I want to send SOAP request from WebClient to WCF service. With setting security mode="None", it works correctly.
But if I used Message security mode, it failed, I have tried to add username and password in WebClient, but it did not work. Could I send SOAP from webclient to wcf service when WCF use message security?
Here is web.config
<wsHttpBinding>
<binding name="wsConfigSection">
<security mode="None"></security>
</binding>
And here is webclient.
WebClient myWebClient = new WebClient();
myWebClient.Headers.Add("Content-Type", "application/soap+xml; charset=utf-8");
//myWebClient.UseDefaultCredentials = true;
myWebClient.Credentials = new NetworkCredential(#"domain\username","password");
myWebClient.Headers.Add("SOAPAction", "\"http://tempuri.org/ICalculator/Add\"");
var response = myWebClient.UploadString(endpoint, payload);
Console.WriteLine(response);
Best Regards,
Edward
The security info usually contained in the header of request body. The header is not HTTP HEADER, it's SOAP request header, which is part of HTTP BODY.
Depend on the actual security binding you are using, you should set the security header with the correct value, and send SOAP HEADER with SOAP BODY together in the HTTP BODY.
This is one sample soap request (not valid, just for example):
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-11465961">xxx</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-533766178">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>xxx</ds:DigestValue>
</ds:Reference>
<ds:Reference >
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>xxx</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-944359288">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>xxx</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxx
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1977405101">
<wsse:SecurityTokenReference>
<wsse:Reference></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body>
</soap:Body>
</soap:Envelope>
You can see there's in the soap:Header, that should be the place you put something. and sent within the HTTP body.
Related
I'm trying to integrate OpenAM Saml SSO to my .net 5 application. ITfoxtec.Saml2 is used to handle the authentication on the SP.
When trying to login, a valid post samlResponse is send. But when validating the response, I get following exception.
ERROR|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request. ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)
Confirmed that the signature Algorithm is correct (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
When manually verifying the saml response (via browser plugin SAML Chrome Panel), I noticed some encoding issues at the signature & certificate. Our admin also confirmed openAM encoding config is set to utf-8.
Is there anything that I am missing?
Request:
<saml2p:AuthnRequest
Destination="..."
ID="_b8fad14a-506b-4496-aa35-f09c4174e76f" IssueInstant="2021-10-25T12:59:21.212Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer>...</saml2:Issuer></saml2p:AuthnRequest>
Response:
<samlp:Response Destination="..."
ID="s2b5ecaf8f0265680dc4dcdd853678d3fb0fae7410" InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
IssueInstant="2021-10-25T12:59:21Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">...</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion ID="s21d821b22e63d329f2ae5284b1dcfab415b825ebf" IssueInstant="2021-10-25T12:59:21Z"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>...</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#s21d821b22e63d329f2ae5284b1dcfab415b825ebf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DUXzMtgGm0bCJD88pdxmElxNsxs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SGKlcZKLqzLL2MxNld4/4lGC8C/p2AULruK+HIha8sGvdEnU4zvdYhC701q6LpjHLwKLVcwgv+pG
ATzkzIZDmZ6SzXljQXtOwTwy4yT7gblbnL4W3gEqxceDtxs4MDjNQ+k/bJQlD32egA+ThteJyNby
Cztkf8LR2S5MLCyDjPX93DgQ97zo+tr4vUsIlExK2MiQQlTNBgvR0tZqvvTAOCva20dBacc5FaW+
qmUe7+lPeRzCnWp1Lag2KpSIJs7Uuc/Tp3uHw9Jys/g+ZYRQLESRpGEiPNLB602CMF4a8xOMUdlz
VUW5ECdywnnrZfVdJmKcPg725YJVmUGzS6K1QA==
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsT
Bk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQK
EwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFw
jwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wz
lE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/
ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eL
FootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8w
HQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2i
dv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukj
IzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119
IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlG
o99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV3
1sBREs8FaaCeksu7Y48BmkUqw6E9
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="...">zC7qyfpyMwFtp24en9Y97+hEEptH</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
NotOnOrAfter="2021-10-25T13:09:21Z" Recipient="..."/></saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-10-25T12:49:21Z" NotOnOrAfter="2021-10-25T13:09:21Z">
<saml:AudienceRestriction>
<saml:Audience>...</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-10-25T12:18:36Z"
SessionIndex="s27d56759d777a5ce71e5b97601c1563c4137ced01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
...
