We are creating a WCF Service that has to conform to a pre-defined WSDL. One of the requirements is that the Timestamp, all WS-addressing and and message body should be signed.
To achieve this, we added the following CustomBinding;
var secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
secBE.EnableUnsecuredResponse = true;
secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
secBE.IncludeTimestamp = true;
secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
secBE.AllowSerializedSigningTokenOnReply = true;
secBE.RecipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
//Create binding element for encoding
var mtomBE = new MtomMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
//Create binding element for transport
var httpsBE = new HttpsTransportBindingElement();
httpsBE.RequireClientCertificate = false;
httpsBE.AuthenticationScheme = AuthenticationSchemes.Anonymous;
CustomBinding binding = new CustomBinding();
binding.Elements.Add(secBE);
binding.Elements.Add(mtomBE);
binding.Elements.Add(httpsBE);
The client certificate is used, but we host the endpoint on Azure and the certificate will be moved to a 'X-ARR-ClientCert'-header so we can't make use of the built-in certificate validator that's enabled using RequireClientCertificate = true.
I've enabled a trace and the following exception is thrown when receiving a request from the client:
<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The security header element 'Timestamp' with the 'wssecurity_signature_id_1803' id must be signed.</Message>
When looking at the request message, the following headers are included;
<MessageHeaders>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:BinarySecurityToken>
<!-- Removed-->
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds soapenc soapenv wsa wsse xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#wssecurity_signature_id_1799">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1800">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1801">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="p324 soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1802">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1803">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsse wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1804">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue><!-- Removed--></ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#x509bst_1805" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="wssecurity_signature_id_1803"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2021-04-07T07:25:47.641Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
<wsa:To wsu:Id="wssecurity_signature_id_1802"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:To>
<wsa:Action wsu:Id="wssecurity_signature_id_1804"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:Action>
<wsa:MessageID wsu:Id="wssecurity_signature_id_1799"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:44bf184f-c7af-4efc-9385-cda168692d60</wsa:MessageID>
<wsa:ReplyTo wsu:Id="wssecurity_signature_id_1800"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
</MessageHeaders>
I have no control over the request message that is sent to our WCF service, so everything has to be fixed server-side. Why is the timestamp not detected as signed?
I changed a few things and it started working. Firstly the AsymmetricSecurityBindingElement;
Set EnableUnsecuredResponse to false.
Added SecurityHeaderLayout that defaults to "Strict" and set it to "SecurityHeaderLayout.LaxTimestampLast".
Then, I added a custom MessageEncodingBindingElement that implements a custom MessageEncoder. This encoder adds the To and MessageID headers although I do not think this was the problem.
Related
I am new to Apache and SAML. I have below configuration in my my_app_httpd.conf file which redirects un-authenticated request to OKTA which is working fine.
<Location />
ErrorDocument 401 "/simplesaml/module.php/core/authenticate.php?as=default-sp"
</Location>
But after authentication when SAML response is received, apache doesn't understand and it redirects again for authentication on same url. This causes indefinite loop.
Can anyone please tell me how can I setup apache configuration so that it understands that OKTA has authenticated request and it should allow access to web page.
Below is response SAML.
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://10.184.10.216/nagios"
ID="id3356034041494549348655095"
InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
IssueInstant="2018-07-09T19:31:46.388Z"
Version="2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id3356034041494549348655095">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>D6hXy7yCw4MpfQjE+vcACd3WedArnDr7d4jFjEt5yvw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>hidden</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>hidden</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id33560340415149882013321527"
IssueInstant="2018-07-09T19:31:46.388Z"
Version="2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id33560340415149882013321527">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>6dGcam+MkWY7/0LWUEoV7U40u/Qb7694fnbwERfTEhE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>hidden</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>hiddendata</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">emailofuser</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
NotOnOrAfter="2018-07-09T19:36:46.388Z"
Recipient="http://10.184.10.216/nagios"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2018-07-09T19:26:46.388Z"
NotOnOrAfter="2018-07-09T19:36:46.388Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>http://10.184.10.216/nagios/</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2018-07-09T19:31:46.388Z"
SessionIndex="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="FirstName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>username</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Nataliya</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>emailofuser</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
SimpleSAMLphp is usually used as a library in your application to authenticate users - it is not an apache module. You can use SSP's AuthMemCookie module to allow Apache to make use of the session data stored by SSP.
