Getting a token from ACS using client certificate credentials through WCF is a well-supported scenario.
There is an ACS sample that performs WCF client certificate authentication here; look for Acs2CertificateBindingSample. The points of interest are how it creates a binding that obtains a token from ACS:
```csharp
// Outer binding: present an ACS-issued token to the service.
public static Binding CreateServiceBinding(string acsCertificateEndpoint)
{
    return new IssuedTokenWSTrustBinding(CreateAcsCertificateBinding(), new EndpointAddress(acsCertificateEndpoint));
}

// Inner binding: authenticate to the ACS certificate endpoint with a client certificate.
public static Binding CreateAcsCertificateBinding()
{
    return new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);
}
```
and how it creates a channel factory that uses this binding and specifies the client certificate credentials:
```csharp
ChannelFactory<IStringService> stringServiceFactory = new ChannelFactory<IStringService>(Bindings.CreateServiceBinding(acsCertificateEndpoint), serviceEndpointAddress);

// Set the service credentials and disable certificate validation to work with sample certificates
stringServiceFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
stringServiceFactory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

// Set the client credentials.
stringServiceFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();
```
The sample does not use Service Bus; it is just a simple "IStringService" interface. But the same mechanism should apply to your scenario if you fold NetTcpRelayBinding into the binding composition.
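As an added example (not code from the answer above or from the ACS sample), the same channel-factory setup with the sample-only shortcut removed: the service certificate is validated by chain and revocation instead of `X509CertificateValidationMode.None`, and both certificates are loaded from the certificate store by thumbprint. `IStringService`, `HardenedAcsClient`, `LoadByThumbprint` and the store locations are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

// Hypothetical stand-in for the sample's IStringService contract.
[ServiceContract]
public interface IStringService { [OperationContract] string Echo(string value); }

public static class HardenedAcsClient
{
    // Find exactly one certificate in the current user's store by thumbprint.
    static X509Certificate2 LoadByThumbprint(StoreName name, string thumbprint, bool needPrivateKey)
    {
        var store = new X509Store(name, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true drops expired or untrusted candidates at load time.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected one certificate for thumbprint " + thumbprint);
            if (needPrivateKey && !found[0].HasPrivateKey)
                throw new InvalidOperationException("Client certificate has no private key");
            return found[0];
        }
        finally { store.Close(); }
    }

    public static ChannelFactory<IStringService> CreateFactory(string acsCertificateEndpoint,
        EndpointAddress serviceEndpointAddress, string serviceCertThumbprint, string clientCertThumbprint)
    {
        // Same composition as the sample: certificate-authenticated WS-Trust call to ACS, issued token presented to the service.
        var binding = new IssuedTokenWSTrustBinding(
            new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(acsCertificateEndpoint));
        var factory = new ChannelFactory<IStringService>(binding, serviceEndpointAddress);
        // Instead of CertificateValidationMode.None: require a trusted chain plus an online revocation check.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        // Service certificate (public key only) imported into CurrentUser\Other People (assumed location).
        factory.Credentials.ServiceCertificate.DefaultCertificate =
            LoadByThumbprint(StoreName.AddressBook, serviceCertThumbprint, false);
        // Client certificate must carry its private key; it lives in CurrentUser\My.
        factory.Credentials.ClientCertificate.Certificate =
            LoadByThumbprint(StoreName.My, clientCertThumbprint, true);
        return factory;
    }
}
```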