In my environment there are an ADFS 4.0 and asp.net project with IdentityServer4 + WsFederation package as the Claim Provider. All RPs that using a Ws-Fed protocol work fine. But SAMLP RP, does not receive claims in the response.
Sequencing:
The RP initiates a SAML signin request in ADFS. ADFS makes a Ws-Fed singin request to IdentityServer4. ADFS Get Ws-Fed response with a propper claims. But on the next step when ADFS generate SAML response from Ws-Fed response, ADFS issues the SAML response for RP without a claims ...
There is an error in event log:
EventID: 303:
Additional Data
Exception details:
System.IdentityModel.Tokens.SecurityTokenException: MSIS7099: SubjectConfirmationData element was missing in received token.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateRequestProperties(Saml2SecurityToken token)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
Ws-Fed message with UPN and E-mail claims:
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
Context="RPUrl=http://xxxxxx.com%2fadfs%2fservices%2ftrust\BaseUrl=http%3a%2f%2fxxxxxxxx.com%2fadfs%2fservices%2ftrust\ProtocolID=Saml\Id=id-8cbbc2e6-70f5-4804-9e61-99fd13781978\SAMLRequest=xxxxxxxx%3d\ProtocolBinding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-Redirect\RelayState=8e27a614-61b2-47f0-9583-f9be1d9ee75a"
>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://xxxxxxxx.xxxxxxxxx.com/adfs/services/trust</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_aac09822-5db4-4791-b677-690ef5bf273e"
IssueInstant="2020-07-01T14:10:26.357Z"
Version="2.0"
>
<Issuer>https://xxxxxxxxxx.xxxxxxxxxxx.com</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_aac09822-5db4-4791-b677-690ef5bf273e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>/2MHUXKcVJHSzV70wbFJVFrnYawDdFYPuekSh1/zEC4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xxxxxxxxxx</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>xxxxxxxxx</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xxxxxxxx</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2020-07-01T14:10:26.357Z"
NotOnOrAfter="2020-07-02T00:10:26.357Z"
>
<AudienceRestriction>
<Audience>http://xxxxxxx.xxxxxxxx.com/adfs/services/trust</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>xxxxxxxxx</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>xxxxxxxxxx</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2020-07-01T14:10:26.342Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
WS-Fed -> SAML (UPN and E-mail are missing):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_59eef1fa-81c5-4ede-8538-6caf4dbdf480"
Version="2.0"
IssueInstant="2020-07-01T14:10:26.698Z"
Destination="xxxxxxxxx/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="id-7052d47f-3df0-4d49-8ddf-673603bccb8e"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxxx/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_59eef1fa-81c5-4ede-8538-6caf4dbdf480">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>iia3AYaxxx8UoxILqjhsxkgeO4rXqPk9Jil1t0jUbLU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxx</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
</samlp:Status>
</samlp:Response>
Has anyone encountered a similar one?
The "urn:oasis:names:tc:SAML:2.0:status:Responder" is an error status. The SAML response will contain a SAML assertion with the various claims as the SAML Subject and SAML attributes only if successful.
Check the Windows event log on the ADFS server. There will be one or more error events associated with this error. It's most likely some sort of configuration error.
It sounds like you are not passing through the claims.
You need pass-through rules on the WS-Fed CP side and the same set of pass-through rules on the SAML RP side.
Since WS-Fed doesn't use NameID, you may also have to contruct a NameID claim on the SAML side using e.g. email or UPN.
The error was that IdentityServer4 generates a SAML 2.0 token inside the WsFederation message by default instead of SAML 1.1. Everything worked well until the applications initiated the WsFederation SignIn request, and extract SAML token by itself, but when the application sent the SAML SingIn request the ADFS must extract the SAML token but ADFS works with SAML 1.1 version only. So as a solution I switched a token version from SAML 2.0 to SAML 1.1 in IdentityServer4 and all started work.
namespace IdentityServer4.WsFederation
{
public class WsFederationOptions
{
//public string DefaultTokenType { get; set; } = WsFederationConstants.TokenTypes.Saml2TokenProfile11; // was
public string DefaultTokenType { get; set; } = WsFederationConstants.TokenTypes.OasisWssSaml11TokenProfile11; // working way
...
}
}
Related
I'm trying to integrate OpenAM Saml SSO to my .net 5 application. ITfoxtec.Saml2 is used to handle the authentication on the SP.
