Authenticating username token with symmetickey
-
Monday, April 23, 2012 7:43 PM
Hi All,
My ADFS2.0 end point is /adfs/services/trust/13/usernamemixed and I am going to use keytype as http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey. I need to export the ADFS public key and add it to my client keystore. There are three certificates available in ADFS2.0 - service communications, Token-decryption, Token Signing. Which key should I export? Toward the end of the day, I couldn't think.
Thanks.
Gina
Gina Choi
All Replies
-
Monday, April 23, 2012 7:51 PM
By the way, I was getting this error message from ADFS when I sent the RST.
Microsoft.IdentityModel.SecurityTokenService.RequestFailedException: ID4007: The symmetric key inside the requested security token must be encrypted. To fix this, either override the SecurityTokenService.GetScope() method to assign appropriate value to Scope.EncryptingCredentials or set Scope.SymmetricKeyEncryptionRequired to false. at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar) at
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
And here is my RST.
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<S:Header>
<To xmlns="http://www.w3.org/2005/08/addressing">https://strts01.ams.dev/adfs/services/trust/13/usernamemixed</To>
<Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<FaultTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</FaultTo>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:1536987d-68bf-42a1-9e8f-cb987fe8ca1c</MessageID>
<wsse:Security S:mustUnderstand="true">
<wsu:Timestamp xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/"
wsu:Id="_1">
<wsu:Created>2012-04-23T18:25:26Z</wsu:Created>
<wsu:Expires>2012-04-23T18:30:26Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/"
wsu:Id="uuid_8f1e169b-47fa-45ec-8882-6c58e9d14f19">
<wsse:Username>xxxxx</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxx</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</S:Header>
<S:Body>
<trust:RequestSecurityToken xmlns:ns10="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns13="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
xmlns:ns9="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
xmlns:sc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>https://wkengchoi:8443/doubleit/services/doubleit</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:SecondaryParameters>
<trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:KeySize>128</trust:KeySize>
</trust:SecondaryParameters>
<trust:Entropy>
<trust:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">CWFYPocFQtWvdvV6X9nZ6A==</trust:BinarySecret>
</trust:Entropy>
<trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
</trust:RequestSecurityToken>
</S:Body>
</S:Envelope>
Gina Choi
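The RST above asks for a SymmetricKey with KeySize 128, supplies requestor entropy as a Nonce BinarySecret and names CK/PSHA1 as the computed-key algorithm. The following is an added example, not code from the post, from ADFS or from the client stack, showing what that combination means on the wire: the STS reads the request, contributes its own entropy in the RSTR, and both parties derive the same proof key with P_SHA1 instead of either side ever sending the key. The trimmed RST text, the function names (`parse_rst`, `issue_response_entropy`, `build_rstr`, `client_compute_key`, `run_exchange`) and the locally generated issuer entropy are this example's own assumptions; it does not model how ADFS then protects that key inside the issued token, which is what the ID4007 message is about.

```python
# Added example: CK/PSHA1 proof-key derivation for a WS-Trust 1.3 SymmetricKey request.
# Not code from the post, ADFS or the client library; RST text below is a trimmed, constructed copy.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS = {"trust": WST}
NONCE_TYPE = WST + "/Nonce"
PSHA1 = WST + "/CK/PSHA1"
SYMMETRIC_KEY = WST + "/SymmetricKey"

# Constructed: the RST body from the post, trimmed to the elements this example reads.
RST_BODY = f"""<trust:RequestSecurityToken xmlns:trust="{WST}">
  <trust:RequestType>{WST}/Issue</trust:RequestType>
  <trust:SecondaryParameters>
    <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
    <trust:KeyType>{SYMMETRIC_KEY}</trust:KeyType>
    <trust:KeySize>128</trust:KeySize>
  </trust:SecondaryParameters>
  <trust:Entropy>
    <trust:BinarySecret Type="{NONCE_TYPE}">CWFYPocFQtWvdvV6X9nZ6A==</trust:BinarySecret>
  </trust:Entropy>
  <trust:ComputedKeyAlgorithm>{PSHA1}</trust:ComputedKeyAlgorithm>
</trust:RequestSecurityToken>"""


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 (RFC 2246 s5): HMAC(secret, A(i) + seed) with A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_proof_key(client_entropy: bytes, server_entropy: bytes, key_size_bits: int) -> bytes:
    """WS-Trust CK/PSHA1: key = P_SHA1(EntropyREQ, EntropyRES), truncated to KeySize bits."""
    if key_size_bits % 8:
        raise ValueError("KeySize must be a whole number of bytes")
    return p_sha1(client_entropy, server_entropy, key_size_bits // 8)


def parse_rst(body: str) -> dict:
    """STS side: pull key type, key size, requestor entropy and computed-key algorithm from the RST."""
    root = ET.fromstring(body)
    params = root.find("trust:SecondaryParameters", NS)
    secret = root.find("trust:Entropy/trust:BinarySecret", NS)
    if secret is None or secret.get("Type") != NONCE_TYPE:
        raise ValueError("SymmetricKey request must carry requestor entropy of type Nonce")
    return {
        "key_type": params.findtext("trust:KeyType", namespaces=NS),
        "key_size": int(params.findtext("trust:KeySize", namespaces=NS)),
        "client_entropy": base64.b64decode(secret.text),
        "computed_key_algorithm": root.findtext("trust:ComputedKeyAlgorithm", namespaces=NS),
    }


def issue_response_entropy(req: dict, rng=os.urandom) -> bytes:
    """STS side: accept only SymmetricKey + CK/PSHA1 and contribute fresh entropy of KeySize bits."""
    if req["key_type"] != SYMMETRIC_KEY or req["computed_key_algorithm"] != PSHA1:
        raise ValueError("unsupported KeyType or ComputedKeyAlgorithm")
    return rng(req["key_size"] // 8)


def build_rstr(req: dict, server_entropy: bytes) -> str:
    """STS side: the RSTR carries the issuer entropy and names the algorithm, never the key itself."""
    return f"""<trust:RequestSecurityTokenResponse xmlns:trust="{WST}">
  <trust:Entropy>
    <trust:BinarySecret Type="{NONCE_TYPE}">{base64.b64encode(server_entropy).decode()}</trust:BinarySecret>
  </trust:Entropy>
  <trust:RequestedProofToken><trust:ComputedKey>{PSHA1}</trust:ComputedKey></trust:RequestedProofToken>
  <trust:KeySize>{req['key_size']}</trust:KeySize>
</trust:RequestSecurityTokenResponse>"""


def client_compute_key(req: dict, rstr: str) -> bytes:
    """Requestor side: check the STS agreed on CK/PSHA1, then derive the key from both entropies."""
    root = ET.fromstring(rstr)
    if root.findtext("trust:RequestedProofToken/trust:ComputedKey", namespaces=NS) != PSHA1:
        raise ValueError("STS did not agree on CK/PSHA1")
    server_entropy = base64.b64decode(root.findtext("trust:Entropy/trust:BinarySecret", namespaces=NS))
    key_size = int(root.findtext("trust:KeySize", namespaces=NS))
    return derive_proof_key(req["client_entropy"], server_entropy, key_size)


def run_exchange(body: str = RST_BODY, rng=os.urandom) -> dict:
    """Play both sides once; the STS and the requestor must end up with the same proof key."""
    req = parse_rst(body)
    server_entropy = issue_response_entropy(req, rng)
    sts_key = derive_proof_key(req["client_entropy"], server_entropy, req["key_size"])
    rstr = build_rstr(req, server_entropy)
    client_key = client_compute_key(req, rstr)
    if not hmac.compare_digest(sts_key, client_key):
        raise RuntimeError("proof-key mismatch between STS and requestor")
    return {"server_entropy": server_entropy, "proof_key": sts_key, "rstr": rstr}


if __name__ == "__main__":
    result = run_exchange()
    print("issuer entropy:", base64.b64encode(result["server_entropy"]).decode())
    print("proof key:", result["proof_key"].hex(), f"({len(result['proof_key']) * 8} bits)")
```

The point of the construction is that the 128-bit key is never transmitted: each side only sends its own nonce, and the key is `P_SHA1(client_nonce, server_nonce)` truncated to KeySize. Whether the requestor's nonce is reused (it must not be) and whether the STS has a certificate to wrap the key for the relying party are separate checks from the derivation itself.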
-
Tuesday, April 24, 2012 11:44 AM
I guess you need to export the signing cert; that's what the RP might need to verify the signature on the token.
Dominick Baier | thinktecture | http://www.leastprivilege.com