This seems like it should be handled natively so I am likely doing something wrong. I have a WCF client which calls an Active STS and uses the token from the RTSR to generate the WS-Security header included in the call to the RP. The RP requires that the header be signed, which seems a fair enough request. However, the WS-Security header generated by the client does not include a signature and I cannot see how to configured it to do so. The generated header is below. As can be seen it contains a signature for the assertion and the subjectconfirmationdata both of which are responsibilities of the STS. The "missing" header signature, in my limited understanding, is a responsibility of the client. So is what configuration/code that needs to be added in order to get a signature block that is a child element of the Security header much like the reference header below.
Client Generated WS-Security header
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2015-08-24T21:04:41.090Z</u:Created>
<u:Expires>2015-08-24T21:09:41.090Z</u:Expires>
</u:Timestamp>
<Assertion ID="_fea24920-d64c-4758-b51e-61208cb5084f" IssueInstant="2015-08-24T21:04:40.060Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">MySTS</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_fea24920-d64c-4758-b51e-61208cb5084f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/tfOnmKqjmkK8gH1GMNQ/XJ5gdtwzvcJTqxwiZJ7noQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dGz1dN9odSSpblmgczWWRG6tF66oonOHAVJCSC5uqjCOH+18cjJfX/duqb0sv1w0VxGsKIzR0VZ74V5Pq5MWsKQArIgEwO/wnUEOcKPI9J3KlL/IU7XLJNFtVO/ioKB4ps34S/5vZLB+WxXryz5ylBd5JvVFT7cf9R68kSxY9IurxELCGdhe/YIgJtgI6JsEoqqk7314sUZj8qrCy5zUbEVufyyStCI23OIunXPQceksa/csdaTmHFPNkYtHY8yUmyzT8aKBVKZVG2iluXySoi0TwTiVH+4ImGqXKV+VhUebCwqQwAur1IWAu+V/r7ZkW7C0384ATkMTmmLXRhom3g==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JoeTester#example.org</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<SubjectConfirmationData a:type="KeyInfoConfirmationDataType" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-08-24T20:59:36.114Z" NotOnOrAfter="2015-08-24T22:09:36.114Z"/>
<AttributeStatement>
<!-- attributes where here -->
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-08-24T21:04:36.130Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</o:Security>
The client side WCF Binding
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding>
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</ws2007HttpBinding>
<customBinding>
<binding>
<security authenticationMode="IssuedTokenOverTransport" requireSignatureConfirmation="true" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" messageProtectionOrder="EncryptBeforeSign"
keyEntropyMode="CombinedEntropy" includeTimestamp="true">
<issuedTokenParameters keyType="BearerKey" tokenType="urn:oasis:names:tc:SAML:2.0:assertion">
<issuer address="" binding="ws2007HttpBinding"/>
</issuedTokenParameters>
<localClientSettings></localClientSettings>
<secureConversationBootstrap />
</security>
<mtomMessageEncoding maxBufferSize="2147483647" />
<httpsTransport requireClientCertificate="true" maxBufferPoolSize="134217728" maxReceivedMessageSize="134217728" maxBufferSize="134217728" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" contract="IReplacable" name="*" />
</client>
</system.serviceModel>
</configuration>
Reference Security Header
<wsse:Security S:mustUnderstand="true" xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="timestamp1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2015-08-21T22:34:49.138Z</wsu:Created>