</saml:AttributeStatement>
</saml:Assertion></samlp:Response>
Metadata:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://devopenam02.dev.coteng.com:8080/OpenAM-14.6.2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCeksu7Y48BmkUqw6E9
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
</IDPSSODescriptor>
</EntityDescriptor>
The ITfoxtec Identity Saml2 package do not read the IdP signing certificate in the EntityDescriptor/KeyDescriptor element, the element is not supported.
The IdP certificate is read in the EntityDescriptor/IDPSSODescriptor/KeyDescriptor element.
Valid IdP metadata sample for the TestIdPCore sample:
Best regards felas
I'm trying to access web service methods wich receive a signed XML as a parameter, using VB.NET and Framework 4.5. it happens that Web Service uses WS-Authentication with BinarySecurityToken schema, I managed to generate a resquest from SOAP UI and it works just fine, here's the request's XML:
base64binary-Token
base64binary-DigestValue
base64Binary-SignatureValue
HERE GOES XML DATA BETWEEN CDATA TAGS
I've been doing a lot of research and found that this can be done "easily" with WCF, but I can quite find how this WCF binding works and how I must pass my XML data so it can be wrapped into the SOAP envelope's body with propper security elements.
The code's I've examined look very complex for me since the just use base class that I can figure out where came from. I'd like to generate the code to cosume the WS without adding references but rather using http requests as this guy does here:
http://www2.sys-con.com/ITSG/virtualcd/WebServices/archives/0208/thota/index.html
I'd appreciate any help, and thanks in advance for any help!
I didn't realize about the XML code, so, here's the SOAP Message XML code
<soapenv:Envelope xmlns:dgi="http://dgi.gub.uy" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-B1784C762113654DB514508130204461">base64binary-Token</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-B1784C762113654DB514508130206685" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="dgi soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-B1784C762113654DB514508130206654">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="dgi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>base64binary-DigestValue</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>base64Binary-SignatureValue</ds:SignatureValue>
<ds:KeyInfo Id="KI-B1784C762113654DB514508130206312">
<wsse:SecurityTokenReference wsu:Id="STR-B1784C762113654DB514508130206463">
<wsse:Reference URI="#X509-B1784C762113654DB514508130204461" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-B1784C762113654DB514508130206654" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<dgi:WS_eFactura.EFACRECEPCIONSOBRE>
<dgi:Datain>
<dgi:xmlData>HERE GOES XML DATA BETWEEN CDATA TAGS</dgi:xmlData>
</dgi:Datain>
</dgi:WS_eFactura.EFACRECEPCIONSOBRE>
</soapenv:Body>
</soapenv:Envelope>
Description: I have a .NET 4.5 WCF client and I neeed to consume a Java-based web service using SOAP. The client has to authenticate using a client certificate at the transport level. The message body has to be signed using a separate signing certificate. I've implemented a CustomBinding object trying all combinations of binding objects that make sense for my case... still no luck. Here is the post I got the idea for the CustomBinding from.
