Hi,
I want to use Geneva Server as a resource STS, so I try to authenticate by sending an issued token. For testing purposes, I use my Geneva Server instance (named "idp") as IdP and resource STS at the same time, so what I actually want to do is get a token from idp and use this token as authentication in another request to idp. For this purpose, I derived from WSTrustClient:
class FedWSTrustClient : WSTrustClient
{
    // Token obtained from the IdP; used as the message credential for the next request.
    SecurityToken intermediateToken;

    public FedWSTrustClient(Binding b, EndpointAddress ea, SecurityToken st)
        : base(b, ea)
    {
        intermediateToken = st;
    }

    protected override IWSTrustContract CreateChannel()
    {
        if (intermediateToken == null)
        {
            // No bootstrap token: fall back to the base class (e.g. username/password).
            return base.CreateChannel();
        }
        else
        {
            IWSTrustContract channel;
            lock (this.ChannelFactory)
            {
                // Configure the factory for issued-token use and attach the token to the channel.
                ChannelFactoryOperations.ConfigureChannelFactory<IWSTrustContract>(this.ChannelFactory);
                channel = this.ChannelFactory.CreateChannelWithIssuedToken<IWSTrustContract>(intermediateToken);
            }
            return channel;
        }
    }
}
Getting a token from idp with un/pw authentication works flawlessly; the proof key is symmetric. Then I try to send this token to idp using FedWSTrustClient:
SecurityToken intermediateToken = GetBootstrapToken();
WS2007HttpBinding binding = new WS2007HttpBinding();
binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;
EndpointAddress endpoint = new EndpointAddress("https://idp.geneva.local/Trust/13/IssuedTokenMixedSymmetricBasic256");
FedWSTrustClient client = new FedWSTrustClient(binding, endpoint, intermediateToken);
client.ClientCredentials.ClientCertificate.Certificate = CertificateUtility.GetCertificate(/*certificate of computer*/);
client.ClientCredentials.ServiceCertificate.DefaultCertificate = CertificateUtility.GetCertificate(/*idp signing certificate*/);
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
client.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
RequestSecurityToken rst = new RequestSecurityToken();
rst.AppliesTo = new EndpointAddress("http://sp/activerp");
rst.RequestType = RequestTypeConstants.Issue;
var delegatedToken = client.Issue(rst);
At this point, an exception is thrown:
The message with Action 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT' cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver. Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None).
Switching the security mode to Message (and changing the endpoint accordingly) doesn't seem to be possible either:
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via
Maybe I'm missing something fundamental. Why does the client have to authenticate by certificate? Why not use proof-of-possession? Can anybody help me out or just post sample code?
Regards,
Holger Kuehner
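Added example, not code from the original post or from the Geneva/WIF product. It reuses the post's own FedWSTrustClient and CertificateUtility helper (both assumed to exist as shown above) and the post's endpoint URL, and shows the one binding setting a practitioner would check first: WS2007HttpBinding establishes a WS-SecureConversation session by default (Security.Message.EstablishSecurityContext = true), so the first message on the wire is an RST/SCT with the action 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT', which is exactly the action the ContractFilter error quotes. Turning that off makes the client send the issued token directly on the RST:

```csharp
// Added example (not from the original post). Assumes the Geneva beta API names used in the
// post (WSTrustClient, RequestSecurityToken, RequestTypeConstants, ChannelFactoryOperations),
// the post's FedWSTrustClient class and the post's CertificateUtility helper.
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

static class DelegationSample
{
    // Binding for sending an issued token as the message credential over TLS.
    public static WS2007HttpBinding CreateIssuedTokenBinding()
    {
        var binding = new WS2007HttpBinding();
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;

        // Default is true, which makes WCF open a secure-conversation session first
        // (the RST/SCT action seen in the post's error). Disable it so the issued token
        // is carried on the RST itself.
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    // Exchanges the bootstrap token from the IdP for a token scoped to the relying party.
    public static SecurityToken RequestDelegatedToken(SecurityToken intermediateToken)
    {
        // "Mixed" endpoint = transport security plus message-level client credential (from the post).
        var endpoint = new EndpointAddress(
            "https://idp.geneva.local/Trust/13/IssuedTokenMixedSymmetricBasic256");

        var client = new FedWSTrustClient(CreateIssuedTokenBinding(), endpoint, intermediateToken);

        // Pin the STS signing certificate so the response signature can be verified.
        // With a symmetric proof key the request is signed with the token's proof key,
        // so no client certificate is configured here.
        client.ClientCredentials.ServiceCertificate.DefaultCertificate =
            CertificateUtility.GetCertificate(/* idp signing certificate, as in the post */);
        client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        // Revocation checking stays on; the post's NoCheck is a lab-only setting.
        client.ClientCredentials.ServiceCertificate.Authentication.RevocationMode =
            X509RevocationMode.Online;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypeConstants.Issue,
            AppliesTo = new EndpointAddress("http://sp/activerp")
        };
        return client.Issue(rst);
    }
}
```

In a lab with a self-signed STS certificate, ChainTrust with online revocation will fail before any token exchange happens; if that is the case, use the post's PeerOrChainTrust/NoCheck pair for the test and restore the stricter settings before the client leaves the lab. The binding change is the part that relates to the quoted RST/SCT error; the certificate settings only affect validation of the STS response.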