<wsu:Expires>2016-08-21T22:34:49.138Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion ID="a956b920-4956-47c6-8a05-8a3a56e418a0" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a956b920-4956-47c6-8a05-8a3a56e418a0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>guh8xR0Vu+3X3LlLAu7SJ0wCKXw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>2X2UmgJMLGQIzN73pxxyQZVVttnE8xAkPmScvFCX2zlrS7QdmqM+BoJswtmDImK9wAhXC0WtY17U C97Iw7brHrmNtQa3tM+4JClSCuW6SM6OjHn3qMLHiUJrpIZ1k0YAYfLcIF9S7x5lYFKUzWk+oOz1 3LMOMsjORXCssUpzd3BCOUhSSeg9+6b76ZyqTeaFqldn1OmG9jz3QS+h/vUo24h1ohKPJqEcE9sG 3Ab3LqyYv8ASVP9DsKRjOjxGKfhFT5WD9gW10IqQY2YGyYtguHfsyf05dPGBuXB8jaPZ3wgYsYXU FMmjRmuAYQkdQQRH8ju4HwtWdGnTtCQBRoqboA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2015-08-21T22:27:49.138Z" SessionIndex="123456">
<saml2:SubjectLocality/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509 </saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<!-- attributes-->
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit" Resource="">
<saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="_3e0d08ce-a126-45e8-b602-ac0c7ea075ce" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-08-21T21:34:49.138Z" NotOnOrAfter="2016-08-21T23:34:49.138Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4.123456789 </saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
</saml2:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#timestamp1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>qs//Jxv/CVrDvTxn8hYvdSe1pbY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>uf13RmBH95fP4o6x6eXC84+gkoLeZqLshw0ycm8t6HJP0+OtVEPZJbAw/UF2i2rzDk6oFE/Rxe1l /cks9HkIyNBEIwt2VY1hUldWfGd1cDq6Pi/H3EGuMasr42Qm8ObPCkSFqXhgowtIsSR9amo3e1KO YBsjYLnidcaZi7B1c6DjH1GozgSgdZDrYANUJr/KJ8zDDhGU09WXEuOekx41YvS4nWn/EHJbV+xf zKTN9ds+91PtFL1nnjqJT9BH4V2TvnRildsh7BeoMqQrXuePp7FxxgxCtg5tB15gDrNS1mOLorQZ 5UwqSrLp2/WkGkpzabMf2oN56lkiB6IHvsZ+Yg==</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">a956b920-4956-47c6-8a05-8a3a56e418a0</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
The headers are not signed since you are using bearer key token, as set in your configuration
<issuedTokenParameters keyType="BearerKey"...>
It needs to be either a symmetric key or asymmetrickey. Looking at your reference SOAP header, you'll need an asymmetrickey token.
The simplest way is to use ws2007FederationBinding. If you have to use a custom binding (as in your config), here is a sample config from MSDN at https://msdn.microsoft.com/en-us/library/aa734714(v=vs.100).aspx
<issuedTokenParameters
DefaultMessageSecurityVersion="System.ServiceModel.MessageSecurityVersion"
inclusionMode="AlwaysToInitiator/AlwaysToRecipient/Never/Once"
keySize="Integer"
keyType="AsymmetricKey/BearerKey/SymmetricKey"
tokenType="String" >
<additionalRequestParameters />
<claimTypeRequirements>
<add claimType="URI"
isOptional="Boolean" />
</claimTypeRequirements>
<issuer address="String"
binding=" " />
<issuerMetadata address="String" />
</issuedTokenParameters>
You can omit the issuer element and obtain the SAML token separately from your STS using WS-Trust, and use the token to secure your outgoing message to RP.
Java client wants to send SOAP request to my WCF service. SOAP header contains signature and certificate information, example:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-3767FCEC48BA3FC46A141268453194033" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-3767FCEC48BA3FC46A14126804973444">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>fsN0Bl7FcJhPTZFFOCvyIrLkcg/Oo9JhOpbv23VnnDI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gVdpmh...0b/1FHPatVA==</ds:SignatureValue>
<ds:KeyInfo Id="KI-3767FCEC48BA3FC46A141268453193931">
<wsse:SecurityTokenReference wsu:Id="STR-3767FCEC48BA3FC46A141268453193932">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDnjCCA...7Of</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
How should look the web.config binding of my WCF service, so that SOAP body will be validated against signature in the SOAP header?