This is the code that generates a SOAP request (the CustomCredentials implementation is provided from Jawad, see the link with his post at the bottom) that is closest to the working request I got from the web service provider:
public static MyClient CreateProxy()
{
EndpointAddress epa = new EndpointAddress(new Uri("https://www.webservice-url/Server20/ID"), EndpointIdentity.CreateDnsIdentity("Certificate_Issuer_Name"), new AddressHeaderCollection());
MyClient proxy = new MyClient(GetCustomBinding(), epa);
proxy.Endpoint.EndpointBehaviors.Remove(typeof(ClientCredentials));
CustomCredentials myCredentials = new CustomCredentials(GetClientAuthenticationCert(), GetSigningCertificate());
proxy.Endpoint.EndpointBehaviors.Add(myCredentials);
proxy.Endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign;
return proxy;
}
private static Binding GetCustomBinding()
{
TransportSecurityBindingElement tsElement = SecurityBindingElement.CreateCertificateOverTransportBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
tsElement.SetKeyDerivation(false);
tsElement.AllowInsecureTransport = true;
X509SecurityTokenParameters tokenParams = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
tokenParams.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
tsElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(tokenParams);
tsElement.EnableUnsecuredResponse = true;
tsElement.IncludeTimestamp = true;
TextMessageEncodingBindingElement tmElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, System.Text.Encoding.UTF8);
HttpsTransportBindingElement httpsElement = new HttpsTransportBindingElement();
httpsElement.RequireClientCertificate = true;
CustomBinding customBinding = new CustomBinding();
customBinding.Elements.Add(tsElement);
customBinding.Elements.Add(tmElement);
customBinding.Elements.Add(httpsElement);
return customBinding;
}
The generated SOAP request looks like this:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://bsi.bund.de/eID/useID</a:Action>
<a:MessageID>urn:uuid:288e93bd-b004-42e7-b49c-00f1a315cd29</a:MessageID>
<a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDP/Eczn0ACQAA</VsDebuggerCausalityData>
<a:To s:mustUnderstand="1" u:Id="_1">https://test.governikus-eid.de:8444/eID-Server-20/eID</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-08-25T13:48:07.634Z</u:Created>
<u:Expires>2014-08-25T13:53:07.634Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken><!--Removed--></o:BinarySecurityToken>
<o:BinarySecurityToken><!--Removed--></o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>BMfUzgz9+cG6FgNeljlm4T9v5Y0=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>TM59Or2Dn8j6oddZ/HE7viskDVg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>bQAoFq3VNK2GCxM9iM0ZLlvFZxxMLaH7E5Ch12X...</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-4432a63d-068b-4627-bbb3-2bc94d016357-1"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<useIDRequest xmlns="http://bsi.bund.de/eID/">
<UseOperations>
<GivenNames>REQUIRED</GivenNames>
<FamilyNames>REQUIRED</FamilyNames>
<Nationality>REQUIRED</Nationality>
</UseOperations>
<AgeVerificationRequest>
<Age>18</Age>
</AgeVerificationRequest>
<PlaceVerificationRequest></PlaceVerificationRequest>
</useIDRequest>
</s:Body>
</s:Envelope>
And here is how the SOAP request should look like:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<S:Header>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp xmlns:ns15="http://www.w3.org/2003/05/soap-envelope" xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" wsu:Id="_3">
<wsu:Created>2014-08-22T09:22:48Z</wsu:Created>
<wsu:Expires>2014-08-22T09:27:48Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature xmlns:ns15="http://www.w3.org/2003/05/soap-envelope" xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" Id="_1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_5002">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xhfeoN1hwzzG6xj53QP4Y/waCm4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>eNvJUyyQU/GRCS1V0tdoNzy8IHY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>KpzOsC/5r3UjKcOHx2l...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=DE,ST=bremen,L=bremen,O=bos,OU=test,CN=demo_epa</ds:X509IssuerName>
<ds:X509SerialNumber>124466</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body wsu:Id="_5002">
<ns4:useIDRequest xmlns:ns2="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://bsi.bund.de/eID/" xmlns:ns5="http://www.w3.org/2001/04/xmlenc#\
" xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="urn:oasis:names:tc:SAML\:1.0:assertion">
<ns4:UseOperations>
<ns4:GivenNames>REQUIRED</ns4:GivenNames>
<ns4:FamilyNames>REQUIRED</ns4:FamilyNames>
</ns4:UseOperations>
</ns4:useIDRequest>
</S:Body>
</S:Envelope>
The main difference I see is that I don't have X509Data in the SecurityTokenReference tag, but only a reference.
