 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / February 2006WSE3 SAML Getting Principal/Identity from service
I've implemented the SAML token service according to the STS SAML quickstart, and I've got my STS working and services secured properly. I'm curious as to how I can retrieve my principal and roles from the secured service itself. All references to principal are null, I've checked in the IdentityToken (which is a SecurityContextToken) and the Security.Elements MessageSignature. Is there a step I'm missing here to pull back the principal? Thanks much, Max Newbould Hi Max, The base token for the SecurityContextToken should be a SAML token and the SAML should contain a Principal. Could you confirm that ? Regards, Pablo Cibraro http://weblogs.asp.net/cibrax http://www.lagash.com > I've implemented the SAML token service according to the STS SAML > quickstart, and I've got my STS working and services secured properly. [quoted text clipped - 6 lines] > Thanks much, > Max Newbould Hi Pablo, Thanks for replying. Here's what I'm getting from the secured service end: ? RequestSoapContext.Current.IdentityToken {Microsoft.Web.Services3.Security.Tokens.SecurityContextToken} [Microsoft.Web.Services3.Security.Tokens.SecurityContextToken]: {Microsoft.Web.Services3.Security.Tokens.SecurityContextToken} AttachedReference: {System.Security.Cryptography.Xml.KeyInfo} Id: "SecurityToken-a86ef263-7f67-4353-b886-c7a39a1af7a4" Identity: null IsCurrent: true IsExpired: false Key: {Microsoft.Web.Services3.Security.Cryptography.AES256} KeyIdentifier: null Principal: null RequiresRenewal: false SupportsDataEncryption: true SupportsDigitalSignature: true TokenType: "http://schemas.xmlsoap.org/ws/2005/02/sc/sct" UnattachedReference: {System.Security.Cryptography.Xml.KeyInfo} (The following fails even with casting IdentityToken to SecurityContextToken) ? RequestSoapContext.Current.IdentityToken.BaseToken == null 'Microsoft.Web.Services3.Security.Tokens.SecurityToken' does not contain a definition for 'BaseToken' ? ((MessageSignature)RequestSoapContext.Current.Security.Elements[1]).SigningToken {Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken} [Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken]: {Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken} AttachedReference: {System.Security.Cryptography.Xml.KeyInfo} Id: "SecurityToken-65dd12c3-97c7-49e3-a29e-00bb1314012a" Identity: null IsCurrent: true IsExpired: false Key: {Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken.Psha1SymmetricKeyAlgorithm} KeyIdentifier: null Principal: null RequiresRenewal: false SupportsDataEncryption: false SupportsDigitalSignature: true TokenType: "http://schemas.xmlsoap.org/ws/2005/02/sc/dk" UnattachedReference: null > Hi Max, > The base token for the SecurityContextToken should be a SAML token and the [quoted text clipped - 16 lines] > > Thanks much, > > Max Newbould I think it must be a bug when you enable secure conversation between the client and the service. Regards, Pablo. > Hi Pablo, > Thanks for replying. [quoted text clipped - 68 lines] >> > Thanks much, >> > Max Newbould If such a bug exists, it would seem the SAML STS QuickStart would be mostly useless. I'm sure someone would have required roles and identity to be checked on the service end... Hi, Yes, it is a bug. I can give you a quick fix to solve that problem. You have to add a line to this method "ServiceInputClass.ValidateMessageSecurityMethod()" (PolicyAssertion.cs). Replace the following lines of code : if (!trusted) { throw new InvalidOperationException(Resources.UntrustedSTS); } envelope.Context.OperationState.Set(samlToken); envelope.Context.IdentityToken = samlToken; By: if (!trusted) { throw new InvalidOperationException(Resources.UntrustedSTS); } envelope.Context.Credentials.UltimateReceiver.SetClientToken<SamlToken>(samlToken); //Added this line envelope.Context.OperationState.Set(samlToken); envelope.Context.IdentityToken = samlToken; Regards, Pablo Cibraro http://weblogs.asp.net/cibrax http://www.lagash.com > If such a bug exists, it would seem the SAML STS QuickStart would be > mostly useless. I'm sure someone would have required roles and > identity to be checked on the service end... Awesome Pablo! I appreciate your time and have found your blog useful in researching this implementation. I'll give it a crack and let you know. Cheers, Max Excellent, I've got my proof of concept working to present this afternoon. Can't thank you enough for your help. Cheers
Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.