TokenType value in SecurityTokenReference element (SAML Token Profile 1.1)

  • Thursday, November 05, 2009 10:12 AM, Rui Fiske
    I have just noticed that when signing a message with a SAML 2.0 Token using Geneva, in the <SecurityTokenReference> element the TokenType attribute is specified using the URI "urn:oasis:names:tc:SAML:2.0:assertion".

    However, version 1.1 of the SAML Token Profile (section 3.4) states that the URI that MUST be used is "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".

    Is this by design? Is there a configuration element that I am missing to specify that this URI will be used?

    Many thanks for any help on this.


    YoY

All Replies

  • Friday, November 06, 2009 12:00 PM, Wilko31
    This looks like a bug. I noticed this discrepancy also when comparing existing SAML 2.0 tokens we process and the tokens created by WIF.

    In the WriteKeyIdentifierClause method of the Saml2SecurityTokenHandler class, the following code fragment exists:

    writer.WriteStartElement("SecurityTokenReference", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    ...
    writer.WriteAttributeString("TokenType", "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", "urn:oasis:names:tc:SAML:2.0:assertion");
    writer.WriteStartElement("KeyIdentifier", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    writer.WriteAttributeString("ValueType", "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID");
    ...
    writer.WriteEndElement();
    writer.WriteEndElement();

    Probably need clarification from the identity team as to whether this issue is addressed in an upcoming WIF release.
    Regards Wilko31
  • Monday, November 09, 2009 6:45 AM, Wilko31 (Answer)
    Hi,

    I checked the RC bits today and this bug appears to have been addressed.

    writer.WriteAttributeString("TokenType", "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");

    Regards Wilko31
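The two posts above show the TokenType value WIF emitted before the fix and the value the SAML Token Profile 1.1 requires. As an added illustration (not code from the thread, from WIF, or from the Saml2SecurityTokenHandler source), the following C# program writes a SecurityTokenReference with the profile's #SAMLV2.0 TokenType using the same XmlWriter calls the handler uses, and then applies a receiver-side check that rejects a reference whose TokenType is not the expected profile URI. The assertion id and the method names WriteReference and CheckTokenType are assumptions made for this example; the namespace and profile URIs are the ones quoted in the thread and in the profile.

```csharp
using System;
using System.Text;
using System.Xml;
using System.Xml.Linq;

// Namespace and profile URIs from WS-Security 1.0/1.1 and the SAML Token Profile 1.1.
static class Wss
{
    public const string Wsse10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public const string Wsse11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
    public const string SamlProfile11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1";
    public const string TokenTypeSamlV20 = SamlProfile11 + "#SAMLV2.0";  // required by profile section 3.4
    public const string ValueTypeSamlId = SamlProfile11 + "#SAMLID";
    // The value the pre-RC WIF bits emitted, per the thread. It is the SAML 2.0 assertion
    // namespace, not a TokenType URI defined by the profile.
    public const string Saml20AssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";
}

static class SecurityTokenReferenceDemo
{
    // Writes <wsse:SecurityTokenReference wsse11:TokenType="..."><wsse:KeyIdentifier ValueType="...#SAMLID">id</...>
    // Caller supplies the TokenType so the non-conforming and conforming forms can be compared.
    public static string WriteReference(string assertionId, string tokenType)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (XmlWriter writer = XmlWriter.Create(sb, settings))
        {
            writer.WriteStartElement("wsse", "SecurityTokenReference", Wss.Wsse10);
            writer.WriteAttributeString("wsse11", "TokenType", Wss.Wsse11, tokenType);
            writer.WriteStartElement("wsse", "KeyIdentifier", Wss.Wsse10);
            writer.WriteAttributeString("ValueType", Wss.ValueTypeSamlId);
            writer.WriteString(assertionId);
            writer.WriteEndElement(); // KeyIdentifier
            writer.WriteEndElement(); // SecurityTokenReference
        }
        return sb.ToString();
    }

    // Receiver-side conformance check. Returns null when the reference carries the expected
    // wsse11:TokenType, otherwise a message describing the mismatch so it can be logged or rejected.
    public static string CheckTokenType(string strXml, string expectedTokenType)
    {
        XElement str = XElement.Parse(strXml);
        XAttribute attr = str.Attribute(XName.Get("TokenType", Wss.Wsse11));
        if (attr == null)
            return "missing wsse11:TokenType attribute on SecurityTokenReference";
        if (attr.Value != expectedTokenType)
            return "unexpected TokenType '" + attr.Value + "', expected '" + expectedTokenType + "'";
        return null;
    }

    static void Main()
    {
        // Constructed assertion id for the example; a real one comes from the SAML assertion's ID attribute.
        const string assertionId = "_example-assertion-id";

        string conforming = WriteReference(assertionId, Wss.TokenTypeSamlV20);
        string nonConforming = WriteReference(assertionId, Wss.Saml20AssertionNs);

        Console.WriteLine(conforming);
        Console.WriteLine(CheckTokenType(conforming, Wss.TokenTypeSamlV20) ?? "conforms to SAML Token Profile 1.1");
        Console.WriteLine(CheckTokenType(nonConforming, Wss.TokenTypeSamlV20));
    }
}
```

The check is worth having on the consuming side even after the WIF fix: a relying party that accepts any TokenType value will interoperate with the older bits, but it then cannot tell which profile rules (key identifier semantics, reference resolution) it is supposed to apply to the referenced assertion.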
  • Monday, November 09, 2009 8:49 AM, Rui Fiske
    Wilko,

    Thank you for looking into this. I thought it would be a bug. I raised it because I have been hugely impressed with Microsoft's acceptance of, and adherence to, open standards, and thought they would want to know about this one!

    Regards,


    YoY