.NET Forum / ASP.NET / Web Services / February 2006
Handling a token outside a WSSE header?

dustin.breese - 22 Feb 2006 19:25 GMT
I am using an XML security gateway to dynamically add a SAML
authentication token to the SOAP header as the message arrives.  The
difference between the way the gateway adds it and the way the STS
QuickStart does it is that the gateway adds it to the SOAP header
OUTSIDE the ws-security element, while the STS QuickStart adds it inside
the ws-security element.

Dirty diagram: WSE Client -- (signed request) -->Gateway (verifies
authentication, adds SAML token) --> WSE Web Service (needs to obtain
SAML token)

For example, the gateway creates:

<soap:Header>
 <saml:Assertion ... />
 <wsse:Security ... />
</soap:Header>

While the STS quick start creates:
<soap:Header>
  <wsse:Security>
     <saml:Assertion .../>
  </wsse:Security>
</soap:Header>

It seems, from experience and by reading the
<securityTokenManager><add/></securityTokenManager> documentation, that
WSE will only handle tokens wrapped inside the wsse:Security element.

My web.config has the following, but the custom token manager is never
invoked:
<securityTokenManager>
  <add localName="Assertion"
       namespace="urn:oasis:names:tc:SAML:1.0:assertion"
       type="Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion.SamlTokenManager,
             Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion"/>
</securityTokenManager>

Here's a sample header that the gateway is creating for me, showing the
SAML token outside the WS-Security element:
<soap:Header>
  <wsse:Security soap:mustUnderstand="1" ... >
    <!-- bunch of boring stuff -->
  </wsse:Security>

  <saml:Assertion
      AssertionID="id-c7f853799a470c7b6154298e4981cce9bb9d27a0"
      IssueInstant="2006-02-22T18:29:37.191Z"
      Issuer="http://www.forumsys.com/sentry" MajorVersion="1"
      MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2006-02-22T18:29:37.191Z"
                     NotOnOrAfter="2006-02-22T18:39:37.191Z"/>
    <saml:AuthenticationStatement
        AuthenticationInstant="2006-02-22T18:29:37.191Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dustin.breese@somewhere.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</soap:Header>

The only way I can see that we can process the gateway version above is to
manually invoke my custom token manager inside a policy assertion by
parsing the SAML token from the header manually.

Am I correct in this understanding?

Thanks in advance,
Dustin
Pablo Cibraro - 22 Feb 2006 20:24 GMT
Hi Dustin,
Your approach is correct; a custom policy assertion is the only way to load
the SAML token in that case.
I am wondering why you need to have the SAML token outside of the
Security element. Your solution won't interoperate well with other
platforms, for example an Indigo service.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

dustin.breese - 22 Feb 2006 23:41 GMT
Since we are using a gateway device, we are at the mercy of the vendor on
this.  I will speak with them and see if there is an alternative.

I am able to parse the SAML token via the following code (I'm sure
there's a better way of doing it!):

using System.Collections;
using System.Xml;
using Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion;

// The assertion sits outside wsse:Security, so search the whole envelope
// for it by local name and namespace, then hand it to the quickstart's
// token manager.
SamlTokenManager stm = new SamlTokenManager();
XmlNodeList samlNodes = envelope.GetElementsByTagName("Assertion",
    "urn:oasis:names:tc:SAML:1.0:assertion");

IEnumerator snEnum = samlNodes.GetEnumerator();
snEnum.MoveNext();   // take the first (and only expected) saml:Assertion

XmlNode samlNode = (XmlNode)snEnum.Current;

samlToken = (SamlToken)stm.LoadTokenFromXml((XmlElement)samlNode);

However, now the SamlToken class which comes with the STS Quick Start
is complaining that the signature doesn't exist when it does the
following in the SamlToken.VerifyTokenSignature() method:
    _signingToken =
        SecurityTokenManager.GetTokenFromKeyInfo(signedXml.KeyInfo);

I'll keep playing around.  I think the next layer of the "onion" is to
understand what the GetTokenFromKeyInfo() is attempting to do.

Thanks,
Dustin
Pablo Cibraro - 23 Feb 2006 13:49 GMT
Hi Dustin,
I can see the problem: the SAML token doesn't contain the signature created
by the STS.

It should have a Signature element after the AuthenticationStatement
element. Perhaps you forgot to include that part in the message before
sending it to the service.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
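The thread leaves two things implicit: a filter can simply search the whole header for saml:Assertion (which covers both the gateway layout and the STS QuickStart layout), and an assertion that carries no ds:Signature, or whose signature does not reference the assertion itself, must be rejected rather than merely "fail to load". The following is an added example written for this page; it is not code from the thread, from WSE 3.0, or from the STS QuickStart. It assumes WSE 3.0's PolicyAssertion/SoapFilter types, that the gateway (or STS) signs assertions with a certificate you already have on disk (the path is hypothetical), and that the SAML 1.x AssertionID attribute is what the signature's Reference URI points at.

```csharp
// Added example, not part of the original thread or the WSE quickstart.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Web.Services.Protocols;
using System.Xml;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;

// SignedXml only resolves Id/id/ID attributes, but SAML 1.x uses AssertionID,
// so a Reference URI="#<AssertionID>" would otherwise fail to resolve.
public class SamlSignedXml : SignedXml
{
    public SamlSignedXml(XmlElement assertion) : base(assertion) { }
    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement e = base.GetIdElement(document, idValue);
        if (e != null) return e;
        XmlNamespaceManager ns = new XmlNamespaceManager(document.NameTable);
        ns.AddNamespace("saml", SamlHeaderFilter.SamlNs);
        return document.SelectSingleNode(
            "//saml:Assertion[@AssertionID='" + idValue + "']", ns) as XmlElement;
    }
}

public class SamlHeaderFilter : SoapFilter
{
    public const string SamlNs = "urn:oasis:names:tc:SAML:1.0:assertion";
    private readonly X509Certificate2 issuerCert;
    public SamlHeaderFilter(X509Certificate2 issuerCert) { this.issuerCert = issuerCert; }

    public override SoapFilterResult ProcessMessage(SoapEnvelope envelope)
    {
        XmlElement assertion = ValidateAssertion(envelope.Header, issuerCert, DateTime.UtcNow);
        // Only now is it safe to hand the element to a token manager such as the
        // quickstart's SamlTokenManager.LoadTokenFromXml and build an identity from it.
        return SoapFilterResult.Continue;
    }

    // Returns the verified assertion element or throws a SOAP client fault.
    public static XmlElement ValidateAssertion(XmlElement header, X509Certificate2 issuerCert, DateTime now)
    {
        if (header == null) throw Fault("SOAP header missing");
        // Search the whole header, so the assertion is found whether it is a sibling
        // of wsse:Security (gateway layout) or nested inside it (STS QuickStart layout).
        XmlNodeList found = header.GetElementsByTagName("Assertion", SamlNs);
        if (found.Count != 1) throw Fault("expected exactly one saml:Assertion, found " + found.Count);
        XmlElement assertion = (XmlElement)found[0];

        string id = assertion.GetAttribute("AssertionID");
        XmlNodeList sigs = assertion.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (id.Length == 0 || sigs.Count != 1) throw Fault("assertion is unsigned or has no AssertionID");

        SamlSignedXml signedXml = new SamlSignedXml(assertion);
        signedXml.LoadXml((XmlElement)sigs[0]);
        // The signature must cover this assertion, not some other element that was
        // smuggled into the message next to a valid signature (signature wrapping).
        bool coversAssertion = false;
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri == "#" + id) coversAssertion = true;
        if (!coversAssertion) throw Fault("signature does not reference the assertion");
        // Verify against the issuer key we already trust; never take the key from ds:KeyInfo.
        if (!signedXml.CheckSignature(issuerCert, true)) throw Fault("bad assertion signature");

        XmlNamespaceManager ns = new XmlNamespaceManager(assertion.OwnerDocument.NameTable);
        ns.AddNamespace("saml", SamlNs);
        XmlElement cond = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (cond == null || cond.GetAttribute("NotBefore").Length == 0
            || cond.GetAttribute("NotOnOrAfter").Length == 0)
            throw Fault("assertion has no usable Conditions");
        DateTime notBefore = XmlConvert.ToDateTime(cond.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc);
        DateTime notOnOrAfter = XmlConvert.ToDateTime(cond.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
        TimeSpan skew = TimeSpan.FromMinutes(2);   // tolerate gateway/service clock drift
        if (now + skew < notBefore || now - skew >= notOnOrAfter)
            throw Fault("assertion outside its validity window");
        return assertion;
    }

    private static SoapException Fault(string msg)
    {
        return new SoapException("SAML assertion rejected: " + msg, SoapException.ClientFaultCode);
    }
}

// Policy assertion that hooks the filter into the service-side input pipeline.
// Register it under <extensions> in the policy file and reference it as <samlHeader/>.
public class SamlHeaderAssertion : PolicyAssertion
{
    public override SoapFilter CreateClientInputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateClientOutputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateServiceOutputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateServiceInputFilter(FilterCreationContext context)
    {
        // Hypothetical path: the gateway's signing certificate, distributed out of band.
        return new SamlHeaderFilter(new X509Certificate2(@"C:\certs\gateway-signing.cer"));
    }
}
```

Two points worth keeping in mind with this layout. First, because the assertion lives outside wsse:Security, nothing in WSE's own security pipeline binds it to the request, so the filter's signature check is the only thing standing between an attacker who can reach the service directly and an unauthenticated identity claim; the service should also be reachable only from the gateway. Second, the sample assertion uses the sender-vouches confirmation method, which carries no key for the subject: the service is trusting the issuer's signature, and nothing else, for who the caller is, which is exactly why an assertion without a Signature element has to be refused.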

©2008 Advenet LLC   Privacy Policy - Terms of Use