Azure ACS で動作するように WCF を構成しようとしています。この WCF 構成には 2 つのバグがあります。
- MEX エンドポイントは公開しません。
- カスタム動作拡張が呼び出されません。(何かを変更した後から呼び出されなくなったのですが、その変更が何だったか覚えていません)
ここで何が間違っている可能性がありますか?
<configuration>
<configSections>
<section name="microsoft.identityModel"
type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<!-- FederationMetadata is left anonymous so the relying-party metadata can be fetched without a token. -->
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<!-- debug="true" is a development setting; set it to false before deployment, like serviceDebug below. -->
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
</system.web>
<system.serviceModel>
<services>
<!-- NOTE(review): WCF selects this element by the service implementation's fully qualified type name
(or the name used by the .svc Factory). If the implementation is not literally named "production",
nothing in this element is applied: neither the mex endpoint nor AccessServiceBehavior (and with it the
sessionExtension behavior) is loaded and .NET 4 falls back to default endpoints, which would explain both
symptoms. Confirm against the service class and the .svc file. -->
<service name="production" behaviorConfiguration="AccessServiceBehavior">
<!-- Metadata is only offered over https (mexHttpsBinding here, httpsGetEnabled below); the site must have
an https binding for this endpoint to be reachable. -->
<endpoint contract="IMetadataExchange"
binding="mexHttpsBinding"
address="mex" />
<endpoint address=""
binding="customBinding"
contract="Samples.RoleBasedAccessControl.Service.IService1"
bindingConfiguration="serviceBinding" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AccessServiceBehavior">
<!-- Both extension names below are registered under extensions/behaviorExtensions further down. -->
<federatedServiceHostConfiguration />
<sessionExtension/>
<useRequestHeadersForMetadataAddress>
<defaultPorts>
<add scheme="http" port="8000" />
<add scheme="https" port="8443" />
</defaultPorts>
</useRequestHeadersForMetadataAddress>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<!--Certificate added by FedUtil. Subject='CN=DefaultApplicationCertificate', Issuer='CN=DefaultApplicationCertificate'.-->
<!-- findValue is a redacted thumbprint placeholder in this listing. -->
<serviceCertificate findValue="XXXXXXXXXXXXXXX" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<extensions>
<behaviorExtensions>
<!-- The element name "sessionExtension" must match the element used inside the behavior above; the type
string must be the exact assembly-qualified name of the BehaviorExtensionElement subclass. -->
<add name="sessionExtension"
type="Samples.RoleBasedAccessControl.Service.RsaSessionServiceBehaviorExtension, Samples.RoleBasedAccessControl.Service, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<add name="federatedServiceHostConfiguration"
type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</behaviorExtensions>
</extensions>
<protocolMapping>
<add scheme="http" binding="customBinding" bindingConfiguration="serviceBinding" />
<add scheme="https" binding="customBinding" bindingConfiguration="serviceBinding"/>
</protocolMapping>
<bindings>
<customBinding>
<binding name="serviceBinding">
<security authenticationMode="SecureConversation"
messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSecurityContextCancellation="false">
<secureConversationBootstrap
authenticationMode="IssuedTokenOverTransport"
messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
<issuedTokenParameters>
<additionalRequestParameters>
<AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<!-- NOTE(review): https here, but audienceUris under microsoft.identityModel lists http://127.0.0.1:81/.
The audience check compares the token's AppliesTo with the configured audienceUris, so the two must agree
(or both forms must be listed). Confirm which scheme the site is actually bound on. -->
<Address>https://127.0.0.1:81/</Address>
</EndpointReference>
</AppliesTo>
</additionalRequestParameters>
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" isOptional="true" />
<add claimType="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" isOptional="true" />
</claimTypeRequirements>
<!-- Host is spelled XXXXYYYY here but XXXYYYY in trustedIssuers and appSettings; presumably just redaction,
otherwise the issuer names do not match. -->
<issuerMetadata address="https://XXXXYYYY.accesscontrol.windows.net/v2/wstrust/mex" />
</issuedTokenParameters>
</secureConversationBootstrap>
</security>
<httpsTransport />
</binding>
</customBinding>
</bindings>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<microsoft.identityModel>
<service>
<audienceUris>
<!-- See the AppliesTo address in the binding above: that one uses https for the same host and port. -->
<add value="http://127.0.0.1:81/" />
</audienceUris>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<!-- "THUMBPRINT HERE" is a placeholder; it must be the thumbprint of the ACS token signing certificate
(published in the ACS FederationMetadata). With certificateValidationMode="None" below, this thumbprint
is the only trust anchor for incoming tokens. -->
<add thumbprint="THUMBPRINT HERE" name="https://XXXYYYY.accesscontrol.windows.net/" />
</trustedIssuers>
</issuerNameRegistry>
<!-- None disables X.509 validation (chain and revocation) of the signing certificate. Fine for local
testing against the thumbprint above; not a deployment setting. -->
<certificateValidation certificateValidationMode="None" />
</service>
</microsoft.identityModel>
<appSettings>
<!-- NOTE: the value ends with a trailing space after ".xml"; remove it. It is presumably trimmed by the
consumer, but a URL with trailing whitespace is easy to mis-parse. -->
<add key="FederationMetadataLocation" value="https://XXXYYYY.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml " />
</appSettings>
</configuration>
編集: 実装の詳細として、動作拡張要素は次のとおりです (現在は呼び出されていません)。
/// <summary>
/// Configuration element that lets the <c>&lt;sessionExtension/&gt;</c> behavior element
/// in web.config instantiate an <see cref="RsaSessionServiceBehavior"/>.
/// WCF only calls <see cref="CreateBehavior"/> when the element is registered under
/// extensions/behaviorExtensions and the enclosing service behavior is actually applied.
/// </summary>
public class RsaSessionServiceBehaviorExtension : BehaviorExtensionElement
{
    /// <summary>Type of the behavior produced by this element.</summary>
    public override Type BehaviorType
    {
        get { return typeof(RsaSessionServiceBehavior); }
    }

    /// <summary>Creates a fresh <see cref="RsaSessionServiceBehavior"/> instance.</summary>
    /// <returns>The new behavior object.</returns>
    protected override object CreateBehavior()
    {
        RsaSessionServiceBehavior behavior = new RsaSessionServiceBehavior();
        return behavior;
    }
}
構成内の名前空間とアセンブリ名は正しいです。トークンの検証を確認するためのコードは他にもありますが、私の考えでは、少なくとも MEX は公開されるべきで、先に進むには CreateBehavior() が呼び出される必要があります。