени пользователя и паролю. Вот его web.config:
<?xml version="1.0"?>
<!-- Custom STS (WIF 3.5 on .NET 4.0) web.config. It exposes one WS-Trust 1.3 endpoint that
     accepts a UserName credential under message security and issues tokens signed and
     encrypted with STSTestCert. Several validation switches below are turned off; that is
     workable on a single developer box, and each one is called out so it is not carried into
     a real deployment unchanged. -->
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<appSettings>
<add key="IssuerName" value="SecurityTokenService" />
<!-- The same certificate both signs issued tokens and decrypts what callers encrypt to the
     STS. Fine for a self-signed test certificate; a production STS normally keeps a dedicated
     signing key. -->
<add key="SigningCertificateName" value="CN=STSTestCert"/>
<add key="EncryptingCertificateName" value="CN=STSTestCert"/>
</appSettings>
<system.serviceModel>
<services>
<service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="ServiceBehavior">
<!-- Relative address: the full endpoint is <host>/Service.svc/Username/IWSTrust13, which is
     what the client app.config on this page calls. -->
<endpoint address="Username/IWSTrust13" binding="ws2007HttpBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" bindingConfiguration="ws2007HttpBindingConfiguration"/>
<host>
<baseAddresses>
<!-- Port 9090 here, whereas the relying party and the client on this page address the STS at
     http://localhost:1996/Service.svc and audienceUris below names STSService.svc.
     NOTE(review): when hosted in IIS the config baseAddresses are ignored and the site URL is
     used, which would explain the difference; confirm which host is in use. -->
<add baseAddress="http://localhost:9090/Service.svc"/>
</baseAddresses>
</host>
<!-- Metadata endpoint; the relying party's issuerMetadata element points at it. It is
     anonymous and served over plain HTTP. -->
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<ws2007HttpBinding>
<binding name="ws2007HttpBindingConfiguration">
<!-- Message security over plain HTTP: the UserName credential travels encrypted to the STS
     certificate inside the SOAP body, so the password is not on the wire in clear, but
     nothing else (including metadata retrieval) is protected at the transport level.
     Serving the endpoint over HTTPS would be the usual hardening. -->
<security mode="Message">
<!-- With mode="Message" the transport element and its channel-binding policy are not
     applied, so this block is inert. -->
<transport clientCredentialType ="None">
<extendedProtectionPolicy policyEnforcement="Never"/>
</transport>
<!-- No WS-SecureConversation session: every RST is a standalone, freshly authenticated
     request carrying the UserName token. -->
<message clientCredentialType="UserName" establishSecurityContext="false"/>
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceCredentials>
<!-- Service certificate looked up by subject name in LocalMachine\My; FindBySubjectName
     is a substring match, so a second certificate whose subject contains "STSTestCert" could
     also be selected. FindByThumbprint (as the relying party config uses) is unambiguous. -->
<serviceCertificate x509FindType="FindBySubjectName" findValue="STSTestCert" storeLocation="LocalMachine" storeName="My" />
<!-- Accepts issued tokens signed by any RSA key. The only client credential this endpoint is
     configured for is UserName (see the binding), so this presumably has no effect until an
     issued-token endpoint is added; treat it as a test-only setting. -->
<issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
<!-- Client-certificate validation is disabled; no endpoint here uses certificate client
     credentials, so this is currently unused. -->
<clientCertificate>
<authentication certificateValidationMode="None"/>
</clientCertificate>
</serviceCredentials>
<!-- WSDL is published anonymously over HTTP GET. -->
<serviceMetadata httpGetEnabled="true"/>
<!-- Keeps stack traces out of SOAP faults; leave false outside active debugging. -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<microsoft.identityModel>
<service>
<securityTokenHandlers>
<!-- Replaces the default handler (which validates against Windows accounts) with the custom
     one; the password check itself lives in CustomUserNamePasswordTokenHandler, which is not
     shown on this page. -->
<remove type="Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add type="SecurityTokenService.CustomUserNamePasswordTokenHandler" />
</securityTokenHandlers>
<!-- Chain validation and revocation checking are both off for every certificate the STS
     handles, so a self-signed or revoked certificate is accepted. For production use
     ChainTrust or PeerTrust together with Online or Offline revocation checking. -->
<certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
<audienceUris>
<!-- Applies to tokens presented to the STS itself. The URI (port 1996, STSService.svc)
     matches neither baseAddress above nor the Service.svc path the relying party uses;
     confirm the intended STS URL. -->
<add value="http://localhost:1996/STSService.svc"/>
</audienceUris>
</service>
</microsoft.identityModel>
</configuration>
После этого я добавил ссылку на STS для двух веб-служб в моей службе WCF. Вот её web.config:
<?xml version="1.0"?>
<!-- Relying-party web.config hosting two claims-aware WCF services (Service and ServiceTest).