So, what am I doing wrong? Is the missing X509Data tag in the request the key to the problem? If yes, how can I add this information there?
I'm trying to add the saml 2.0 assertion node from the soap header example below - I came across the samlassertion type in the .net framework but that looks like it is only for saml 1.1.
<S:Header>
<To xmlns="http://www.w3.org/2005/08/addressing">https://rs1.greenwaymedical.com:8181/CONNECTGateway/EntityService/NhincProxyXDRRequestSecured</To>
<Action xmlns="http://www.w3.org/2005/08/addressing">tns:ProvideAndRegisterDocumentSet-bRequest_Request</Action>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:662ee047-3437-4781-a8d2-ee91bc940ef0</MessageID>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns16="http://www.w3.org/2003/05/soap-envelope"
wsu:Id="_1">
<wsu:Created>2010-05-26T03:51:57Z</wsu:Created>
<wsu:Expires>2010-05-26T03:56:57Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="bd1ecf8d-a6d8-488d-9183-a11227c6a219"
IssueInstant="2010-05-26T03:51:57.959Z"
Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>p4jUkEUg..gwO7U=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z"
SessionIndex="987">
<saml2:SubjectLocality Address="158.147.185.168"
DNSName="cs.myharris.net"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns7="http://www.w3.org/2001/XMLSchema"
ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns7="http://www.w3.org/2001/XMLSchema"
ns6:type="ns7:string">InternalTest2</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns7="http://www.w3.org/2001/XMLSchema"
ns6:type="ns7:string">2.2</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns7="http://www.w3.org/2001/XMLSchema"
ns6:type="ns7:string">2.16.840.1.113883.3.441</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
<saml2:AttributeValue>
<hl7:Role xmlns:hl7="urn:hl7-org:v3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
code="307969004"
codeSystem="2.16.840.1.113883.6.96"
codeSystemName="SNOMED_CT"
displayName="Public Health"
xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
<saml2:AttributeValue>
<hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
code="PUBLICHEALTH"
codeSystem="2.16.840.1.113883.3.18.7.1"
codeSystemName="nhin-purpose"
displayName="Use or disclosure of Psychotherapy Notes"
xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns7="http://www.w3.org/2001/XMLSchema"
ns6:type="ns7:string">500000000^^^&1.1&ISO</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit"
Resource="https://158.147.185.168:8181/SamlReceiveService/SamlProcessWS">
<saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="40df7c0a-ff3e-4b26-baeb-f2910f6d05a9"
IssueInstant="2009-04-16T13:10:39.093Z"
Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
<saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z"
NotOnOrAfter="2009-12-31T12:00:00.000Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy"
NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns7="http://www.w3.org/2001/XMLSchema"
ns6:type="ns7:string">Claim-Ref-1234</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy"
NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ns7="http://www.w3.org/2001/XMLSchema"
ns6:type="ns7:string">Claim-Instance-1</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#bd1ecf8d-a6d8-488d-9183-a11227c6a219">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ONbZqPUyFVPMx4v9vvpJGNB4cao=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Dm/aW5bB..pF93s=</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>p4jUkEU..bzqgwO7U=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml2:Assertion>
<ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns16="http://www.w3.org/2003/05/soap-envelope"
Id="_2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
<Include xmlns="http://www.w3.org/2004/08/xop/include"
href="cid:67585ea9-1bec-46d3-a49f-95c8d0334ead#example.jaxws.sun.com"/>
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
<Include xmlns="http://www.w3.org/2004/08/xop/include"
href="cid:cc7fbcca-b325-4265-a10e-76982b2c7bf7#example.jaxws.sun.com"/>
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">bd1ecf8d-a6d8-488d-9183-a11227c6a219</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
I've been researching for days and cannot seem to come up with a straightforward way of doing this in WCF. The web service is running on Glassfish and is soap 1.1, I've tried using all the packaged wcf bindings but have not been able to get them to work. I started down the path of using a MessageInspector, and wrote one but then realized there must be a better way, surely WCF provides some way to insert saml 2.0 assertions. I've made the most progress writing a custom binding - i've been able to get the timestamp and signature nodes in the soap header, but cannot for the life of me figure out the saml assertion. Any ideas?
