-
-
Save pkarneliuk/e80e1a3be2fc6016f20f8bd494b9f0c4 to your computer and use it in GitHub Desktop.
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Net; | |
| using System.ServiceModel; | |
| using System.ServiceModel.Security; | |
| using System.ServiceModel.Channels; | |
| using System.ServiceModel.Description; | |
| using System.IdentityModel; | |
| using System.IdentityModel.Protocols.WSTrust; | |
| using System.IdentityModel.Tokens; | |
| using Microsoft.IdentityModel.Protocols.WSTrust.Bindings; | |
| using Microsoft.IdentityModel.Protocols.WSTrust; | |
| using System.ServiceModel.Dispatcher; | |
| using WSTrustChannelFactory = System.ServiceModel.Security.WSTrustChannelFactory; | |
| using RequestSecurityToken = System.IdentityModel.Protocols.WSTrust.RequestSecurityToken; | |
| using WSTrustChannel = System.ServiceModel.Security.WSTrustChannel; | |
| namespace SAML_Example | |
| { | |
| class SAML_Example | |
| { | |
| static void Main(string[] args) | |
| { | |
| var appliesTo = "https://epbyminw1035t1"; | |
| var dmsPath = "/api/v1/session/saml-login"; | |
| var relyingpartyEndpoint = appliesTo + dmsPath; | |
| try | |
| { | |
| string samlToken = GetSamlClaimWSTrustKRB(appliesTo); | |
| Console.WriteLine(samlToken); | |
| } | |
| catch (Exception ex) | |
| { | |
| Console.WriteLine(ex); | |
| } | |
| } | |
| public static string GetSamlClaimWSTrustKRB(string appliesTo) | |
| { | |
| // Allow all certificates | |
| ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true; | |
| var endpointAddress = "https://ping.cluster.dom:9031/idp/sts.wst?TokenProcessorId=Username"; | |
| EndpointAddress ep = new EndpointAddress(new Uri(endpointAddress)); | |
| UserNameWSTrustBinding binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential, HttpClientCredentialType.Basic); | |
| WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, ep); | |
| ClientCredentials clientCredentials = new ClientCredentials(); | |
| clientCredentials.UserName.UserName = "username"; // User, Password for http basic authentication | |
| clientCredentials.UserName.Password = "password"; | |
| factory.Endpoint.Behaviors.RemoveAll<ClientCredentials>();//Remove previous clientCredentials | |
| factory.Endpoint.EndpointBehaviors.Add(clientCredentials); | |
| factory.TrustVersion = TrustVersion.WSTrustFeb2005; | |
| factory.Credentials.SupportInteractive = false; | |
| WSTrustChannel channel = (WSTrustChannel)factory.CreateChannel(); | |
| var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointReference(appliesTo) }; | |
| rst.TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.OasisWssSaml2TokenProfile11; | |
| try | |
| { | |
| Console.WriteLine("Attempting to retrieve SAML assertion"); | |
| GenericXmlSecurityToken token = channel.Issue(rst) as GenericXmlSecurityToken; | |
| Console.WriteLine("Successfully retrieved SAML assertion"); | |
| return token.TokenXml.OuterXml; | |
| } | |
| catch (Exception ex) | |
| { | |
| Console.WriteLine("Exception: " + ex.Message); | |
| Console.WriteLine("InnerException: " + ex.InnerException); | |
| throw ex; | |
| } | |
| finally | |
| { | |
| factory.Close(); | |
| } | |
| } | |
| } | |
| } |
Case 3: no explicitly requested Token type in SOAP request
The response depends for the "DEFAULT TOKEN TYPE" value of WS-TRUST STS connection type.
In case "DEFAULT TOKEN TYPE" is SAML 1.1 the Ping Federate server returns correct
SOAP Response with SAML 1.1 assertion.
<wst13:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst13:TokenType>In case "DEFAULT TOKEN TYPE" is SAML 2.0 the Ping Federate server response is:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body>
<s:Fault>
<s:Code><soap:Value xmlns:soap="http://www.w3.org/2003/05/soap-envelope">soap:Receiver</soap:Value></s:Code>
<s:Reason>
<s:Text xsi:nil="true" xml:lang="en" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</s:Reason>
</s:Fault>
</s:Body>
</s:Envelope>I think it is a bug. Last lines from server.log are in next comment
server.log lines related to invalid response for request SAML token with configuration "DEFAULT TOKEN TYPE" SAML 2.0
2017-05-05 13:57:46,732 tid:b4oj4-qvyD5pGETX4amb1EUCfdY DEBUG [com.pingidentity.common.util.xml.XmlBeansUtil] parsing <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action><a:MessageID>urn:uuid:97409a4d-ccc4-429b-80bf-e63a5205f816</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">https://epbyminw1763t56.cluster.dom:9031/idp/sts.wst?TokenProcessorId=Username</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>2017-05-05T10:56:41.624Z</u:Created><u:Expires>2017-05-05T11:01:41.624Z</u:Expires></u:Timestamp><o:UsernameToken u:Id="uuid-b7a1ea51-53b2-42a8-a885-c85226676c63-1"><o:Username>viking</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">iManage#2</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">wsa:Addresshttps://epbyminw1035t1/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>trust:KeyTypehttp://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>trust:RequestTypehttp://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType></trust:RequestSecurityToken></s:Body></s:Envelope>
2017-05-05 13:57:46,778 tid:b4oj4-qvyD5pGETX4amb1EUCfdY INFO [org.sourceid.saml20.domain.mgmt.impl.PluginManagementSupport] Configuring plugin Username (com.pingidentity.pf.tokenprocessors.username.UsernameTokenProcessor)
2017-05-05 13:57:46,825 tid:b4oj4-qvyD5pGETX4amb1EUCfdY DEBUG [com.pingidentity.common.util.xml.XmlBeansUtil] parsing <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xTbm4oP5XDSyx1fAEFsUQ7Z2-aV" IssueInstant="2017-05-05T10:57:46.794Z" Version="2.0">saml:Issuerpfdefaultentityid</saml:Issuer>saml:Subject<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">viking</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2017-05-05T10:52:46.810Z" NotOnOrAfter="2017-05-05T11:27:46.810Z">saml:AudienceRestrictionsaml:Audiencewst</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2017-05-05T10:57:46.794Z" SessionIndex="xTbm4oP5XDSyx1fAEFsUQ7Z2-aV">saml:AuthnContextsaml:AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
2017-05-05 13:57:46,841 tid:b4oj4-qvyD5pGETX4amb1EUCfdY ERROR [org.apache.xml.security.encryption.XMLCipher] Key unexpectedly null...
Ping Federate 8.3.2.0 could not recognize token types generated by C# UserNameWSTrustBinding class in the snippet above.
In the same time the /adfs/services/trust/13/usernamemixed endpoint of ADFS can recognize these requests of specific SAML tokens.
Case 1: explicitly request SAML 1.1 assertion
some data from audit.log:
Case 2: explicitly request SAML 2.0 assertion
Similar SOAP response and entry in audit.log: