I'm implementing a service that needs o comply with http://www.projectliberty.org/liberty/content/download/4712/32213/file/Liberty-Basic-SOAP-Binding-1.0_Final.pdf using WCF and WIF 4.5.
The specification requires that STR transformation must be used. The end message may look like:
<Assertion ID="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" IssueInstant="2015-05-08T09:07:09.311Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
...
</Assertion>
<o:SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" u:Id="str1" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_f23ef5f3-9efb-40f0-bf38-758d3a9589db</o:KeyIdentifier>
</o:SecurityTokenReference>
If I use the following binding:
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new CustomIssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
messageSecurity.ProtectTokens = true;
initiator.UseStrTransform = true;
initiator.KeyType = SecurityKeyType.AsymmetricKey;
initiator.RequireDerivedKeys = false;
The generated message is:
<Assertion ID="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" IssueInstant="2015-05-08T09:07:09.311Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
...
</Assertion>
<o:SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" u:Id="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_f23ef5f3-9efb-40f0-bf38-758d3a9589db</o:KeyIdentifier>
</o:SecurityTokenReference>
What is not right is that the SecurityTokenReference element has the same Id as that of the Assertion element which causes an error:
<Message>The '_f23ef5f3-9efb-40f0-bf38-758d3a9589db' id occurred twice in the message that is supplied for verification.</Message>
<StackTrace>
at System.ServiceModel.Security.ReceiveSecurityHeaderElementManager.VerifyIdUniquenessInSecurityHeader(String id)
Looking at WCF's source code told me that WCF always creates the SecurityTokenReference with Id set to that of the referenced element. To overcome this issue, I created a custom Paratemers class:
public class CustomIssuedSecurityTokenParameters : IssuedSecurityTokenParameters
{...
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
var clause = base.CreateKeyIdentifierClause(token, referenceStyle);
clause.Id = "";
return clause;
}
}
If I use that custom class, another error will pop up:
<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Saml2AssertionKeyIdentifierClause( Id = '_str1' )
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 1,
TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.IdentityModel.Tokens.Saml2SecurityToken, Parameters=Kombit.Samples.Common.Binding.CustomIssuedSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
TokenType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
KeyType: AsymmetricKey
KeySize: 0
IssuerAddress: null
IssuerMetadataAddress: null
DefaultMessgeSecurityVersion: null
UseStrTransform: True
IssuerBinding: null
ClaimTypeRequirements: none)
)
Could anyone please show me a way to get the UseStrTransform setting work? What am I missing here?