Thank you
Try this:
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="MutualCertificate" includeTimestamp="false"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<httpTransport />
</binding>
</customBinding>
Make sure to decorate your contract to sign only:
[System.ServiceModel.ServiceContractAttribute(ConfigurationName=..., ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
I'm trying to call a web service in asp.net 4.0. Vendor has sent me the following sample soap header. I need to know how can i create following header in WCF client asp.net 4.0.
currently i'm using following code in app.config
<bindings>
<customBinding>
<binding name="EDTPortBinding">
<mtomMessageEncoding messageVersion="Soap11"/>
<security
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
securityHeaderLayout="Strict"
includeTimestamp="false"
requireDerivedKeys="true"
keyEntropyMode="ServerEntropy">
</security>
<httpsTransport authenticationScheme ="Negotiate" requireClientCertificate ="false" realm =""/>
</binding>
</customBinding>
</bindings>
but i'm getting error
Addressing Version 'AddressingNone (http://schemas.microsoft.com/ws/2005/05/addressing/none)' does not support adding WS-Addressing headers. Following is a sample header which I need to generate from WCF client.
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis- 200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-8B2ED84CAE64FADA2113775419342631">MIIF0zCCBLugAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYTAeFw0xMjA0MjkxNjAyMjNaFw0xNDA0MzAxNjAyMjNaMIGUMQswCQYDVQQGEwJDQTELMAkGA1UECBMCb24xETAPBgNVBAcTCGtpbmdzdG9uMSkwJwYDVQQKEyBIZWFsdGggU29sdXRpb25zIERlbGl2ZXJ5IEJyYW5jaDElMCMGA1UECxMcRWxlY3Ryb25pYyBCdXNpbmVzcyBTZXJ2aWNlczETMBEGA1UEAxQKRUJTX0NsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEEvvZ96t117651bJXIa8AaE69N1klliJvhrXFxtV2JcKoJHZG19Em6nFtxznvrfjHjQCOJXgREq0YLJmIHgIaIggug9g4oZhZoSXm11b0k+l9sI0uV1UQxSPvKZbptLw3JuY3E8iHoBTBY4TZDg0yfuuk5kpwT0JCqn8Pcoi2Oq2rQtEdnQ0TG5/lofJAMDRzBpK1ETnNOjzCeAkR3wHPec++q2nTuY9QFYntpOyk5JksRVuuIsR5OCW6rjFXTF7CJ84qxWloXmWl4M3yKDTi3ouD36Gplgo8fi2HLpNqVBDLCm7Acv8klkc0EyiFOpBzhEYWAVIIwC9ovybXRjg0CAwEAAaOCAfEwggHtMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgSwMEsGCWCGSAGG+EIBDQQ+FjxTU0wgQ2xpZW50IGNlcnRpZmljYXRlIHZhbGlkIG9ubHkgZm9yIE1PSExUQy9IU0MgRUJTIFRlc3RpbmcwHQYDVR0OBBYEFKV6tGi2SztsTcIPYFkZcKr4yLJMMIIBBAYDVR0jBIH8MIH5gBT/qI53Ggvfsdz34whLQ2gDg+PhW6GB1aSB0jCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYYIJAOnNHCT34+b/MCEGA1UdEgQaMBiBFnNlYW4uY2Fyc29uQG9udGFyaW8uY2EwJgYDVR0RBB8wHYEbZGVyZXlrLmZlcm5hbmRlc0BvbnRhcmlvLmNhMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAJqCht181F8rUUNQ8jHa42kdKH+FDF0ISuklbg5MARHo+wt1laltaMeaXdESnLJBNGvcgxPZ4StYMdCH8mOEWYftCy5nkyGQCuOd2GpaJ3Hj50bjZ9vZUYyUBPUmwIEP2v75QQe62fHTqza/VjA0I5eMGMKa3URHsTdfNdnEJjtmHdxWRjAjjrHpHQWE0e1QtG+ZV1ved0f5OzDvdylbvrm4S0mgCifk8qEvZtNSoDp37MmSFr5fFmo91BqT23xAgzUKra428dw4T1EKJYEd6pNssNS4XCQ6bTx0Au3mW5iINtiaYQP8rlSykwaJ+dFAtBG00kdGpebf1prvq4H91eA==</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-6">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsse erd edt abc deg soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>TSBdwFiHK6F64sibCXjThfekOJ5vQiXzPk5MjXPEwDE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#UsernameToken-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="sdf