     Each service has its own ws2007FederationHttpBinding, its own serviceBehavior and its own
     microsoft.identityModel/service section; the federatedServiceHostConfiguration name
     attribute is what ties a behavior to the matching identityModel section. -->
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<appSettings>
<!-- Location of this site's own federation metadata document, fetched over plain HTTP. -->
<add key="FederationMetadataLocation" value="http://localhost:1996/FederationMetadata/2007-06/FederationMetadata.xml" />
</appSettings>
<connectionStrings />
<!-- The metadata document must be reachable anonymously, hence the unrestricted
     authorization for this path only. -->
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<!-- ASP.NET-level authentication; the WCF endpoints below authenticate callers through the
     issued token, independently of this setting. -->
<authentication mode="Windows" />
<pages>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</controls>
</pages>
</system.web>
<system.web.extensions>
<scripting>
<webServices>
</webServices>
</scripting>
</system.web.extensions>
<system.serviceModel>
<services>
<service name="ClaimsAwareService.Service" behaviorConfiguration="ClaimsAwareService.ServiceBehavior">
<!-- Absolute http:// endpoint address under message security: the SOAP body is signed and
     encrypted, the transport is not. -->
<endpoint address="http://localhost:2059/ClaimsAwareService/Service.svc" binding="ws2007FederationHttpBinding" contract="ClaimsAwareService.IService" bindingConfiguration="ClaimsAwareService.IService_ws2007FederationHttpBinding" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
<!-- Second service, configured in parallel with the first. The client app.config on this
     page contains no endpoint or binding for it. -->
<service name="ClaimsAwareService.ServiceTest" behaviorConfiguration="ClaimsAwareService.ServiceTestBehavior">
<endpoint address="http://localhost:2059/ClaimsAwareService/ServiceTest.svc" binding="ws2007FederationHttpBinding" contract="ClaimsAwareService.IServiceTest" bindingConfiguration="ClaimsAwareService.IServiceTest_ws2007FederationHttpBinding" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ClaimsAwareService.ServiceBehavior">
<!-- name must equal the <service name> in microsoft.identityModel below. -->
<federatedServiceHostConfiguration name="ClaimsAwareService.Service" />
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<!-- Certificate the STS encrypts issued tokens to. Its thumbprint is the same one listed
     under trustedIssuers below, i.e. the relying party's certificate and the STS signing
     certificate are one and the same STSTestCert. That works on one test box; in a real
     deployment the STS signing key and the RP encryption certificate should be distinct so
     that exposure of one key does not cover both roles. -->
<serviceCertificate findValue="AD4437492F905F0C462C099F814F99C7AD38F3F5" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
</behavior>
<behavior name="ClaimsAwareService.ServiceTestBehavior">
<federatedServiceHostConfiguration name="ClaimsAwareService.ServiceTest" />
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<!-- Same certificate as ServiceBehavior; see the note there. -->
<serviceCertificate findValue="AD4437492F905F0C462C099F814F99C7AD38F3F5" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<extensions>
<behaviorExtensions>
<add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</behaviorExtensions>
</extensions>
<bindings>
<ws2007FederationHttpBinding>
<binding name="ClaimsAwareService.IService_ws2007FederationHttpBinding">
<security mode="Message">
<message>
<!-- The STS endpoint and its certificate are discovered from this mex address over plain
     HTTP; the discovered certificate is then pinned in the generated client config. Serving
     the STS metadata over HTTPS removes the dependency on an unauthenticated fetch. -->
