0

Azure ACS で動作するように WCF を構成しようとしています。この WCF 構成には 2 つのバグがあります。

  1. MEX エンドポイントは公開しません。
  2. カスタム動作拡張は呼び出されません。(覚えていない変更を加えた後、それをやめました)

ここで何が間違っている可能性がありますか?

<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
  </system.web>
  <system.serviceModel>
    <services>
      <service name="production" behaviorConfiguration="AccessServiceBehavior">
        <endpoint contract="IMetadataExchange"
                  binding="mexHttpsBinding"
                  address="mex" />
        <endpoint address=""
                  binding="customBinding"
                  contract="Samples.RoleBasedAccessControl.Service.IService1"
                  bindingConfiguration="serviceBinding" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="AccessServiceBehavior">
          <federatedServiceHostConfiguration />
          <sessionExtension/>
          <useRequestHeadersForMetadataAddress>
            <defaultPorts>
              <add scheme="http" port="8000" />
              <add scheme="https" port="8443" />
            </defaultPorts>
          </useRequestHeadersForMetadataAddress>
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpsGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <!--Certificate added by FedUtil.  Subject='CN=DefaultApplicationCertificate', Issuer='CN=DefaultApplicationCertificate'.-->
            <serviceCertificate findValue="XXXXXXXXXXXXXXX" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <extensions>
      <behaviorExtensions>
        <add name="sessionExtension"
             type="Samples.RoleBasedAccessControl.Service.RsaSessionServiceBehaviorExtension, Samples.RoleBasedAccessControl.Service, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <add name="federatedServiceHostConfiguration"
             type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </behaviorExtensions>
    </extensions>
    <protocolMapping>
      <add scheme="http" binding="customBinding" bindingConfiguration="serviceBinding" />
      <add scheme="https" binding="customBinding" bindingConfiguration="serviceBinding"/>
    </protocolMapping>
    <bindings>
      <customBinding>
        <binding name="serviceBinding">
          <security authenticationMode="SecureConversation"
          messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
          requireSecurityContextCancellation="false">
            <secureConversationBootstrap
              authenticationMode="IssuedTokenOverTransport"
              messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
              <issuedTokenParameters>
                <additionalRequestParameters>
                  <AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">
                    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                      <Address>https://127.0.0.1:81/</Address>
                    </EndpointReference>
                  </AppliesTo>
                </additionalRequestParameters>
                <claimTypeRequirements>
                  <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                  <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                  <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" isOptional="true" />
                  <add claimType="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" isOptional="true" />
                </claimTypeRequirements>
                <issuerMetadata address="https://XXXXYYYY.accesscontrol.windows.net/v2/wstrust/mex" />
              </issuedTokenParameters>
            </secureConversationBootstrap>
          </security>
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="http://127.0.0.1:81/" />
      </audienceUris>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="THUMBPRINT HERE" name="https://XXXYYYY.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
  <appSettings>
    <add key="FederationMetadataLocation" value="https://XXXYYYY.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml " />
  </appSettings>
</configuration>

編集:実装の詳細については、次の動作拡張要素があります(現在は呼び出されていません)

 public class RsaSessionServiceBehaviorExtension : BehaviorExtensionElement
{
    public override Type BehaviorType
    {
        get
        {
            return typeof(RsaSessionServiceBehavior);
        }
    }
    protected override object CreateBehavior()
    {
        return new RsaSessionServiceBehavior();
    }
}

名前空間とアセンブリは構成で正しいです。トークンの検証を確認するためのコードは他にもありますが、私の意見では、少なくとも MEX を公開し、さらに先に進むには CreateBehavior() を呼び出す必要があります。

4

0 に答える 0