edt dfs dfd soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>pFSgm8Pc531sbAN/Oo3glEbs1Rh741tXJya+70oALdo=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="dsf dfd sdf soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>FHoEV5Xp//KLgM1Fg5NyeIfkRjUramyx0Y0+kX41leg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="dsd edt dfd soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>2SieN++YDPYJwbhBTgirOvjJo0aQMwiTcg5bL4Oj0fU=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt idp msa"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>eALo7Pftw02ykaoXdlUt7IPiHB9RbRfj2t7zTLxzLXg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo> <ds:SignatureValue>lhXC6GdvAtJq87cQHin0DRkDWDMkKPUbyqEd1m5XRUz+puGxWIX8EtriEdCOQGf/fzmYg7Q5 qpbR xQYw94SCLHynJu1VCx7MoI8A3wFbwdsEKF9urE3rKzrM6F6YLlosuOiGNFN9kK20ryUAl4XHqCrC C1Su3kFIiE0bwnWNCoi1bqt2zkomyBSVNXUOfw/QWfPbKlRZLNlzap1WPYK9ECSYF6Tf1g4R0lxk 7LcBYlWQn+P/qSIqZAv4jPDFQJS+pJ+3/Le8yEHNsZJfGjMKt2PF9jer3AJt+GqA3zQbj/5Ql0NF AK/uZv25s2pji6cRcz29qeLlyqhYbzLgCTPlog==</ds:SignatureValue>
<ds:KeyInfo Id="KI-8B2ED84CAE64FADA2113775419343232">
<wsse:SecurityTokenReference wsu:Id="STR-8B2ED84CAE64FADA2113775419343253">
<wsse:Reference URI="#X509-8B2ED84CAE64FADA2113775419342631" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile- 1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:UsernameToken wsu:Id="UsernameToken-2">
<wsse:Username>confsuxx#outlook.com</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username- token-profile-1.0#PasswordText">xxxxxxxxx</wsse:Password>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2013-08-26T18:32:14Z</wsu:Created>
<wsu:Expires>2013-08-26T18:32:44Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<idp:IDP wsu:Id="id-4">
<ServiceUserMUID>039396</ServiceUserMUID>
</idp:IDP>
<ebs:EBS wsu:Id="id-3">
<SoftwareConformanceKey>5cc6a261-d970-4898-920c-119fd07eads</SoftwareConformanceKey>
<AuditId>444361ee-277f-7732-c684-7a9923jaaa1b</AuditId>
</ebs:EBS>
</soapenv:Header>
I notice you're using soap 1.1 with addressing, which is unusual.
Try setting the textMessageEncoding binding element :
<bindings>
<customBinding>
<binding name="EDTPortBinding">
...
<textMessageEncoding messageVersion="Soap11WSAddressing10" />
...
</binding>
</customBinding>
</bindings>
Following is the soap message I captured from fiddler. This message is quite different from required message i published on top.
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<k:EncryptedHeader a:mustUnderstand="1" u:Id="_3" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:a="http://schemas.xmlsoap.org/soap/envelope/">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>BB/K56PdPa2IXdceVcLvCmFIuly4HwOGVmv4OCI6sNd/D7pLzcz9R/DtCI7uKI7Xn1ppIzQf9P+HgQ6dB2k+Dc8SrKpbzgJR9JhTzOSxm/0ZkdVuk6nhpPORo0Ch4507u/YqaiQkveO/tANBXiToi9GgFNYEOZTzR/rMvpRmvEyGnlxOkiXQI8H5CJn87dZxMc/KITyaAae3CNFhcLcUIsMDgc58GICbjNCx09YLHuxHaofng+D1yGhW0CmtMymCvxcvLcZmvcH4QBMD1LeEmliqaVIA7PfrF0C6z4ukN7cK2lQyYPeiJ2HQ0Vd0MbaDYoX7qVt3c1SOlVEzGVhC1NDi7Ejilt6laftyqX2uBWd0JcLsJpLLYioTB5mcxuXS+0LnmAGuU6njJWEfTqidLyticIzo3yitFdgjofgaGymkjVq0jCtTfE8mkzLTW2/S</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<k:EncryptedHeader