using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;
using System.Threading.Tasks;
using System.Collections.Specialized;
using System.IO;
using System.Web.Script.Serialization;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Metadata;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Protocols.WSTrust;
using System.ServiceModel.Dispatcher;
using WSTrustChannelFactory = System.ServiceModel.Security.WSTrustChannelFactory;
using RequestSecurityToken = System.IdentityModel.Protocols.WSTrust.RequestSecurityToken;
using WSTrustChannel = System.ServiceModel.Security.WSTrustChannel;
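namespace SAML_Example
{
    /// <summary>
    /// Sample client that obtains a SAML 2.0 bearer assertion from a WS-Trust 1.3 STS
    /// using the caller's Windows (Kerberos) logon identity and prints it to stdout.
    /// </summary>
    class SAML_Example
    {
        /// <summary>
        /// Entry point. Requests an assertion scoped to the relying party below and writes
        /// the raw assertion XML to stdout; diagnostics go to stderr so stdout carries only
        /// the token. On failure the exception is written to stderr and the exit code is 1.
        /// </summary>
        static void Main(string[] args)
        {
            // Relying party the assertion is scoped to (the AppliesTo of the RST). The
            // consumer of this program's output is expected to post the assertion to
            // <appliesTo>/api/v1/session/saml-login; that step is outside this sample.
            var appliesTo = "https://epbyminw1035t1";
            try
            {
                string samlToken = GetSamlClaimWSTrustKRB(appliesTo);
                // NOTE: this is a *bearer* credential — anyone holding the XML can present it
                // to the relying party until it expires. Treat the output as a secret (do not
                // log it, do not leave it in shell history or CI output).
                Console.WriteLine(samlToken);
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine(ex);
                Environment.ExitCode = 1;
            }
        }

        /// <summary>
        /// Requests a SAML 2.0 bearer assertion for <paramref name="appliesTo"/> from the STS
        /// over the WS-Trust 1.3 Kerberos "mixed" profile (Kerberos AP-REQ carried in the SOAP
        /// message, TLS on the transport).
        /// </summary>
        /// <param name="appliesTo">Relying-party URI placed in the RST's AppliesTo element;
        /// the STS scopes the issued assertion to it.</param>
        /// <param name="stsEndpoint">Issue endpoint of the STS. Defaults to the PingFederate
        /// Kerberos token-processor URL the original sample targeted; an AD FS equivalent is
        /// <c>https://&lt;adfs-host&gt;/adfs/services/trust/13/kerberosmixed</c>.</param>
        /// <returns>The issued assertion as its outer XML. It is a bearer credential.</returns>
        /// <exception cref="ArgumentException">A required argument is null or empty.</exception>
        /// <exception cref="InvalidOperationException">The STS returned something other than a
        /// <see cref="GenericXmlSecurityToken"/>.</exception>
        /// <exception cref="CommunicationException">Transport or SOAP-level failure, including
        /// STS faults; rethrown with the original stack trace intact.</exception>
        public static string GetSamlClaimWSTrustKRB(
            string appliesTo,
            string stsEndpoint = "https://ping.cluster.dom:9031/idp/sts.wst?TokenProcessorId=Kerberos")
        {
            if (string.IsNullOrEmpty(appliesTo))
            {
                throw new ArgumentException("appliesTo must be a non-empty relying-party URI.", "appliesTo");
            }
            if (string.IsNullOrEmpty(stsEndpoint))
            {
                throw new ArgumentException("stsEndpoint must be a non-empty STS URL.", "stsEndpoint");
            }

            // TLS server-certificate validation is deliberately left at the framework default.
            // The original sample hooked ServicePointManager.ServerCertificateValidationCallback
            // to accept every certificate. That hook is process-wide, and with it a man-in-the-
            // middle can read both the Kerberos AP-REQ and the issued bearer assertion. If the
            // STS uses a private CA, install that CA in the machine/user trust store instead.
            EndpointAddress ep = new EndpointAddress(new Uri(stsEndpoint));

            // Kerberos binding for WS-Trust: credential in the message, TLS on the wire.
            KerberosWSTrustBinding binding = new KerberosWSTrustBinding
            {
                SecurityMode = SecurityMode.TransportWithMessageCredential,
                TrustVersion = TrustVersion.WSTrust13,
                // A bearer token is requested below, so no RSA proof key is negotiated.
                EnableRsaProofKeys = false
            };

            WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, ep);
            factory.TrustVersion = TrustVersion.WSTrust13;
            // Never raise a credential prompt: the current logon session must already hold the ticket.
            factory.Credentials.SupportInteractive = false;

            var rst = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                AppliesTo = new EndpointReference(appliesTo),
                // Bearer: the assertion is not bound to a key, so possession alone is proof.
                KeyType = KeyTypes.Bearer,
                TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.Saml2TokenProfile11
            };

            WSTrustChannel channel = null;
            try
            {
                channel = (WSTrustChannel)factory.CreateChannel();
                Console.Error.WriteLine("Attempting to retrieve SAML assertion");
                GenericXmlSecurityToken token = channel.Issue(rst) as GenericXmlSecurityToken;
                if (token == null)
                {
                    // The original dereferenced the result unchecked and would have thrown
                    // NullReferenceException here on an unexpected token type.
                    throw new InvalidOperationException("STS did not return a GenericXmlSecurityToken.");
                }
                Console.Error.WriteLine("Successfully retrieved SAML assertion");
                return token.TokenXml.OuterXml;
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine("Exception: " + ex.Message);
                Console.Error.WriteLine("InnerException: " + ex.InnerException);
                // 'throw;' keeps the original stack trace; 'throw ex;' would reset it.
                throw;
            }
            finally
            {
                // Close() on a faulted WCF object throws and would mask the real exception;
                // abort in that case instead.
                CloseOrAbort(channel);
                CloseOrAbort(factory);
            }
        }

        /// <summary>
        /// Closes a WCF communication object, or aborts it when it is already faulted or when
        /// Close itself fails, so that cleanup never throws out of a finally block.
        /// </summary>
        /// <param name="obj">Channel or factory to shut down; null is ignored.</param>
        private static void CloseOrAbort(ICommunicationObject obj)
        {
            if (obj == null)
            {
                return;
            }
            if (obj.State == CommunicationState.Faulted)
            {
                obj.Abort();
                return;
            }
            try
            {
                obj.Close();
            }
            catch (CommunicationException)
            {
                obj.Abort();
            }
            catch (TimeoutException)
            {
                obj.Abort();
            }
        }
    }
}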
pkarneliuk commented May 5, 2017

HTTP/1.1 500 Server Error
Date: Fri, 05 May 2017 09:32:08 GMT
Content-Security-Policy: referrer origin
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/soap+xml; charset=utf-8
Set-Cookie: PF=mGlsWEsS1xnaFnmtL6RRIa;Path=/;Secure;HttpOnly
Content-Length: 306

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body>
<s:Fault>
<s:Code><soap:Value xmlns:soap="http://www.w3.org/2003/05/soap-envelope">soap:Receiver</soap:Value></s:Code>
<s:Reason><s:Text xml:lang="en">Unexpected problem evaluating Token</s:Text></s:Reason>
</s:Fault>
</s:Body>
</s:Envelope>

server.log on the STS has this entry (note its timestamp, 2017-05-04 16:24, is from an earlier request than the 2017-05-05 09:32 GMT response above, so it may not describe the same failure):

2017-05-04 16:24:55,589 tid:p30zws2d0yvz-lSbIGH3HvsHBSE WARN [org.sourceid.wstrust.wsse.WsseProcessor] Not validating signature for message with token type: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