<issuerMetadata address="http://localhost:1996/Service.svc/mex" />
<!-- Both claims are optional, so a token without a name or role claim is still accepted;
     any authorization on those claims has to happen in the service code. -->
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
</claimTypeRequirements>
</message>
</security>
</binding>
<!-- Identical to the IService binding above, including the same issuerMetadata address. -->
<binding name="ClaimsAwareService.IServiceTest_ws2007FederationHttpBinding">
<security mode="Message">
<message>
<issuerMetadata address="http://localhost:1996/Service.svc/mex" />
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
</claimTypeRequirements>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
</system.serviceModel>
<microsoft.identityModel>
<service name="ClaimsAwareService.Service">
<federatedAuthentication>
<!-- Passive (browser-redirect) WS-Federation settings. The services on this page are called
     through the active WS-Trust flow, and the issuer URL here (".../STS/") is not the STS
     endpoint the client uses (".../Service.svc/Username/IWSTrust13"); presumably this block
     is unused for the WCF endpoints. requireHttps="false" is a test-only relaxation. -->
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1996/STS/" realm="http://localhost:2059/ClaimsAwareService/Service" requireHttps="false" />
</federatedAuthentication>
<audienceUris>
<!-- A token is accepted only if its AppliesTo/audience equals this URI; it matches the
     client endpoint address in the app.config on this page. -->
<add value="http://localhost:2059/ClaimsAwareService/Service.svc" />
</audienceUris>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<!-- Tokens are accepted only when signed by the certificate with this thumbprint; "name"
     becomes the issuer name attached to the resulting claims. -->
<add thumbprint="AD4437492F905F0C462C099F814F99C7AD38F3F5" name="http://localhost:1996/Service.svc" />
</trustedIssuers>
</issuerNameRegistry>
</service>
<!-- Mirror of the section above for ServiceTest; only realm and audience differ. -->
<service name="ClaimsAwareService.ServiceTest">
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost:1996/STS/" realm="http://localhost:2059/ClaimsAwareService/ServiceTest" requireHttps="false" />
</federatedAuthentication>
<audienceUris>
<add value="http://localhost:2059/ClaimsAwareService/ServiceTest.svc" />
</audienceUris>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="AD4437492F905F0C462C099F814F99C7AD38F3F5" name="http://localhost:1996/Service.svc" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
</configuration>
Наконец, я добавил Service и ServiceTest как ссылки на службу в моё консольное приложение. Ссылка на Service добавилась без проблем, и всё работает нормально, но после добавления ServiceTest я не вижу конечной точки для этой службы в app.config. Вот мой app.config:
<?xml version="1.0" encoding="utf-8" ?>
<!-- Console client app.config as generated by Add Service Reference. Only the IService
     reference is present: there is one federation binding, one STS binding and one client
     endpoint, and nothing at all for ServiceTest. -->
<configuration>
<system.serviceModel>
<bindings>
<ws2007FederationHttpBinding>
<binding name="WS2007FederationHttpBinding_IService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<!-- The service certificate is negotiated at runtime (negotiateServiceCredential), but the
     <identity> elements in this file pin the certificate that must turn up, so a different
     certificate presented during negotiation is rejected. -->
<message algorithmSuite="Default" issuedKeyType="SymmetricKey"
negotiateServiceCredential="true">
<!-- STS endpoint; bindingConfiguration is the generated ws2007HttpBinding named after the
     same URL further down. -->
<issuer address="http://localhost:1996/Service.svc/Username/IWSTrust13"
binding="ws2007HttpBinding" bindingConfiguration="http://localhost:1996/Service.svc/Username/IWSTrust13">