a:mustUnderstand="1" u:Id="_4" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:a="http://schemas.xmlsoap.org/soap/envelope/">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>pFKhSf01843H0S0lR16/NFymFGqVt6cNNP2VzL8W6t8N+4uVI3QAMj0NigFigBpNi1WtXLV/Y5E3zUlnEP6drl1pVWo7ue4fYIKM3VZ347p27xHLO72Jy+734uf9n8nI1ruiWGPZZ/hDUwB5gmU0AEJGJPDzKS4fd3fZcMKaem7I9g8nRNhEE5sBq7w2YraIRsep++MK7FSqNJ/y6RIw5ifaVtEIzMqiXdPv6DSpfkU=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<ActivityId CorrelationId="8d7e0216-f29e-466d-8f59-fee9237be43a" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">30b8fade-6c73-4e77-aff7-98248cea2c09</ActivityId>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo1UOM+fT2PVBuVeE+3YdGt4AAAAAm+k0MQFSMkSxuNClyxbltwINs5gG8f1OoEvHXvwJM9IACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-14ace37f-2548-40e3-b88a-f3d95a3fef73-1">
<u:Created>2013-09-09T02:07:20.028Z</u:Created>
<u:Expires>2013-09-09T02:12:20.028Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIC1DCCAbygAwIBAgIQPpGuGBOBzJdOQbuT5uWbsjANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhFTVJBTi1QQzAeFw0xMzA5MDcyMjE2MDJaFw0xNDA5MDcwMDAwMDBaMBMxETAPBgNVBAMTCEVNUkFOLVBDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyWYMQAVEJxSDKmRk93Z+dH236HFSKF27TVAIoEcRAsBwN3MWUiIUOA4jPg20YaDHiFdGzCUr3rtRKtFo6rqhkj4gixObocG52fnJ4Ae8mlhO0hc/OONp40st9RuGY8my78GBzcSc9Tp+gW6/5ZHsVeXRFpwK7n+QnPTa2y3aPbsUHsazrSvxFp+LGzYxns5aLAi1k3PEAxoB7wHkOBEED0WuOuY7++EUKJDDjbiM/mRwklU43Y3zZfFdTDhqH/OFpuufPacvmTKDwvIbdIbfCvLNWenskMTSLb7Ak0YbPVdMY/7AsKlwHzrSVcENyYM+zIRSGVKswIVbL00VA0Ld7QIDAQABoyQwIjALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAIi9agMTAHXMhB9N9/P1iKPeWnVblutod/0i49oKsDxn3gb2d7AX8+fRgRHBP6L6yFcjX0goDl1MnWTYDl3AQaassDk1hW1SZlKhQgBVmsW38s+beEb1hyhZQtr7+SQbDEqRWL5RBN8Fi9CQiP5pOIvsNyymFixWk0HdjAo+8yE086YR3Wko6GtUDiQfZb2/05fRooQjmhxxUy4vlyteuP3nMnHxIR4jd9MO47dK30zyQpW9RuZxSVjAnpy+LnKhTFl9MwIXwubTaUrBAvru9T/OuQrBh+vllPfgSG4Q8U1z40Vp1JVGLqFXy9H+5T+MipFA7OVJrs6+/NnCdx8pwiQ=</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=EMRAN-PC</X509IssuerName>
<X509SerialNumber>83168549829936402630366527231323642802</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>JBPf96uwqg3QWqWrqBXLms269TvxNiPuwQiIp1yCxpFCmGYlHAPPzwKp0uIaY2GotNeot9eg29ob5hu9KAYUiYPHklVXYbl4pg3Jvim4O6ElcbkN5A6v1eTZgk7xLlDf+eMGT7zCP0UwjEjzl8Z/K9VdLSASV9E7eUHiZH2xQmbuhyckQAEGSzlpFO3pu9fiTTQZRScURc6cn6hCTsNaLT93nJUWKY2rSehDWA5X8WBMVs5E2nYxBdXzmRABP/0nW8BGRyKvl9reqxB/3nmCErG5ADLI2XlipT4h/pa6o7qYMHaiPPYTOuM+3dXdGie2gYv89j5TIQfeaRMiyFuqyA==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<o:UsernameToken u:Id="uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-1">
<o:Username>abcdf14</o:Username>
<o:Password>asdfasdf34!</o:Password>
</o:UsernameToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>cnhQbioITPIFIdQJYIuRoxIZcKs=</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>tY4Bfb76si198z7okwNeD2AqChg=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>zAqp1Yf2HzJ12a2WQZj6ZsvN44M=</DigestValue>
</Reference>
<Reference URI="#uuid-14ace37f-2548-40e3-b88a-f3d95a3fef73-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4F0ElIwHLQe4hnmTCqxo7n8Q/U4=</DigestValue>
</Reference>
