This is a duplicate of a question that I posted in the old forum (http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=3508291&SiteID=1).
I am in the process of developing an offline application and web service for our client. Our client has a single sign-on web application (not a web service). Using web requests from our application I am able to authenticate, strip out the SAML Response and import the nested SAML Assertion into the .NET SAML Assertion object. This is as far as I have got.
I have read the Microsoft article on creating a SAML Token Provider under their Security Extensibility Samples (http://msdn.microsoft.com/en-us/library/aa355062.aspx), which states:
"This sample shows how to build a custom token provider that allows a SAML token obtained from outside of the WCF client framework to be used."
I have downloaded the sample, which works fine, but as soon as I replace their SAML Assertion with mine (I am signing the SAML Assertion with the same certificates as the sample code) it breaks. The following shows the SAML Assertions from my code and from theirs, taken from the WCF trace log, as well as the exception on the server.
My SAML Assertion
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_35572fa0-d93f-4154-ac62-e8a80aa7b55c" Issuer="urn:source-site" IssueInstant="2008-06-18T15:54:23.000Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-06-18T14:54:23.000Z" NotOnOrAfter="2008-06-18T16:54:23.000Z"></saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2008-06-18T15:54:23.000Z">
    <saml:Subject>
      <saml:NameIdentifier>
        <!--Removed-->
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier>
        <!--Removed-->
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="FirstName" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="LastName" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Email" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Roles" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="AdditionalVariables" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="COMPANY" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="COUNTRY" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="GROUPS" AttributeNamespace="http://wibble.wobble.foo">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
      <Reference URI="#_35572fa0-d93f-4154-ac62-e8a80aa7b55c">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
        <DigestValue>iu0M33dKGm7SobDJW04kRK4J24g=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AaDxT3yeNEQOMjqHzok8LVsWgxSk6Rh69BXN/gOI7qLg9sq3khuJPCN2Z5gWSy2pb2acS9uo3k2wiyRHdXj6BBeLpqqhaip+Q1XeydWXHxXwbqVt2XuYKxw6xQWQ5RfQU4Ye5Qe0PAVno/Hvwcv53w6Tk0d3DtZO1akWzUpAsaM=</SignatureValue>
    <KeyInfo>
      <o:SecurityTokenReference>
        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">3O94adHKU7nZLjDf1N3RcRvEpVk=</o:KeyIdentifier>
      </o:SecurityTokenReference>
    </KeyInfo>
  </Signature>
</saml:Assertion>
SAML Assertion generated by the sample code
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_6d0d5060-35bf-43e7-97a6-d8bf6b7fed9f" Issuer="Self" IssueInstant="2008-06-18T15:53:20.029Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-06-18T15:53:20.029Z" NotOnOrAfter="2008-06-19T01:53:20.029Z"></saml:Conditions>
  <saml:Advice></saml:Advice>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier>
        <!--Removed-->
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            </e:EncryptionMethod>
            <KeyInfo>
              <o:SecurityTokenReference>
                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">5kj0P0nAYVoZArc+F3ga7rUkxWw=</o:KeyIdentifier>
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue>mMlUF14mOrK2wUB5JDCkJ0jxT8E9/0uH6NevNwW9B6ClRcSrUKOA4eLjNOqCtpjWEGgivlEIUEbZhAEqRaxlN7VD7kQH+8I3FYHf9fsags85x3bdENfsypqSZcihcJllF6O9eBoOEBtVNBeEihc2aOL1588sAsWIAjqlVzx6Q4E=</e:CipherValue>
            </e:CipherData>
          </e:EncryptedKey>
        </KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>
        <!--Removed-->
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
      <Reference URI="#_6d0d5060-35bf-43e7-97a6-d8bf6b7fed9f">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
        <DigestValue>dXSAYD/bv7og75lUe1a2oW31/ZQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>GqLfHC4RVkTyb9vyQ/tP38z1KmWOb4AhlSLHH0WFfAWJEcE89H/rbdIcf4TO1cxrOuKyrKLUEtsMiWTDcQHhjah0Gdc9xgOyBI11VhN2fA3C8TNZKzyHhZsKnYunFdXmH5W4W76e4xNK2+1o7gu25kQFMCKBao4XCUOLUY/PR/M=</SignatureValue>
    <KeyInfo>
      <o:SecurityTokenReference>
        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">3O94adHKU7nZLjDf1N3RcRvEpVk=</o:KeyIdentifier>
      </o:SecurityTokenReference>
    </KeyInfo>
  </Signature>
</saml:Assertion>
Server exception
<ExceptionType>System.IdentityModel.Tokens.SecurityTokenException, System.IdentityModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The AudienceUri in the SamlAssertion cannot be validated. This can be resolved by making configuration changes to the 'issuedTokenAuthentication' element in the 'serviceBehaviors' section. You can add valid uris using the 'allowedAudienceUris' element. This check can also be changed using the 'audienceUriMode' attribute. At runtime setting the IssuedTokenAuthentication object's properties: AllowedAudienceUris and AudienceUriMode will have similar results.</Message>
The exception on the server seems to be self-explanatory, but I don't fully understand it, so if someone could either tell me what I am doing wrong or point me at some text which explains how to change the config (and what the change actually does) I would be most grateful.
Bro Num
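The exception names the two knobs involved: the assertion must carry an AudienceRestrictionCondition naming the service, and the service's issuedTokenAuthentication credential must list that same URI (or have its audience check turned down). The following is an added C# example, not code from the post or the MSDN sample; the audience URI http://localhost/SamlService, the class and method names are assumptions, and it assumes the assertion is still mutable (built or rebuilt in the custom token provider before it is signed, since a deserialized, read-only assertion cannot be changed and a signed one must not be).

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical helper; names are assumptions, the APIs are the .NET 3.0 System.IdentityModel / WCF ones.
static class AudienceRestrictionHelper
{
    // Client side (custom token provider): add an AudienceRestrictionCondition before the
    // assertion is signed. The signature covers the whole assertion, so adding it afterwards
    // would break the signature; adding it to a read-only (deserialized) assertion throws.
    public static SamlAssertion AddAudience(SamlAssertion assertion, Uri serviceAudience)
    {
        if (assertion.IsReadOnly)
            throw new InvalidOperationException("Assertion is read-only; rebuild it before adding conditions.");

        if (assertion.Conditions == null)
            assertion.Conditions = new SamlConditions();   // no NotBefore/NotOnOrAfter set here

        assertion.Conditions.Conditions.Add(
            new SamlAudienceRestrictionCondition(new[] { serviceAudience }));
        return assertion;
    }

    // Service side: the runtime equivalent of
    //   <serviceCredentials>
    //     <issuedTokenAuthentication audienceUriMode="Always">
    //       <allowedAudienceUris><add allowedAudienceUri="http://localhost/SamlService"/></allowedAudienceUris>
    //     </issuedTokenAuthentication>
    //   </serviceCredentials>
    // AudienceUriMode.Never would silence the exception but lets any valid token from the
    // issuer be replayed against this service; keep Always (or BearerKeyOnly) and list the URI.
    public static void ConfigureAudience(ServiceHost host, Uri serviceAudience)
    {
        IssuedTokenServiceCredential issued = host.Credentials.IssuedTokenAuthentication;
        issued.AudienceUriMode = AudienceUriMode.Always;
        issued.AllowedAudienceUris.Add(serviceAudience.AbsoluteUri);
    }
}
```

Both sides must agree on the exact string: the URI written into the assertion is compared against the AllowedAudienceUris entries, so a trailing slash or scheme difference makes validation fail with the same message.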