.NET Forum / ASP.NET / Web Services / July 2006

Using WSE 3.0 SAML Quickstart w/o Installing Certs

Ian Pitt - 20 Jul 2006 18:28 GMT
I've set up the SAML STS Quickstart to have the Token Issuer server use
Username & Password over SSL.  The SampleService still uses the SAML token
returned by the Token Issuer.

I did this so as to avoid installing x509 certificates on the client's
machine.

However, it does not seem to work.  It appears that the SamlAssertion
routines require the 'SAML Authority' certificate to be present in the Local
Machine store.

Is there any way to work around this?  Preferably not requiring the clients
to install any certificate.

Or, is there a way to install the certificate easily using ClickOnce, since
that is how I'm distributing the client software?

Regards,
Ian

Ian Pitt
Cogent Data Systems
201-652-2727
www.CogentDataSystems.com

Pablo Cibraro - 21 Jul 2006 15:53 GMT
Hi Ian,

You are right, the SAML authority certificate is required because the client
verifies the signature in the SAML token using that certificate (to verify
that the token comes from the right STS and nobody tampered with it).

1. Modify the SAML quickstart code to avoid the signature verification on
the client (The validation will be performed on the service anyway).
2. This approach does not work if you are using the SAML token to encrypt or
sign the messages (You will have to use SAML token over SSL). You can remove
the SAML token manager definition from the client configuration file, so the
client will see the SAML token as an opaque token (IssuedToken) and no
validations will be performed.

Sorry, I am not sure how to deploy certificates with ClickOnce.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

> I've set up the SAML STS Quickstart to have the Token Issuer server use
> Username & Password over SSL.  The SampleService still uses the SAML token
[quoted text clipped - 18 lines]
> Regards,
> Ian
Ian Pitt - 25 Jul 2006 19:02 GMT
Thanks for your reply.

1. If I implemented option 1, I take it I would have to maintain two
separate code bases for the SAML routines, since both the client and
service seem to call into the same routines.  Is that correct?  Or, would it
be possible to somehow identify who is calling?

2. If I remove the SAML info from the config file for the client, how will
it be able to communicate with the Service?  Since the Service is expecting
a SAML token.

Finally, I did manage to deploy the certificate by building a Custom
Prerequisite for ClickOnce.  It works if the user clicks install on the
publish.htm page and if they have admin access since the certificate needs
to be installed in the Local Machine store.

Which brings up another issue, why isn't the certificate looked for in the
Current User store?

> Hi Ian,
>
[quoted text clipped - 38 lines]
> > Regards,
> > Ian
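The check Pablo describes (the client verifying the token's signature with the SAML Authority certificate) and Ian's question about the Current User store, as an added illustration that is not code from the WSE quickstart or from either poster. It assumes a SAML 1.1 assertion (signed element identified by its AssertionID attribute), that the authority certificate is installed in the TrustedPeople store, and that it is located by a thumbprint the caller supplies; the store lookup tries Current User before Local Machine, so a per-user install also works.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignedXml resolves "#id" references via Id/id/ID attributes only, so SAML 1.1's
// AssertionID attribute needs this override or signature verification fails.
class SamlSignedXml : SignedXml
{
    public SamlSignedXml(XmlElement assertion) : base(assertion) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        return document.SelectSingleNode("//*[@AssertionID='" + idValue + "']") as XmlElement
               ?? base.GetIdElement(document, idValue);
    }
}

static class SamlTokenCheck
{
    // Look for the SAML Authority certificate in the Current User store first, then
    // Local Machine (assumed: TrustedPeople store, located by thumbprint).
    public static X509Certificate2 FindAuthorityCert(string thumbprint)
    {
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.TrustedPeople, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                if (found.Count > 0) return found[0];
            }
            finally { store.Close(); }
        }
        return null;
    }

    // Verify the enveloped signature on the assertion with the trusted authority key only;
    // a KeyInfo embedded in the token is never used, so a re-signed token is rejected.
    public static bool VerifyAssertion(XmlDocument tokenDoc, X509Certificate2 authority)
    {
        var nsm = new XmlNamespaceManager(tokenDoc.NameTable);
        nsm.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
        nsm.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        var assertion = tokenDoc.SelectSingleNode("//saml:Assertion", nsm) as XmlElement;
        var signature = assertion?.SelectSingleNode("ds:Signature", nsm) as XmlElement;
        if (assertion == null || signature == null || authority == null) return false;
        var signed = new SamlSignedXml(assertion);
        signed.LoadXml(signature);
        return signed.CheckSignature(authority, true);
    }
}
```

Removing the client's SAML token manager, as in Pablo's option 2, skips this check on the client entirely, so the service must still perform it.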

©2008 Advenet LLC   Privacy Policy - Terms of Use