<identity>
<!-- NOTE(review): encodedValue is not a base64 certificate blob in this listing;
     presumably it was elided when the question was posted. The real file should hold
     the STS certificate in the same serialized form as the client endpoint below. -->
<certificate encodedValue="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" />
</identity>
</issuer>
<issuerMetadata address="http://localhost:1996/Service.svc/mex" />
<!-- Parameters copied into each RST, taken from the relying party's metadata. -->
<tokenRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<!-- 256-bit symmetric proof key, matching issuedKeyType above. -->
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
<wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
</trust:Claims>
<!-- Algorithm set of the "Default" (Basic256) suite: RSA-OAEP key wrap, AES-256-CBC
     encryption, HMAC-SHA1 for the symmetric-key signature, exclusive C14N. SHA-1 here is
     the suite default rather than a deliberate choice; a SHA-256 suite such as
     Basic256Sha256 would need to be set consistently on the STS and the relying party. -->
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</trust:SecondaryParameters>
</tokenRequestParameters>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<!-- Binding used to talk to the STS; its name is the STS endpoint URL, which is how the
     reference generator names it. -->
<binding name="http://localhost:1996/Service.svc/Username/IWSTrust13"
closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<!-- Under mode="Message" the transport settings are not applied; the Windows credential
     named here is never sent. The STS binding on this page has clientCredentialType="None"
     for transport, consistent with that. -->
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<!-- UserName credential to the STS, encrypted to the pinned STS certificate, with no
     secure-conversation session; mirrors the STS binding on this page. -->
<message clientCredentialType="UserName" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<!-- Sole client endpoint; its address equals the relying party's audienceUri for Service. -->
<endpoint address="http://localhost:2059/ClaimsAwareService/Service.svc"
binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IService"
contract="ServiceReference.IService" name="WS2007FederationHttpBinding_IService">
<identity>
<!-- Serialized X509Certificate2 of the service certificate; the 20-byte hash after the
     header decodes to AD4437492F905F0C462C099F814F99C7AD38F3F5, the thumbprint configured
     on the relying party. The blob embeds the public certificate only. -->
<certificate encodedValue="AwAAAAEAAAAUAAAArUQ3SS+QXwxGLAmfgU+Zx6048/UgAAAAAQAAAOgCAAAwggLkMIIBzKADAgECAhA3U0RwmaYcvENVelL9IMxBMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNVBAMTC1NUU1Rlc3RDZXJ0MB4XDTExMTIyMTE2NTU0MloXDTEyMTIyMDIyNTU0MlowFjEUMBIGA1UEAxMLU1RTVGVzdENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCu2TXGBpKsTmasogT3ANb/PxGkMwQYVS7J7qLeANEmRjvdmozVmy+BMz7Sktw5LpeH+7rpiWWIT1e+BE5RFzyfSmB2CAnsqDrbRO3snzxEYKn4RZAF29YYkhaxx2xPaczGn4M4jceGImV2apsS8NSP6PXY5/9ZZHlWWcvbltz5c76+EbNqeihVh4FH3Nyql7h5kv/lD8Zmn3SBhRe/w3PhOAieT57RXL3OeIIxK/xVLe0+S/DPWLSy6FuejuiYY/ZoVVau3uCTh2Fr5o7/e9cbn4c85XnHZas4osEBoGgfbxKbvEDofbEwVr9g/oyfFA/lxLlqA4Mkn6Qi/+qCicCDAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUfJL72ZCFE8JZK3Xpk5ToMJq6N9swDQYJKoZIhvcNAQEFBQADggEBAIV4Cgtk4OtUXNTzKqsebA2BUyEbNNTo5cgDqBH7be6AChKaPMEK/PuV+Potv0iDQq1ONnKXgD76V63Lu5KQHLd+UoFrL8LMixWJhNR3scqKYNSjwlhcL/7DxwBGil1hnTralTehsWIV4JlMF9gkcwzMu1gzlYRJe8BAFmEs+zJwdSSU4VPy/sQPcDZ2U7MErMctghIPpRlTCSS2Jn/+fzRdr2e6Dy5cbghlndr0Bj0q5edLqlA5C5OwitLljtCQPRQwZTqvhlQU1h3EXMOMPoqT32pIvdC2g8TzPZz+eW51DXUTfAunnfNeddQvoKBTxbWkqeGNchQb+duGT5MeR1k=" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
Мой вопрос: почему конечная точка для ServiceTest не генерируется в клиентском прокси (app.config)? Упустил ли я что-то в конфигурации моего STS и/или службы WCF?