
Capture the STS response

Is there a way I can capture the unencrypted response in the STS?

I am trying to log all requests and responses with the STS; however, I can only manage to capture the encrypted response, which is meaningless to me.

I need a hook point that I can override to get a copy of the response before it is encrypted with the RP public key.
Jimmy Q
I often use this base class - should give you the idea:

using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Linq;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Tokens;
using idfx = Microsoft.IdentityModel.SecurityTokenService;

public abstract class MonitoredSecurityTokenService : idfx.SecurityTokenService
{
    public MonitoredSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    { }

    // Monitoring hooks: derived classes override these to log the RST, RSTR and token.
    protected virtual void OnRst(XElement rst) { }
    protected virtual void OnRstr(XElement rstr) { }
    protected virtual void OnIssuedToken(XElement issuedToken) { }

    protected override RequestSecurityTokenResponse GetResponse(RequestSecurityToken request, SecurityTokenDescriptor tokenDescriptor)
    {
        var response = base.GetResponse(request, tokenDescriptor);

        // see if token is an EncryptedSecurityToken ...
        EncryptedSecurityToken est = tokenDescriptor.Token as EncryptedSecurityToken;
        SecurityToken st;

        if (est != null)
        {
            // if so, use inner token
            st = est.Token;
        }
        else
        {
            // if not, use the token directly
            st = tokenDescriptor.Token;
        }

        // serialize the token with the handlers configured for this STS
        SecurityTokenSerializer ser = new SecurityTokenSerializerAdapter(
            this.SecurityTokenServiceConfiguration.SecurityTokenHandlers);

        XElement token = new XElement("IssuedToken");
        XmlWriter xw = token.CreateWriter();
        ser.WriteToken(xw, st);
        xw.Close();

        try
        {
            // do monitoring callbacks
            OnRst(XElement.Parse(SerializeRequest(request)));
            OnRstr(XElement.Parse(SerializeResponse(response)));
            OnIssuedToken(token);
        }
        catch
        {
            // monitoring must never break token issuance
        }

        return response;
    }

    private string SerializeRequest(RequestSecurityToken request)
    {
        var serializer = new WSTrust13RequestSerializer();
        WSTrustSerializationContext context = new WSTrustSerializationContext();
        StringBuilder sb = new StringBuilder();
        using (var writer = new XmlTextWriter(new StringWriter(sb)))
        {
            serializer.WriteXml(request, writer, context);
            return sb.ToString();
        }
    }

    private string SerializeResponse(RequestSecurityTokenResponse response)
    {
        var serializer = new WSTrust13ResponseSerializer();
        WSTrustSerializationContext context = new WSTrustSerializationContext();
        StringBuilder sb = new StringBuilder();
        using (var writer = new XmlTextWriter(new StringWriter(sb)))
        {
            serializer.WriteXml(response, writer, context);
            return sb.ToString();
        }
    }
}


Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
thanks Dominick

I have gotten that far myself; however, the serialised token is encrypted for the RP.
What I need is to get the constructed response before Geneva encrypts it for the RP.

Is this possible?

Jimmy Q
Using your code fragment, I get a "This XmlWriter does not support base64 encoded data." error when it calls the WriteToken method.
Jimmy Q
The STS creates encrypted responses by wrapping the output of Saml11/Saml2SecurityTokenHandler.WriteToken in EncryptedSecurityToken.WriteToken. In both handlers, the serialization takes place in WriteAssertion.

You can derive your own Saml handler from one or both of these and override the WriteAssertion method to serialize a second time to your log file. This has performance implications, but I assume your interest here is for debugging.

If you aren't interested in the actual XML, you could also override WriteToken and capture whatever you want from the binary token.
Peter Kron - MSFT
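The approach Peter describes, written out as an added example (not code from the thread or from the Geneva framework): a SAML 2.0 handler whose WriteAssertion override serializes the assertion a second time into a log sink before the STS wraps the real output in EncryptedSecurityToken. The log sink (an Action<string>) and the Register helper are assumptions for illustration; the copy written here is plaintext, so the sink needs the same protection as any other place the STS keeps claims.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

// Added example: logs the unencrypted SAML 2.0 assertion as it is issued.
public class LoggingSaml2SecurityTokenHandler : Saml2SecurityTokenHandler
{
    // Assumed log sink, e.g. a file appender or trace listener.
    private readonly Action<string> _log;

    public LoggingSaml2SecurityTokenHandler(Action<string> log)
    {
        if (log == null) throw new ArgumentNullException("log");
        _log = log;
    }

    protected override void WriteAssertion(XmlWriter writer, Saml2Assertion data)
    {
        // First pass: serialize into a string for the log. XmlWriter.Create
        // (unlike XElement.CreateWriter) supports the base64 writes that the
        // signature needs. This doubles serialization cost per token, so it is
        // a debugging aid rather than a production setting.
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true, Indent = true };
        using (var logWriter = XmlWriter.Create(new StringWriter(sb), settings))
        {
            base.WriteAssertion(logWriter, data);
        }

        try { _log(sb.ToString()); }
        catch { /* a logging failure must never break token issuance */ }

        // Second pass: serialize into the real response stream, which the STS
        // then encrypts for the RP.
        base.WriteAssertion(writer, data);
    }

    // Assumed helper: replace the default Saml2SecurityTokenHandler in the STS
    // configuration with this one (AddOrReplace keys on the handled token type).
    public static void Register(SecurityTokenServiceConfiguration config, Action<string> log)
    {
        config.SecurityTokenHandlers.AddOrReplace(new LoggingSaml2SecurityTokenHandler(log));
    }
}
```

The same pattern applies to Saml11SecurityTokenHandler, whose WriteAssertion takes a SamlAssertion instead of a Saml2Assertion.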
