Problem description
Thanks to Gaurav Mantri for answering my earlier question Azure ACS Set Up in C#.
However, can someone explain to me how the following line is secured?
if (!ClaimsPrincipal.Current.Identity.IsAuthenticated)
The client in the ACS schema is conveniently a man in the middle; he might fail logging in to Facebook, for example, and this gets relayed to ACS (I'm assuming this portion is secured), but now ACS is telling the client to go back to the relying party about the failure.
How is that last part secured? What stops the client from tampering with the ACS message, changing "Fail" to "Success"? How would Asp.Net even know how to verify the signature and decrypt the message?
For that matter, what key was it using to encrypt/sign the message exchange? And how would that work in a webfarm/Azure environment?
Recommended answer
You specify the key which will be used for the message exchange.
When you configure Azure ACS in the management portal, you specify the private key which will be used to sign tokens (Certificates and Keys tab).
When you configure the web application to use Azure ACS, a reference to the certificate used to validate the signature is added to web.config:
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
  <authority name="https://xxxxx.accesscontrol.windows.net/">
    <keys>
      <add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
    </keys>
    <validIssuers>
      <add name="https://xxxxx.accesscontrol.windows.net/" />
    </validIssuers>
  </authority>
</issuerNameRegistry>
Update
<RequestSecurityTokenResponse>
  <Lifetime>
    <Created>2013-06-19T06:15:16.618Z</Created>
    <Expires>2013-06-19T07:15:16.618Z</Expires>
  </Lifetime>
  <AppliesTo>
    <EndpointReference>
      <Address>http://xxx.cloudapp.net/</Address>
    </EndpointReference>
  </AppliesTo>
  <RequestedSecurityToken>
    <Assertion ID="xxx" IssueInstant="2013-06-19T06:15:16.636Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <Issuer>https://xxx.accesscontrol.windows.net/</Issuer>
      <Signature>
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <Reference URI="xxx">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <DigestValue>xxx</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>xxx</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>xxx</X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
      <Subject>
        <NameID>iiiii</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
      </Subject>
      <Conditions NotBefore="2013-06-19T06:15:16.618Z" NotOnOrAfter="2013-06-19T07:15:16.618Z">
        <AudienceRestriction><Audience>http://xxx.cloudapp.net/</Audience></AudienceRestriction>
      </Conditions>
      <AttributeStatement>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>aaa</AttributeValue></Attribute>
      </AttributeStatement>
      <AuthnStatement AuthnInstant="2013-06-19T06:15:15.999Z">
        <AuthnContext>
          <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
        </AuthnContext>
      </AuthnStatement>
    </Assertion>
  </RequestedSecurityToken>
</RequestSecurityTokenResponse>
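The answer shows the configuration and the token, but not the check that runs between them. The following is an added example, written for this page and not code from the question, the answer, or ACS itself; it performs in C# what the WIF 4.5 pipeline does with the web.config above before `ClaimsPrincipal.Current.Identity.IsAuthenticated` can ever be true. It uses the in-box `ConfigurationBasedIssuerNameRegistry` instead of the `ValidatingIssuerNameRegistry` from the answer's web.config (both map a pinned certificate thumbprint to the ACS issuer name), and the issuer, thumbprint and realm constants are placeholders standing in for the masked values in the answer. Note that only the public certificate is needed on the relying party, which is also why the same web.config works unchanged on every node of a web farm: the private key stays in ACS and is never deployed.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Xml;

// Hypothetical helper (not part of the question or answer) that validates a SAML 2.0
// assertion issued by ACS the way WIF does when the web.config above is in place.
public static class AcsTokenValidator
{
    // Placeholders for the values the answer shows masked; taken from the ACS portal.
    const string AcsIssuer = "https://xxxxx.accesscontrol.windows.net/";
    const string AcsSigningCertThumbprint = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    const string RelyingPartyRealm = "http://xxx.cloudapp.net/";

    static SecurityTokenHandlerConfiguration BuildConfiguration()
    {
        var config = new SecurityTokenHandlerConfiguration();

        // Code equivalent of the <issuerNameRegistry> block: a token is attributed to
        // AcsIssuer only if its signature verifies under the certificate with this
        // thumbprint. Only the public certificate is involved; the private key never
        // leaves ACS, so nothing on the web server (or in the browser) can re-sign a token.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(AcsSigningCertThumbprint, AcsIssuer);
        config.IssuerNameRegistry = registry;

        // Enforce the token's <AudienceRestriction>: a token minted for another
        // relying party is rejected even though its signature is valid.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyRealm));

        // The signing key is pinned by thumbprint, so X.509 chain building adds nothing here.
        config.CertificateValidator = X509CertificateValidator.None;
        return config;
    }

    // Returns the claims carried by an <Assertion> like the one in the answer, or throws
    // if the assertion was altered, has expired, or was issued for another audience.
    public static ClaimsPrincipal Validate(string assertionXml)
    {
        var handler = new Saml2SecurityTokenHandler { Configuration = BuildConfiguration() };
        using (var reader = XmlReader.Create(new StringReader(assertionXml)))
        {
            SecurityToken token = handler.ReadToken(reader);

            // ValidateToken verifies the enveloped XML signature with the certificate in
            // <KeyInfo>/<X509Certificate>, checks that certificate's thumbprint against the
            // registry, and enforces <Conditions> (NotBefore / NotOnOrAfter, <Audience>).
            var identities = handler.ValidateToken(token);
            return new ClaimsPrincipal(identities);
        }
    }

    // Answers the "Fail" -> "Success" question from the post: the digest in <SignedInfo>
    // covers the whole <Assertion>, so changing any byte of it (a claim value, the
    // lifetime, the audience) makes verification fail and the token is refused.
    public static bool IsAcceptable(string assertionXml)
    {
        try
        {
            return Validate(assertionXml).Identity.IsAuthenticated;
        }
        catch (SecurityTokenException)   // signature, issuer, audience or lifetime rejected
        {
            return false;
        }
        catch (CryptographicException)   // malformed or unverifiable <Signature>
        {
            return false;
        }
    }
}
```

Two things worth keeping in mind when reading this against the question. First, the token is signed, not encrypted: ACS does not need to encrypt the assertion for the relying party to trust it, and the client can read it but cannot change it without breaking the RSA-SHA256 signature whose public half is pinned by thumbprint. Second, the "Fail" case never becomes a token at all; ACS simply issues no assertion, so there is nothing for the client to edit, and `IsAuthenticated` stays false because no validated identity was ever produced.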
This concludes the article "How is Azure ACS authentication secured?"; we hope the recommended answer is helpful, and thank you for your support!