When trying to login, a valid post samlResponse is send. But when validating the response, I get following exception.
ERROR|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request. ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)
Confirmed that the signature Algorithm is correct (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
When manually verifying the saml response (via browser plugin SAML Chrome Panel), I noticed some encoding issues at the signature & certificate. Our admin also confirmed openAM encoding config is set to utf-8.
Is there anything that I am missing?
Request:
<saml2p:AuthnRequest
Destination="..."
ID="_b8fad14a-506b-4496-aa35-f09c4174e76f" IssueInstant="2021-10-25T12:59:21.212Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer>...</saml2:Issuer></saml2p:AuthnRequest>
Response:
<samlp:Response Destination="..."
ID="s2b5ecaf8f0265680dc4dcdd853678d3fb0fae7410" InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
IssueInstant="2021-10-25T12:59:21Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">...</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion ID="s21d821b22e63d329f2ae5284b1dcfab415b825ebf" IssueInstant="2021-10-25T12:59:21Z"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>...</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#s21d821b22e63d329f2ae5284b1dcfab415b825ebf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DUXzMtgGm0bCJD88pdxmElxNsxs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SGKlcZKLqzLL2MxNld4/4lGC8C/p2AULruK+HIha8sGvdEnU4zvdYhC701q6LpjHLwKLVcwgv+pG
ATzkzIZDmZ6SzXljQXtOwTwy4yT7gblbnL4W3gEqxceDtxs4MDjNQ+k/bJQlD32egA+ThteJyNby
Cztkf8LR2S5MLCyDjPX93DgQ97zo+tr4vUsIlExK2MiQQlTNBgvR0tZqvvTAOCva20dBacc5FaW+
qmUe7+lPeRzCnWp1Lag2KpSIJs7Uuc/Tp3uHw9Jys/g+ZYRQLESRpGEiPNLB602CMF4a8xOMUdlz
VUW5ECdywnnrZfVdJmKcPg725YJVmUGzS6K1QA==
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsT
Bk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQK
EwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFw
jwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wz
lE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/
ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eL
FootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8w
HQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2i
dv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukj
IzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119
IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlG
o99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV3
1sBREs8FaaCeksu7Y48BmkUqw6E9
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="...">zC7qyfpyMwFtp24en9Y97+hEEptH</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
NotOnOrAfter="2021-10-25T13:09:21Z" Recipient="..."/></saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-10-25T12:49:21Z" NotOnOrAfter="2021-10-25T13:09:21Z">
<saml:AudienceRestriction>
<saml:Audience>...</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-10-25T12:18:36Z"
SessionIndex="s27d56759d777a5ce71e5b97601c1563c4137ced01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
...
</saml:AttributeStatement>
</saml:Assertion></samlp:Response>
Metadata:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://devopenam02.dev.coteng.com:8080/OpenAM-14.6.2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCeksu7Y48BmkUqw6E9
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
</IDPSSODescriptor>
</EntityDescriptor>
The ITfoxtec Identity Saml2 package do not read the IdP signing certificate in the EntityDescriptor/KeyDescriptor element, the element is not supported.
The IdP certificate is read in the EntityDescriptor/IDPSSODescriptor/KeyDescriptor element.
Valid IdP metadata sample for the TestIdPCore sample:
I was able to retrieve, decode the security token (SWT) from various identity providers configured in ACS. Now I should be - according to example - able to do this:
String headerValue = string.Format("WRAP access_token=\"{0}\"", securityToken);
WebClient client = new WebClient();
client.Headers.Add("Authorization", headerValue);
using (Stream stream = client.OpenRead(#"http://xxx.cloudapp.net/xxx.svc/users"))
using (StreamReader reader = new StreamReader(stream))
{
String response = reader.ReadToEnd();
}
It works in a sense it fails for a non-existing endpoint for example. So service is there (secured), token module and token validator on the server side are called, and token passes through. So it's not that. But anyway the problem is that the response contains HTML of a login page (that one with identity provider list in it). It seem like as though the token validation was OK, it still isn't enough for security.
What should I do now, to receive my data from a service? Any hints?
Scenario: http://tinyurl.com/WcfRestSaml
Update: I've included link to a picture of scenario I'm trying to achieve.
