Claims Base

Configuring WIF manually

First add references to the two assemblies System.IdentityModel and System.IdentityModel.Services [![](http://1.bp.blogspot.com/-JeEQBHGiBCA/Uy-gIfqaWrI/AAAAAAAABHg/CKFEhn8Di6I/s1600/01.add+component.png)](http://1.bp.blogspot.com/-JeEQBHGiBCA/Uy-gIfqaWrI/AAAAAAAABHg/CKFEhn8Di6I/s1600/01.add+component.png) Then add a few settings to web.config. Start with the configSection entries for these two assemblies:

```xml
<configSections>
  <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
```

Next, in the system.web section, set the site's authentication mode to None and deny anonymous users:

```xml
<system.web>
  <authentication mode="None" />
  <authorization>
    <deny users="?" />
  </authorization>
  <compilation debug="true" targetFramework="4.5"/>
  <httpRuntime targetFramework="4.5"/>
</system.web>
```

Then, in the system.webServer section, enable the two HttpModules:

```xml
<system.webServer>
  <modules>
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  </modules>
</system.webServer>
```

Finally, add the WIF settings:

```xml
<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="http://localhost:12345/" />
    </audienceUris>
    <securityTokenHandlers>
      <add type="
```
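The post breaks off inside the system.identityModel section. As an added example (not taken from the original post), the fragment below shows the rest of the settings a reviewer would check on a WS-Federation relying party: the audience restriction, a pinned token-signing issuer, and HTTPS enforced on both the sign-in redirect and the session cookie. The hostnames, realm and thumbprint are placeholders, not values from the post.

```xml
<!-- Added example, not from the original post. adfs.example.local, the realm
     and the thumbprint are placeholders; replace them with your own values. -->
<system.identityModel>
  <identityConfiguration>
    <!-- A token whose Audience does not match an entry here is rejected.
         The value must equal the identifier entered in the ADFS relying
         party trust, trailing slash included. -->
    <audienceUris>
      <add value="https://localhost:12345/" />
    </audienceUris>
    <!-- Only tokens signed by the listed certificate are accepted. The
         thumbprint is that of the ADFS token-signing certificate; the name
         becomes the Issuer value on the resulting claims. -->
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <trustedIssuers>
        <add thumbprint="0000000000000000000000000000000000000000" name="http://adfs.example.local/adfs/services/trust" />
      </trustedIssuers>
    </issuerNameRegistry>
    <!-- A self-signed token-signing certificate has no trusted chain, so a
         lab setup needs PeerOrChainTrust; with a CA-issued certificate,
         ChainTrust is the stricter choice. -->
    <certificateValidation certificateValidationMode="PeerOrChainTrust" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <!-- The WIF session cookie is only ever sent over HTTPS. -->
    <cookieHandler requireSsl="true" />
    <!-- issuer is the ADFS passive endpoint; realm is the wtrealm sent to
         ADFS and must match the RP identifier above. requireHttps rejects
         a plain-http realm or reply address. -->
    <wsFederation passiveRedirectEnabled="true"
                  issuer="https://adfs.example.local/adfs/ls/"
                  realm="https://localhost:12345/"
                  requireHttps="true" />
  </federationConfiguration>
</system.identityModel.services>
```

Without the issuerNameRegistry entry, a token signed by any certificate that passes certificate validation would be accepted, so the thumbprint pin is the check that ties the application to one specific STS.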


ADFS 2.0: Configuring a Claims-Aware Application with VS2013

First create a new Web project [![](http://4.bp.blogspot.com/-frB8XFpPq-M/Uv2_nlHATGI/AAAAAAAABGE/7bdvPVOlIGM/s1600/01.png)](http://4.bp.blogspot.com/-frB8XFpPq-M/Uv2_nlHATGI/AAAAAAAABGE/7bdvPVOlIGM/s1600/01.png) This example uses an MVC project; choose Change Authentication [![](http://1.bp.blogspot.com/-EQ_0_80Szks/Uv2_nuTN4XI/AAAAAAAABGU/KMEiOWyKHHs/s1600/02.png)](http://1.bp.blogspot.com/-EQ_0_80Szks/Uv2_nuTN4XI/AAAAAAAABGU/KMEiOWyKHHs/s1600/02.png) Change the authentication to Organizational Accounts and the sign-in mode to On-Premises, then enter the URL of FederationMetadata.xml and the application's URL, which must use SSL [![](http://2.bp.blogspot.com/-WUWRhLcsXsk/Uv2_oQgw0kI/AAAAAAAABHQ/H9QJB3QEHA0/s1600/03.png)](http://2.bp.blogspot.com/-WUWRhLcsXsk/Uv2_oQgw0kI/AAAAAAAABHQ/H9QJB3QEHA0/s1600/03.png) The location of FederationMetadata.xml can be found in ADFS under Service >> Endpoints [![](http://1.bp.blogspot.com/-bDrc3om0kn8/Uv2_n9UMtUI/AAAAAAAABGM/VL4uWs_8kEw/s1600/03-1.png)](http://1.bp.blogspot.com/-bDrc3om0kn8/Uv2_n9UMtUI/AAAAAAAABGM/VL4uWs_8kEw/s1600/03-1.png) With the authentication changed to Organizational Authentication (On-Premises), click OK to create the new project [![](http://2.bp.blogspot.com/-erHnn5RET2c/Uv2_oYDieJI/AAAAAAAABGc/01T-6PJBLqw/s1600/04.png)](http://2.bp.blogspot.com/-erHnn5RET2c/Uv2_oYDieJI/AAAAAAAABGc/01T-6PJBLqw/s1600/04.png) After deploying the site to IIS, browse to the site's URL to test it; because the SSL certificate is self-issued, a warning appears [![](http://3.bp.blogspot.com/-zYDsYTeus3I/Uv2_ozmIA3I/AAAAAAAABGk/gDEDCuTTjHo/s1600/05.png)](http://3.bp.blogspot.com/-zYDsYTeus3I/Uv2_ozmIA3I/AAAAAAAABGk/gDEDCuTTjHo/s1600/05.png) Next you are redirected to the STS for authentication, where the same SSL warning appears [![](http://4.bp.blogspot.com/-SVRzTLtiLdo/Uv2_pLZkSnI/AAAAAAAABGs/zJuMX9PP9qE/s1600/06.png)](http://4.bp.blogspot.com/-SVRzTLtiLdo/Uv2_pLZkSnI/AAAAAAAABGs/zJuMX9PP9qE/s1600/06.png) By default a dialog then pops up asking for your username and password [![](http://3.bp.blogspot.com/-b9N82h1FKKw/Uv2_pfF1y0I/AAAAAAAABG0/V_Df7_i5o90/s1600/07.png)](http://3.bp.blogspot.com/-b9N82h1FKKw/Uv2_pfF1y0I/AAAAAAAABG0/V_Df7_i5o90/s1600/07.png) To use a sign-in page instead, edit the ADFS web.config [![](http://4.bp.blogspot.com/-pokmnOGYPjo/Uv2_qC7sxYI/AAAAAAAABHI/NDSCVtUDzKs/s1600/09.png)](http://4.bp.blogspot.com/-pokmnOGYPjo/Uv2_qC7sxYI/AAAAAAAABHI/NDSCVtUDzKs/s1600/09.png) Find the localAuthenticationTypes section and move the Forms entry to the top.
To use a custom sign-in page, replace the page named in that entry's page attribute:

```xml
<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <!-- Move Forms to the top; its page attribute is the sign-in page -->
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="Integrated" page="auth/integrated/" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
  </localAuthenticationTypes>
  <commonDomainCookie writer="" reader="" />
  <context hidden="true" />
  <error page="Error.aspx" />
  <acceptedFederationProtocols saml="true" wsFederation="true" />
  <homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
  <persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
  <singleSignOn enabled="true" />
</microsoft.identityServer.web>
</configuration>
```

Sign-in then uses an ordinary login page.


ADFS 2.0: Adding a Relying Party Trust

Now add an RP (Relying Party) [![](http://2.bp.blogspot.com/-vLPrmmAQ0U8/Uv2JXZQ1VfI/AAAAAAAABC8/eeIGdQSZH4M/s1600/01.png)](http://2.bp.blogspot.com/-vLPrmmAQ0U8/Uv2JXZQ1VfI/AAAAAAAABC8/eeIGdQSZH4M/s1600/01.png) The wizard's first screen [![](http://2.bp.blogspot.com/-Mua3r26Sssg/Uv2JXWvLLVI/AAAAAAAABDI/2ge-kfXg504/s1600/02.png)](http://2.bp.blogspot.com/-Mua3r26Sssg/Uv2JXWvLLVI/AAAAAAAABDI/2ge-kfXg504/s1600/02.png) This example enters the data manually [![](http://3.bp.blogspot.com/-b3dHsdW6Lgc/Uv2JYmulxHI/AAAAAAAABDw/nlRPavaRvww/s1600/03.png)](http://3.bp.blogspot.com/-b3dHsdW6Lgc/Uv2JYmulxHI/AAAAAAAABDw/nlRPavaRvww/s1600/03.png) Enter a display name that people can recognise [![](http://3.bp.blogspot.com/-ZjIYsxbZCrQ/Uv2JYNqfZgI/AAAAAAAABDM/MfI-6QVNz2Y/s1600/04.png)](http://3.bp.blogspot.com/-ZjIYsxbZCrQ/Uv2JYNqfZgI/AAAAAAAABDM/MfI-6QVNz2Y/s1600/04.png) Choose the AD FS 2.0 profile [![](http://1.bp.blogspot.com/-9ilWycLTR5E/Uv2JYdrP3NI/AAAAAAAABDY/OOm8gKBttTs/s1600/05.png)](http://1.bp.blogspot.com/-9ilWycLTR5E/Uv2JYdrP3NI/AAAAAAAABDY/OOm8gKBttTs/s1600/05.png) This simple example does not encrypt tokens, so just click Next [![](http://1.bp.blogspot.com/-EHbTfRL4WUk/Uv2JYx32YjI/AAAAAAAABDg/iMoh1N6aRxI/s1600/06.png)](http://1.bp.blogspot.com/-EHbTfRL4WUk/Uv2JYx32YjI/AAAAAAAABDg/iMoh1N6aRxI/s1600/06.png) Enable support for the WS-Federation Passive protocol; note the SSL and the trailing / [![](http://2.bp.blogspot.com/-zgPv-ndCWn8/Uv2KjlZzWRI/AAAAAAAABE4/qKrCLGZ-uHo/s1600/07.png)](http://2.bp.blogspot.com/-zgPv-ndCWn8/Uv2KjlZzWRI/AAAAAAAABE4/qKrCLGZ-uHo/s1600/07.png) The identifier here is what the application checks, i.e. audienceUris [![](http://2.bp.blogspot.com/-KVQ9oz9PfYM/Uv2JaIn9wnI/AAAAAAAABEQ/M04yyBNT8bU/s1600/08.png)](http://2.bp.blogspot.com/-KVQ9oz9PfYM/Uv2JaIn9wnI/AAAAAAAABEQ/M04yyBNT8bU/s1600/08.png) Permit all users access [![](http://3.bp.blogspot.com/-lqmg6yTu6YA/Uv2JaPAqK1I/AAAAAAAABD0/xP9qJb5EQfc/s1600/09.png)](http://3.bp.blogspot.com/-lqmg6yTu6YA/Uv2JaPAqK1I/AAAAAAAABD0/xP9qJb5EQfc/s1600/09.png) Ready to add the trust [![](http://1.bp.blogspot.com/-9gtrMYiSYlY/Uv2Jaq2uxWI/AAAAAAAABD4/xppCp5yhdXk/s1600/10.png)](http://1.bp.blogspot.com/-9gtrMYiSYlY/Uv2Jaq2uxWI/AAAAAAAABD4/xppCp5yhdXk/s1600/10.png)
The trust is added; next, add the data to be transformed [![](http://1.bp.blogspot.com/-FUHvQGzfAuI/Uv2Ja7_86YI/AAAAAAAABEM/gs0YHRPEfaE/s1600/11.png)](http://1.bp.blogspot.com/-FUHvQGzfAuI/Uv2Ja7_86YI/AAAAAAAABEM/gs0YHRPEfaE/s1600/11.png) Add a rule under Issuance Transform Rules [![](http://1.bp.blogspot.com/-K-Dv1xXNaoE/Uv2MIkLNe7I/AAAAAAAABFM/kOth2Ps7GgE/s1600/12.png)](http://1.bp.blogspot.com/-K-Dv1xXNaoE/Uv2MIkLNe7I/AAAAAAAABFM/kOth2Ps7GgE/s1600/12.png) This example uses LDAP attributes [![](http://1.bp.blogspot.com/-Q39atvMpEj4/Uv2JcK2Jq2I/AAAAAAAABEc/DIpVLn9xyIE/s1600/13.png)](http://1.bp.blogspot.com/-Q39atvMpEj4/Uv2JcK2Jq2I/AAAAAAAABEc/DIpVLn9xyIE/s1600/13.png) Map the LDAP attributes to the outgoing claim types [![](http://3.bp.blogspot.com/-UwzwR31Cm84/Uv26uGcbNCI/AAAAAAAABFo/jEdouWyYxHE/s1600/14.png)](http://3.bp.blogspot.com/-UwzwR31Cm84/Uv26uGcbNCI/AAAAAAAABFo/jEdouWyYxHE/s1600/14.png) The transform rules are set up [![](http://1.bp.blogspot.com/-M6SbsGmKqCA/Uv27ST1MLuI/AAAAAAAABFw/OV4YcWFN93w/s1600/15.png)](http://1.bp.blogspot.com/-M6SbsGmKqCA/Uv27ST1MLuI/AAAAAAAABFw/OV4YcWFN93w/s1600/15.png) The RP is now added.


ADFS 2.0: Installation and Configuration

The ADFS built into Windows Server 2008 is version 1.0; to install version 2.0 you have to download and install it manually. The installation is quite simple, with only a few settings, so let's begin [![](http://2.bp.blogspot.com/-8oaOTcFeeUM/Uv153SrSAJI/AAAAAAAABAI/_xcSqiyUb78/s1600/01.png)](http://2.bp.blogspot.com/-8oaOTcFeeUM/Uv153SrSAJI/AAAAAAAABAI/_xcSqiyUb78/s1600/01.png) Accept the license agreement to continue [![](http://3.bp.blogspot.com/-zfdsDgP6C_o/Uv155lilVpI/AAAAAAAABAg/K6MXCm1D1vY/s1600/02.png)](http://3.bp.blogspot.com/-zfdsDgP6C_o/Uv155lilVpI/AAAAAAAABAg/K6MXCm1D1vY/s1600/02.png) This example installs a Federation Server [![](http://2.bp.blogspot.com/-TPgO9T-t-rQ/Uv155nOki4I/AAAAAAAABAc/pdUeIXJ0-4k/s1600/03.png)](http://2.bp.blogspot.com/-TPgO9T-t-rQ/Uv155nOki4I/AAAAAAAABAc/pdUeIXJ0-4k/s1600/03.png) Installing the prerequisite software takes a little while [![](http://3.bp.blogspot.com/-9ABxhIV9Vrk/Uv155hp8kwI/AAAAAAAABAk/KoOfO_MZEqk/s1600/04.png)](http://3.bp.blogspot.com/-9ABxhIV9Vrk/Uv155hp8kwI/AAAAAAAABAk/KoOfO_MZEqk/s1600/04.png) Installed [![](http://2.bp.blogspot.com/-Ja5YY_KbBjo/Uv16-xCBwPI/AAAAAAAABAs/j8g0Pt4u-ro/s1600/05.png)](http://2.bp.blogspot.com/-Ja5YY_KbBjo/Uv16-xCBwPI/AAAAAAAABAs/j8g0Pt4u-ro/s1600/05.png) First configure the federation server [![](http://4.bp.blogspot.com/-B-lvhmoco5Q/Uv17Q77tGcI/AAAAAAAABA0/m4Km-nc3HFo/s1600/06.png)](http://4.bp.blogspot.com/-B-lvhmoco5Q/Uv17Q77tGcI/AAAAAAAABA0/m4Km-nc3HFo/s1600/06.png) Create a new Federation Server [![](http://2.bp.blogspot.com/-Hb97KqSKg6g/Uv17sparJoI/AAAAAAAABBA/IkZrSc_m_-8/s1600/07.png)](http://2.bp.blogspot.com/-Hb97KqSKg6g/Uv17sparJoI/AAAAAAAABBA/IkZrSc_m_-8/s1600/07.png) Choose a stand-alone federation server [![](http://1.bp.blogspot.com/-BAPk5nzxTqA/Uv17suHq9_I/AAAAAAAABBE/akZowV4m6HA/s1600/08.png)](http://1.bp.blogspot.com/-BAPk5nzxTqA/Uv17suHq9_I/AAAAAAAABBE/akZowV4m6HA/s1600/08.png) An SSL certificate is required here; for testing you can first sign one locally [![](http://1.bp.blogspot.com/-MIrq5V6eH6U/Uv17uHJvnfI/AAAAAAAABBQ/xLL6V9qs770/s1600/09.png)](http://1.bp.blogspot.com/-MIrq5V6eH6U/Uv17uHJvnfI/AAAAAAAABBQ/xLL6V9qs770/s1600/09.png) Open IIS and choose Server Certificates
[![](http://2.bp.blogspot.com/-QKFxIEJEwxE/Uv1_alnCAxI/AAAAAAAABBk/TiPelyRZmqM/s1600/09-1.png)](http://2.bp.blogspot.com/-QKFxIEJEwxE/Uv1_alnCAxI/AAAAAAAABBk/TiPelyRZmqM/s1600/09-1.png) Create Self-Signed Certificate [![](http://4.bp.blogspot.com/-Go2cqtUcxPo/Uv1_alfZIMI/AAAAAAAABBs/J0A94Qjv784/s1600/09-2.png)](http://4.bp.blogspot.com/-Go2cqtUcxPo/Uv1_alfZIMI/AAAAAAAABBs/J0A94Qjv784/s1600/09-2.png) Enter an easy-to-remember name [![](http://2.bp.blogspot.com/-dtCY5ofn_3o/Uv1_aqVRRuI/AAAAAAAABBc/vV5fSUYDcwo/s1600/09-3.png)](http://2.bp.blogspot.com/-dtCY5ofn_3o/Uv1_aqVRRuI/AAAAAAAABBc/vV5fSUYDcwo/s1600/09-3.png) Created [![](http://1.bp.blogspot.com/-M97EKTrKQd8/Uv2CFsOglHI/AAAAAAAABCo/Qj5mN4mE6f0/s1600/10.png)](http://1.bp.blogspot.com/-M97EKTrKQd8/Uv2CFsOglHI/AAAAAAAABCo/Qj5mN4mE6f0/s1600/10.png) Back in the ADFS configuration screen, the newly created certificate should now be listed [![](http://1.bp.blogspot.com/-rSNULMrzuOU/Uv2CFqQfTlI/AAAAAAAABCk/gRApUbBZgvY/s1600/11.png)](http://1.bp.blogspot.com/-rSNULMrzuOU/Uv2CFqQfTlI/AAAAAAAABCk/gRApUbBZgvY/s1600/11.png) Ready [![](http://2.bp.blogspot.com/-q4ony3w5zK4/Uv1_cII8q4I/AAAAAAAABCI/w-Xw_27Yudg/s1600/12.png)](http://2.bp.blogspot.com/-q4ony3w5zK4/Uv1_cII8q4I/AAAAAAAABCI/w-Xw_27Yudg/s1600/12.png) Now let the wizard run for a while [![](http://2.bp.blogspot.com/-p9arEluH2uQ/Uv1_cFRVsyI/AAAAAAAABCM/_Gorjg0QsB8/s1600/13.png)](http://2.bp.blogspot.com/-p9arEluH2uQ/Uv1_cFRVsyI/AAAAAAAABCM/_Gorjg0QsB8/s1600/13.png) Installation is complete.