@pkarneliuk
Created May 4, 2017 11:33
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;
using System.Threading.Tasks;
using System.Collections.Specialized;
using System.IO;
using System.Web.Script.Serialization;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Metadata;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Protocols.WSTrust;
using System.ServiceModel.Dispatcher;
using WSTrustChannelFactory = System.ServiceModel.Security.WSTrustChannelFactory;
using RequestSecurityToken = System.IdentityModel.Protocols.WSTrust.RequestSecurityToken;
using WSTrustChannel = System.ServiceModel.Security.WSTrustChannel;
namespace SAML_Example
{
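/// <summary>
/// Minimal WS-Trust 1.3 client that asks a Kerberos-protected STS (the gist targets a
/// PingFederate <c>sts.wst</c> endpoint) for a bearer SAML 2.0 token scoped to
/// <c>appliesTo</c> and prints the raw assertion XML.
/// </summary>
class SAML_Example
{
    /// <summary>STS endpoint used when the caller does not supply one.</summary>
    private const string DefaultStsEndpoint = "https://ping.cluster.dom:9031/idp/sts.wst?TokenProcessorId=Kerberos";
    // Alternative endpoint the original author tried (AD FS, WS-Trust 1.3, Kerberos mixed mode):
    // "https://adfs.cluster.dom/adfs/services/trust/13/kerberosmixed"

    static void Main(string[] args)
    {
        // Relying party the token is issued for; the application's SAML login
        // endpoint below it is appliesTo + "/api/v1/session/saml-login".
        var appliesTo = "https://epbyminw1035t1";
        try
        {
            string samlToken = GetSamlClaimWSTrustKRB(appliesTo);
            // A bearer assertion is a credential in its own right; this sample
            // writes it to stdout for inspection only.
            Console.WriteLine(samlToken);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex);
        }
    }

    /// <summary>
    /// Requests a bearer SAML 2.0 assertion for <paramref name="appliesTo"/> from the STS over
    /// a Kerberos WS-Trust binding and returns the assertion as XML text.
    /// </summary>
    /// <param name="appliesTo">Relying-party identifier placed in the RST's AppliesTo element.</param>
    /// <param name="credential">Windows credential presented to the STS. When null the process's
    /// current Windows identity (<see cref="CredentialCache.DefaultNetworkCredentials"/>) is used,
    /// which is what a Kerberos binding normally expects; the original sample hard-coded a
    /// username/password pair in source here instead.</param>
    /// <param name="stsEndpoint">STS URL; defaults to <see cref="DefaultStsEndpoint"/>.</param>
    /// <param name="allowUntrustedServerCertificate">When true, every server certificate is accepted
    /// process-wide (the original sample did this unconditionally). Leave false outside a lab:
    /// with it on, the Kerberos credential and the issued token are exposed to anyone able to
    /// interpose on the TLS connection.</param>
    /// <returns>The OuterXml of the issued token.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="appliesTo"/> is null.</exception>
    /// <exception cref="InvalidOperationException">The STS returned something other than a
    /// <see cref="GenericXmlSecurityToken"/>.</exception>
    public static string GetSamlClaimWSTrustKRB(
        string appliesTo,
        NetworkCredential credential = null,
        string stsEndpoint = DefaultStsEndpoint,
        bool allowUntrustedServerCertificate = false)
    {
        if (appliesTo == null)
        {
            throw new ArgumentNullException("appliesTo");
        }

        if (allowUntrustedServerCertificate)
        {
            // Process-wide and not undone afterwards: this switches off server certificate
            // validation for every HTTPS call in the AppDomain, not just this one. Only
            // acceptable against a lab STS with a self-signed certificate.
            ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
        }

        var ep = new EndpointAddress(new Uri(stsEndpoint));

        // Kerberos binding for WS-Trust 1.3 messaging: TLS on the transport, the Windows
        // credential inside the message. A bearer token carries no proof key, so RSA
        // proof keys are off.
        var binding = new KerberosWSTrustBinding()
        {
            SecurityMode = SecurityMode.TransportWithMessageCredential,
            TrustVersion = TrustVersion.WSTrust13,
            EnableRsaProofKeys = false
        };

        WSTrustChannelFactory factory = null;
        WSTrustChannel channel = null;
        try
        {
            factory = new WSTrustChannelFactory(binding, ep);
            factory.Credentials.Windows.ClientCredential = credential ?? CredentialCache.DefaultNetworkCredentials;
            // Never show a credential prompt; fail the call instead.
            factory.Credentials.SupportInteractive = false;

            channel = (WSTrustChannel)factory.CreateChannel();

            var rst = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                AppliesTo = new EndpointReference(appliesTo),
                KeyType = KeyTypes.Bearer,
                TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.Saml2TokenProfile11
            };

            Console.WriteLine("Attempting to retrieve SAML assertion");
            var token = channel.Issue(rst) as GenericXmlSecurityToken;
            if (token == null)
            {
                // The original dereferenced the 'as' result unchecked and would have surfaced
                // a NullReferenceException here; report the actual problem instead.
                throw new InvalidOperationException("STS did not return a GenericXmlSecurityToken for " + appliesTo);
            }
            Console.WriteLine("Successfully retrieved SAML assertion");
            return token.TokenXml.OuterXml;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Exception: " + ex.Message);
            Console.WriteLine("Exception: " + ex.InnerException);
            // 'throw;' preserves the stack trace; the original 'throw ex;' reset it.
            throw;
        }
        finally
        {
            // Close() on a faulted WCF object throws and would mask the real exception,
            // so shut both objects down through the Close-or-Abort helper.
            CloseOrAbort(channel);
            CloseOrAbort(factory);
        }
    }

    /// <summary>
    /// Closes a WCF communication object, falling back to <see cref="ICommunicationObject.Abort"/>
    /// when it is already faulted or when Close itself fails, so that cleanup never throws.
    /// </summary>
    /// <param name="communicationObject">Channel or factory to shut down; null is ignored.</param>
    private static void CloseOrAbort(ICommunicationObject communicationObject)
    {
        if (communicationObject == null)
        {
            return;
        }
        try
        {
            if (communicationObject.State == CommunicationState.Faulted)
            {
                communicationObject.Abort();
            }
            else
            {
                communicationObject.Close();
            }
        }
        catch (CommunicationException)
        {
            communicationObject.Abort();
        }
        catch (TimeoutException)
        {
            communicationObject.Abort();
        }
    }
}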
}
@pkarneliuk

pkarneliuk commented May 4, 2017

The response is:

HTTP/1.1 401 HTTP Basic Authentication Required
Date: Thu, 04 May 2017 11:22:17 GMT
Content-Security-Policy: referrer origin
WWW-Authenticate: Basic realm="PingFederate"
Content-Type: text/html;charset=utf-8
Cache-Control: must-revalidate,no-cache,no-store
Set-Cookie: PF=7aswVjz9EXgo7BssGKZnmU;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 1817
Connection: close

<title>Error</title>
<!-- 
 if there is a logo present in the 'company-logo' container,
 then 'has-logo' class should be added to 'ping-header' container.
 -->
<div class="ping-header">
    <span class="company-logo"><!-- client company logo here --></span>
    Error
</div><!-- .ping-header -->

<div class="ping-body-container">
    <div class="section-title">
        Oops
    </div>
    <div class="ping-messages ping-nopad">
        <div>
            Looks like something is not right. Please contact your administrator.
        </div>
        <div class="ping-note-text">
            401 - HTTP Basic Authentication Required
        </div>
    </div>
</div> <!-- .ping-body-container -->

<div class="ping-footer-container">
    <div class="ping-footer">
        <div class="ping-credits"></div>
        <div class="ping-copyright">Copyright © 2003-2017. Ping Identity Corporation. All rights reserved.</div>
    </div> <!-- .ping-footer -->
</div> <!-- .ping-footer-container -->

@pkarneliuk

In server.log I see:

2017-05-04 14:49:10,712 INFO [org.sourceid.wstrust.bindings.WsTrustBasicAuthFilter] WST request: uri=/idp/sts.wst, remote-ip=10.6.84.57, authentication-success=false
