问题描述

基于WIF的WCF服务需要调用方法，或放置等效的，即可正常工作。这是服务级别的设置，换句话说，它适用于所有端点。

A WIF-based WCF service needs to call method FederatedServiceCredentials.ConfigureServiceHost(), or put the equivalent element <federatedServiceHostConfiguration> in the web.config file, to work. This is a setting on the service level, in other words it applies for all endpoints.

根据方法文档， ServiceHostBase 实例以几种特定于WIF的方式进行了修改。例如，授权被基于WIF的授权类代替。

According to the method documentation, the ServiceHostBase instance is modified in several WIF-specific ways. For example, the authorization is replaced by a WIF-based authorization class.

现在，我想拥有一个< service> （在< system.serviceModel>< services> 内部）具有多个< endpoint> ，其中一个端点是基于WIF的，而其他端点则使用普通的Windows身份验证。

Now I'd like to have a single <service> (inside <system.serviceModel><services>) with multiple <endpoint>s, where one endpoint is WIF-based, and the others are using plain Windows authentication.

因此，基本上，我们希望能够在没有AD FS的情况下进行安装，以降低进入应用程序的障碍。

So basically we want to be able to install without AD FS to lower the barrier to entry of our application.

为此，< service> 需要一个< federatedServiceHostConfiguration> 。但是-这是我的问题-这也会影响同一服务的非WIF端点：例如，它们突然使用WIF授权管理器（）。

To do this, the <service> needs a <federatedServiceHostConfiguration>. However -- and here is my problem -- this affects also the non-WIF endpoints for that same service: for example, they suddenly use the WIF authorization manager (an instance of class ClaimsAuthorizationManager).

所以我的问题是：在单个WCF < service> 中将WIF和非WIF端点混合的推荐方法是什么？ ？

So my question is: what is the recommended way to mix WIF and non-WIF endpoints in a single WCF <service>?

推荐答案

我认为您不能。但是，根据您的情况，您应该只让一个WIF端点将多凭证支持留给STS。

I don't think you can. In your situation though, you should only have the one WIF endpoint have leave the multiple credential support to the STS.

您可以在STS上放置多个端点，以处理不同类型的身份验证。一个用于Windows，一个用于用户名/密码。

You can put multiple endpoints on your STS to handle different types of authentication. One for Windows, one for username/password for example.

我去年进行了一次代码露营盎司会议，就证明了这一点。来源附在我的博客文章中，网址为。看看 NotAWif Demo\4-身份委托\NotAWif.DelegationSTS 中的web.config。

I did a code camp oz session last year that demonstrated this. The source is attached to my blog post at http://www.neovolve.com/post/2010/11/21/CodeCampOz-Not-a-WIF-of-federation.aspx. Have a look at the web.config in NotAWif Demo\4 - Identity Delegation\NotAWif.DelegationSTS.

<system.serviceModel>
  <services>
    <service behaviorConfiguration="ServiceBehavior"
                    name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract">

      <endpoint address="UserName/IWSTrust13"
                        binding="ws2007HttpBinding"
                        bindingConfiguration="ws2007HttpBindingUserNameConfiguration"
                        contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

      <endpoint address="Windows/IWSTrust13"
                binding="ws2007HttpBinding"
                bindingConfiguration="ws2007HttpBindingWindowsConfiguration"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

      <endpoint address="mex"
                        binding="mexHttpsBinding"
                        contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="https://localhost/NotAWif.DelegationSTS/Service.svc" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <bindings>
    <ws2007HttpBinding>
      <binding name="ws2007HttpBindingUserNameConfiguration">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None">
            <extendedProtectionPolicy policyEnforcement="Never" />
          </transport>
          <message clientCredentialType="UserName"
                                establishSecurityContext="false" />
        </security>
      </binding>
      <binding name="ws2007HttpBindingWindowsConfiguration">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None">
            <extendedProtectionPolicy policyEnforcement="Never" />
          </transport>
          <message clientCredentialType="Windows"
                                establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <serviceCertificate findValue="DefaultApplicationCertificate"
                                          x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

这是我配置STS以支持多种身份验证的方式。 RP应该只处理版权声明，而不应该处理Claims | WindowsIdentity。 STS负责将特定类型的身份验证转换为RP将使用的一组声明。

This is how I configured the STS to support multiple types of authentication. The RP should only deal in claims, not claims|WindowsIdentity. It is the STS's responsibility to convert a particular type of authentication into a set of claims that the RP will use.

这篇关于如何在单个WCF< service>中混合WIF和非WIF端点？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！