PingFederateWSTrustSTSUsernameProcessorREquest.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;

using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

using System.IdentityModel;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;

using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Protocols.WSTrust;

using System.ServiceModel.Dispatcher;

using WSTrustChannelFactory = System.ServiceModel.Security.WSTrustChannelFactory;
using RequestSecurityToken = System.IdentityModel.Protocols.WSTrust.RequestSecurityToken;
using WSTrustChannel = System.ServiceModel.Security.WSTrustChannel;

namespace SAML_Example
{
    class SAML_Example
    {

        static void Main(string[] args)
        {
            var appliesTo = "https://epbyminw1035t1";
            var dmsPath = "/api/v1/session/saml-login";
            var relyingpartyEndpoint = appliesTo + dmsPath;

            try
            {
                string samlToken = GetSamlClaimWSTrustKRB(appliesTo);
                Console.WriteLine(samlToken);
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }

        public static string GetSamlClaimWSTrustKRB(string appliesTo)
        {
            // Allow all certificates
            ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

            var endpointAddress = "https://ping.cluster.dom:9031/idp/sts.wst?TokenProcessorId=Username";

            EndpointAddress ep = new EndpointAddress(new Uri(endpointAddress));

            UserNameWSTrustBinding binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential, HttpClientCredentialType.Basic);
            WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, ep);
            ClientCredentials clientCredentials = new ClientCredentials();

            clientCredentials.UserName.UserName = "username"; // User, Password for http basic authentication
            clientCredentials.UserName.Password = "password";

            factory.Endpoint.Behaviors.RemoveAll<ClientCredentials>();//Remove previous clientCredentials
            factory.Endpoint.EndpointBehaviors.Add(clientCredentials);

            factory.TrustVersion = TrustVersion.WSTrustFeb2005;
            factory.Credentials.SupportInteractive = false;

            WSTrustChannel channel = (WSTrustChannel)factory.CreateChannel();

            var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointReference(appliesTo) };

            rst.TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.OasisWssSaml2TokenProfile11;

            try
            {
                Console.WriteLine("Attempting to retrieve SAML assertion");
                GenericXmlSecurityToken token = channel.Issue(rst) as GenericXmlSecurityToken;
                Console.WriteLine("Successfully retrieved SAML assertion");

                return token.TokenXml.OuterXml;
            }
            catch (Exception ex)
            {
                Console.WriteLine("Exception: " + ex.Message);
                Console.WriteLine("InnerException: " + ex.InnerException);
                throw ex;
            }
            finally
            {
                factory.Close();
            }
        }
    }
}

Case 3: no explicitly requested Token type in SOAP request
The response depends for the "DEFAULT TOKEN TYPE" value of WS-TRUST STS connection type.
In case "DEFAULT TOKEN TYPE" is SAML 1.1 the Ping Federate server returns correct
SOAP Response with SAML 1.1 assertion.

<wst13:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst13:TokenType>

In case "DEFAULT TOKEN TYPE" is SAML 2.0 the Ping Federate server response is:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body>
<s:Fault>
<s:Code><soap:Value xmlns:soap="http://www.w3.org/2003/05/soap-envelope">soap:Receiver</soap:Value></s:Code>
<s:Reason>
<s:Text xsi:nil="true" xml:lang="en" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</s:Reason>
</s:Fault>
</s:Body>
</s:Envelope>

I think it is a bug. Last lines from server.log are in next comment

server.log lines related to invalid response for request SAML token with configuration "DEFAULT TOKEN TYPE" SAML 2.0

2017-05-05 13:57:46,732 tid:b4oj4-qvyD5pGETX4amb1EUCfdY DEBUG [com.pingidentity.common.util.xml.XmlBeansUtil] parsing <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action><a:MessageID>urn:uuid:97409a4d-ccc4-429b-80bf-e63a5205f816</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">https://epbyminw1763t56.cluster.dom:9031/idp/sts.wst?TokenProcessorId=Username</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>2017-05-05T10:56:41.624Z</u:Created><u:Expires>2017-05-05T11:01:41.624Z</u:Expires></u:Timestamp><o:UsernameToken u:Id="uuid-b7a1ea51-53b2-42a8-a885-c85226676c63-1"><o:Username>viking</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">iManage#2</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">wsa:Addresshttps://epbyminw1035t1/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>trust:KeyTypehttp://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>trust:RequestTypehttp://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType></trust:RequestSecurityToken></s:Body></s:Envelope>
2017-05-05 13:57:46,778 tid:b4oj4-qvyD5pGETX4amb1EUCfdY INFO [org.sourceid.saml20.domain.mgmt.impl.PluginManagementSupport] Configuring plugin Username (com.pingidentity.pf.tokenprocessors.username.UsernameTokenProcessor)
2017-05-05 13:57:46,825 tid:b4oj4-qvyD5pGETX4amb1EUCfdY DEBUG [com.pingidentity.common.util.xml.XmlBeansUtil] parsing <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xTbm4oP5XDSyx1fAEFsUQ7Z2-aV" IssueInstant="2017-05-05T10:57:46.794Z" Version="2.0">saml:Issuerpfdefaultentityid</saml:Issuer>saml:Subject<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">viking</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2017-05-05T10:52:46.810Z" NotOnOrAfter="2017-05-05T11:27:46.810Z">saml:AudienceRestrictionsaml:Audiencewst</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2017-05-05T10:57:46.794Z" SessionIndex="xTbm4oP5XDSyx1fAEFsUQ7Z2-aV">saml:AuthnContextsaml:AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
2017-05-05 13:57:46,841 tid:b4oj4-qvyD5pGETX4amb1EUCfdY ERROR [org.apache.xml.security.encryption.XMLCipher] Key unexpectedly null...