Update 2: OK, I've switched to Saml2, but same error has occured. Then I've found out I need assertion to receive access token. So I did:
WebClient client = new WebClient { BaseAddress = string.Format("https://{namespace}.accesscontrol.windows.net") };
NameValueCollection parameters = new NameValueCollection
{
{ "wrap_assertion_format", "SAML" },
{ "wrap_assertion", securityToken },
{ "wrap_scope", "http://{our}.cloudapp.net/" }
};
Byte[] responseBytes = client.UploadValues("WRAPv0.9", parameters);
String response = Encoding.UTF8.GetString(responseBytes);
This returns yet another error as well though:
Error:Code:401:SubCode:T0:Detail:ACS50008: SAML token is
invalid.:TraceID:1d3774fa-a5e6-3e3b-a5e5-5a0bde6e0771:TimeStamp:2013-06-06
16:18:05Z
But it seems that this should return my desired access token.
Update 3: Nothing helps, nowhere to gather the information, damn. I'm posting a full token on a blind chance somebody will notice something is wrong at least (I've removed sensitive informations though).
<Assertion ID="_541a71ba-1e00-478c-8d2b-0beac3a35d35" IssueInstant="2013-06-07T11:38:31.741Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://{removed}.accesscontrol.windows.net/</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_541a71ba-1e00-478c-8d2b-0beac3a35d35">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>{removed}</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>{removed}</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>{removed}</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID>https://www.google.com/accounts/o8/id?id={removed}</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2013-06-07T11:38:31.694Z" NotOnOrAfter="2013-06-07T12:38:31.694Z">
<AudienceRestriction>
<Audience>http://{removed}.cloudapp.net/</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>{removed}</AttributeValue>
<AttributeValue>https://www.google.com/accounts/o8/id?id={removed}</AttributeValue>
<AttributeValue>{removed}</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider">
<AttributeValue>Google</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
As noted above:
We've solved it with Microsoft Support, it was caused by the fact, the service was behind passive federation, and the process doesn't like obviously. I've solved it by creating a <RequestSecurityToken> envelope for the SAML2 assertion token, this way it "simulated" browser activity, and it works well and also plays well with passive federation (due to WS-TRUST envelope).
It needed to pass it first and then it connected to ACS.The problem wasn't in access token or SAML assertion at all. It was caused - as I've pointed out - by the fact that part of website was behind the custom STS federation. The WS Federation module was blocking reception of this token. When I enveloped it in RequestSecurityToken for WS Federation to chew on first. It then passed to ACS as presented in my question.
I'm trying to communicate with a web service that implements WS-Security with SOAP 1.1 and requires the client to sign both the body and the timestamp in the request. On the client-side, I'm using WCF and have no control over the service. The proxy interface has its ProtectionLevel.Sign-attributes where they should be.
The client is also required to negotiate the service certificate (TLS/SSL) and to validate the service signing certificate according to some custom rules.
So far, my best attempt to get a connection is with this binding:
var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
b.TextEncoding = new UTF8Encoding();
It results in the request below, where only the timestamp signed - not the body. The service responds that the signature is invalid.
I've tried using CustomBinding and the SecurityBindingElement.CreateCertificateOverTransportBindingElement-function to create a security element, but it yielded the same results.
Using the SecurityBindingElement.CreateMutualCertificateBindingElement-function, both the body and timestamp were signed, but now WCF required me to specify the service certificate, which should be negotiated during the TLS/SSL handshake.
The request:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2013-03-11T15:41:19.744Z</u:Created>
<u:Expires>2013-03-11T15:46:19.744Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">..REMOVED..</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>z2Q9Bb/I1Mo7DJFZ3uXA42JSH0AJJguvIfnYMxlKBAg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>FgvpaSy+Zg3PHul6q2//Wc1lp+z+tuPCFKcLFp5edYvApb8yDwVDhuRuYPfn5K2TdGpQQekV095WZofIpIUV5aA+VBzf0/qVMP9hvOCqloyjJF3FWiMC829yFE8ePrYT3c1VXWSZi1172E7iRTNetz5ZmRYKAlcy6t7MaIq++q6MlM0gkK/w/W5qWVLIvopf2MQc+V+PBBmx7nWKGzF4SxIgdD4JeGOUzIND68OozBYD7jrvHLeYUjUzmBCkrLKm2bXDDksrV9rJHZdoizKrC7C59uRPh+gG5pl2pMLYtimFnwot3L4lvysBG0apAftxXat091c5a4JtKAvuDiWOFQ==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Request xmlns="http://theurltotheservice">
<Value>123456789</Value>
</Request>
</s:Body>
I have a wcf client where I am required to use both certificate and username security.