public static System.ServiceModel.Channels.Binding BuildCONNECTCustomBinding()
{
TransportSecurityBindingElement transportSecurityBindingElement = SecurityBindingElement.CreateCertificateOverTransportBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
TextMessageEncodingBindingElement textMessageEncodingBindingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, System.Text.Encoding.UTF8);
HttpsTransportBindingElement httpsTransportBindingElement = new HttpsTransportBindingElement();
SecurityTokenReferenceType securityTokenReference = new SecurityTokenReferenceType();
BindingElementCollection bindingElementCollection = new BindingElementCollection();
bindingElementCollection.Add(transportSecurityBindingElement);
bindingElementCollection.Add(textMessageEncodingBindingElement);
bindingElementCollection.Add(httpsTransportBindingElement);
CustomBinding cb = new CustomBinding(bindingElementCollection);
cb.CreateBindingElements();
return cb;
}
Although I'm not at the full solution yet I believe I have found the right path to take. I need to create a custom security token by following this Microsoft documentation. I'm starting a list of links below that I have found helpful in hopes they provide guidance to others facing the same challenge.
Reference Links:
.NET SAML 2.0 implementation.
How to use SAML 2.0 Assertions with WS2007HttpBinding (i.e. without relying on a Security Token Service to provide tokens)?
WCF Authentication with custom ClientCredentials: What is the clientCredentialType to use?
Need advise on how to sign request's soap body using WCF
Check WIF (Windows identity foundation). It supports SAML 2.0 tokens and it should be able to integrate with WCF.
I need in WCF ensure soap header like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1D82AB9733B359236712457035776561"></wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms> <ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1D82AB9733B359236712457035776562">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1D82AB9733B359236712457035776563">
<wsse:Reference URI="#CertId-1D82AB9733B359236712457035776561" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2009-06-22T20:46:17Z
</wsu:Created>
<wsu:Expires>2009-06-22T20:51:17Z
</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</SOAP-ENV:Header>
where timestamp and body parts/elements will be digitally signed by directly referenced certificate included in message (BinarySecurityToken) and confidentiality will be ensured only on transport level by SSL(IIS hosted service). Currently Iam using classes TransportSecurityBindingElement and HttpsTransportBinding, but yet I can't gain soap header like I want... Problem is (according to message tracing) that in BinarySecurityToken element is missing attributes like id, EncodingType, ValueType and message body isn't signed (I set ProtectionLevel to Sign in contract)
So if someone have skills with this I will very appreciate.
This is a shot in the dark, since I don't know any WCF, but I do know SOAP message signing.
A must-have is an attribute "Id" or "wsu:Id" in your SOAP body element. The signature will use that Id as the reference for the data being signed. In the example you posted, this is being done on the wsu:Timestamp element -- it has an id of
wsu:Id="Timestamp-1"
And then the signature uses that as a reference:
<ds:Reference URI="#Timestamp-1">
And in the example the signature also references:
<ds:Reference URI="#id-3">
Which, I assume, is the id of the body of the example.
I'm not sure how your toolkit's API attaches Ids, but you'll definitely need it on anything you sign.
EncodingType and ValueType are a little trickier. I'm afraid I don't know that one off the top of my head. My temptation would be to try to get the Ids right and then see if it all falls into place. It might.