<Reference URI="#uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>0u8ZWlKe7AGzrNJDS+ytvn1Jumg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>jnxPBBQEUNYPL8OcrzSywUVa/ipMwLiKlE+n+W7EpgKZjz2LJlCF8BYEJ4yOrF4WsiX1k26qSk/O59Kf+PWRqhJGYQ2Z0eZc5CW4upHhHoatymKFLphh75d4xef7dfPs+MvsN5Elw2QHvsiz5uO7OLyP5uSCNdVxg9F3zjcfmnW4aIIHvzV8PmTpysmPAnoNvRkNjGFxuemLERVKxjWc1Rn8JDy6nDVi4wYvISn1d6i00IsrIc0LJZosx/MwuSiE8AOP6Lo6+1eBDUzd6S9vqN6fCcJ1lykO6CouMuo+qxA37nmItfsgb7NtC+lAZpnVRB9qC8aqaFsXh9Vu1qeUoA==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_1"/>
<e:DataReference URI="#_3"/>
<e:DataReference URI="#_4"/>
</e:ReferenceList>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>t52vr+BDePvaT3bRjdKNt1Py915Jn/x7XAtM+z2c9I6nlFhw/Sf6H4AQh+MpRolfzoBIcmZQWQ56x6YrhdbOEVI9s+zEprLcvBoGn1JewZ1U7rqdpjXVuiee83hMHeFTT2THIJ7fX1O7Pm3rWxqM0AMaUm41UACnaxp0hZAncCFPEoc/+AtyC39zS/oxKYchNzVDkEBkoxjDnHndrQt2XGVSV0fjnCnWfAZ1Zi2zXVH50RA7nTSufZjZXld78nphJ+a5QqeT9V9XGWsd7Pg2ivI9ykb7Ke5IMTYD4nmLV7zR+zqMDiQnj+7GEpVKnuCraOilkr8afwyWZF97vi+9A1PIvzJbKnlQ3jryDZDUmWU=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
EDIT: See here a detailed solution to consume this EBS-EDT service
You need both username and client certificate. This cannot be done via binding xml configuration. you must create the binding progrematically. Something like this:
var b = new CustomBinding();
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion =
MessageSecurityVersion.
WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
sec.IncludeTimestamp = false;
sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;
b.Elements.Add(sec);
b.Elements.Add(new MtomMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());
var c =
new ServiceReference1.SimpleServiceSoapClient(b, new EndpointAddress(new Uri("https://www.url.com/"), new DnsEndpointIdentity("WSE2QuickStartServer"), new AddressHeaderCollection()));
c.ClientCredentials.UserName.UserName = "yaron";
c.ClientCredentials.UserName.Password = "1234";
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
System.ServiceModel.Security.X509CertificateValidationMode.None;
c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(#"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Public.cer");
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(#"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Client Private.pfx", "wse2qs");
c.EchoString("1");
Since you only use signature and not encryption you also need to set ProtectionLevel.Sign on your contract. See about this and other gotchas you may encounter in this detailed wcf security post.
Below is the style of header I need to create. I am expected to use either a public/private key or a SSL style certificate.
I don't know for certain, but I think my counter-party is using some form of Java.
<soap-env:Header>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#secinfo">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>xxxxxxxxxxxxx</ds:DigestValue>
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>//*[#id='secinfo']/child::*/text()</ds:XPath>
</ds:Transform>
</ds:Transforms>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>xxxxxxx</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
<t:UsernameToken xmlns:t="http://schemas.xmlsoap.org/ws/2002/04/secext" id="secinfo">
<t:UserInfo>USER=xxxx;CORR=xxxx;TIMESTAMP=201003161916</t:UserInfo>
</t:UsernameToken>
</wsse:Security>
</soap-env:Header>
A little late, but How about this:
How to: Sign a SOAP Message Using an X.509 Certificate