Within the header signature that I output, two reference elements exist. One maps (via URI) to the UsernameToken and my understanding is that the other reference element should map to the SecurityTokenReference, but it isn't.
The security section of my outgoing soap header is as follows
<o:UsernameToken u:Id="uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<o:Username>xxxxxxx</o:Username>
<o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token- profile-1.0#PasswordText">xxxxxxx</o:Password>
</o:UsernameToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>FNjRLXvhojvaLY/4MhdtsK1cicE=</DigestValue>
</Reference>
<Reference URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>ZhCGi22F57ASm5YGVjLxe/s5wyY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>CvxcSSur/epImkRyDh8AywiE3E6GabKzhQhGm/ISpHroWFEryIgpFCStZpGdvt6/QxXskgIiP39eQQILRm1CsTFBZkzP+mb1ktis2OlyiGOFfVNnOXVseOktMGt1WpeNlssFNk0prP9gy5EU3lWwxENvHFy8/IZZWCR8A4Cm+yA=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
You can see that one Reference URI maps to the Id of the UsernameToken, but the other Reference URI is #_1 when I am expecting it to be #uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3 (the URI of the SecurityTokenReference)
My code to create the custom binding is as follows
private System.ServiceModel.Channels.Binding GetBinding()
{
System.ServiceModel.Channels.AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement();
asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
asbe.InitiatorTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
asbe.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
asbe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
asbe.IncludeTimestamp = false;
asbe.SetKeyDerivation(false);
asbe.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15;
asbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
CustomBinding myBinding = new CustomBinding();
myBinding.Elements.Add(asbe);
myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
httpsBindingElement.RequireClientCertificate = true;
myBinding.Elements.Add(httpsBindingElement);
return myBinding;
}
Does anyone know what config setting(s) I need to change to get the reference sucessfully mapping to the SecurityToken?
Just a note that this question is really a sub question of my main issue which I've detailed at How to make WCF Client conform to specific WS-Security - sign UsernameToken and SecurityTokenReference. It looks like signing the certificate is not something that can be done via ootb config or property settings, so the answer may lie in writing the signature block manually. This is what I'm looking at next.
Finally solved the issue which I've posted on the related question - How to make WCF Client conform to specific WS-Security - sign UsernameToken and SecurityTokenReference
I need in WCF ensure soap header like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1D82AB9733B359236712457035776561"></wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms> <ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1D82AB9733B359236712457035776562">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1D82AB9733B359236712457035776563">
<wsse:Reference URI="#CertId-1D82AB9733B359236712457035776561" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2009-06-22T20:46:17Z
</wsu:Created>
<wsu:Expires>2009-06-22T20:51:17Z
</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</SOAP-ENV:Header>
where timestamp and body parts/elements will be digitally signed by directly referenced certificate included in message (BinarySecurityToken) and confidentiality will be ensured only on transport level by SSL(IIS hosted service). Currently Iam using classes TransportSecurityBindingElement and HttpsTransportBinding, but yet I can't gain soap header like I want... Problem is (according to message tracing) that in BinarySecurityToken element is missing attributes like id, EncodingType, ValueType and message body isn't signed (I set ProtectionLevel to Sign in contract)
So if someone have skills with this I will very appreciate.
This is a shot in the dark, since I don't know any WCF, but I do know SOAP message signing.
A must-have is an attribute "Id" or "wsu:Id" in your SOAP body element. The signature will use that Id as the reference for the data being signed. In the example you posted, this is being done on the wsu:Timestamp element -- it has an id of
wsu:Id="Timestamp-1"
And then the signature uses that as a reference:
<ds:Reference URI="#Timestamp-1">
And in the example the signature also references:
<ds:Reference URI="#id-3">
Which, I assume, is the id of the body of the example.
I'm not sure how your toolkit's API attaches Ids, but you'll definitely need it on anything you sign.
EncodingType and ValueType are a little trickier. I'm afraid I don't know that one off the top of my head. My temptation would be to try to get the Ids right and then see if it all falls into place. It might.