Decrypting a SAML 2 assertion with .NET 4.5 (System.IdentityModel) / WIF

I am trying to decrypt an encrypted SAML 2.0 assertion issued by a Java-based identity provider.
Given a security token handler set up as follows:
X509Certificate2 cert = ... // Contains private key
var serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(cert));
var issuers = new ConfigurationBasedIssuerNameRegistry();
issuers.AddTrustedIssuer("...thumbprint...", "nottherealname");
var configuration = new SecurityTokenHandlerConfiguration
{
    AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
    CertificateValidationMode = X509CertificateValidationMode.None,
    RevocationMode = X509RevocationMode.NoCheck,
    IssuerNameRegistry = issuers,
    MaxClockSkew = TimeSpan.FromMinutes(5),
    ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false)
};
var tokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
I receive an encrypted SAML assertion like this:
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <xenc:CipherData>
          <xenc:CipherValue>Fwhv/zEVi3eQvQN372L1S+pVDM5JKs1Kc2I25djuiOPdwKReCXRhnd5QL4Y8wJDWZ5vAlOxHkNAZ
OwOg4NsSI8KssrygNk4fwvNdVAGMB5ytI1QTGRqG6WwP4Em+uLN3VXbqiLWA9D6uO0BwATF9HdTb
j/IMhGCxZ1ZKrKQF5OL2PHKf4DqyNa5d9CNZenhYyYghgYrhgZtQVl/VARAp9VKsM/lbkPsEU8Ty
ow4LnTlYqBnykrOEJowN5B+HXGvfhbIBHyGzdCC+WbcEbI898zy/VhZ63VyFL2GSTdDWv10IEMy5
CHom4Qruer1xpyQMrxJ6EK30HMhVppToivgoFQ==</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>
When I try to read the token:
var tokenReader = new XmlNodeReader(xmlDoc); // XML document with root element <saml:EncryptedAssertion ....
if (!tokenHandlers.CanReadToken(tokenReader)) throw new Exception("Unreadable token");
var token = tokenHandlers.ReadToken(tokenReader);
I then get the following exception on the last line of that code:
ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.
According to the identity provider, the symmetric key used to encrypt the payload is encrypted with my public key. However, it appears that the private key from the X509 certificate is not being used to decrypt that key. That is my reading of the error message. Could the error message be misleading? What else could be wrong? Is my configuration incomplete?
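An added diagnostic example (my own code, not from the question or from WIF): a SecurityTokenResolver wrapper that can be plugged in as ServiceTokenResolver in place of the default one. It logs which key identifier clause WIF asks for while reading the EncryptedAssertion and, because the xenc:EncryptedKey above carries no KeyInfo naming the recipient certificate, falls back to the configured certificate's private key for the rsa-1_5 key unwrap. The class and member names are mine, and it assumes exactly one decryption certificate.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Wraps the default resolver, logs every clause WIF asks it to resolve, and falls back
// to the single decryption certificate when the EncryptedKey carries no KeyInfo to match.
public sealed class LoggingTokenResolver : SecurityTokenResolver
{
    private readonly SecurityTokenResolver inner;
    private readonly X509SecurityToken decryptionToken;

    public LoggingTokenResolver(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new ArgumentException("certificate has no private key", "cert");
        decryptionToken = new X509SecurityToken(cert);
        var tokens = new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { decryptionToken });
        inner = CreateDefaultSecurityTokenResolver(tokens, false);
    }

    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause clause, out SecurityKey key)
    {
        Console.WriteLine("Key requested for clause: " + clause.GetType().Name);
        if (inner.TryResolveSecurityKey(clause, out key))
            return true;
        var enc = clause as EncryptedKeyIdentifierClause;
        if (enc != null)
        {
            int refCount = enc.EncryptingKeyIdentifier == null ? 0 : enc.EncryptingKeyIdentifier.Count;
            Console.WriteLine("  EncryptedKey method=" + enc.EncryptionMethod + " KeyInfo clauses=" + refCount);
            if (refCount == 0)
            {
                // Assumption: exactly one decryption certificate is configured, so it is the only candidate.
                var rsaKey = (X509AsymmetricSecurityKey)decryptionToken.SecurityKeys[0];
                byte[] sessionKey = rsaKey.DecryptKey(enc.EncryptionMethod, enc.GetEncryptedKey());
                key = new InMemorySymmetricSecurityKey(sessionKey);
                return true;
            }
        }
        key = null;
        return false;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier id, out SecurityToken token)
        => inner.TryResolveToken(id, out token);
    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause clause, out SecurityToken token)
        => inner.TryResolveToken(clause, out token);
}
```

Wire it in with `ServiceTokenResolver = new LoggingTokenResolver(cert)` in the configuration above; the log shows whether the failing lookup is the EncryptedKey clause and how many KeyInfo references it carried. Separately, rsa-1_5 (PKCS#1 v1.5) key transport is deprecated in favour of RSA-OAEP, which is worth raising with the identity provider.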
Can you share your complete code? – 2016-12-02 16:09:24
I got the following error when it processed the attribute statement: To process encrypted attributes, extend Saml2SecurityTokenHandler and override ReadAttributeStatement. – 2016-12-02 16:34:28