Question: Live ID, WS-Trust version and ACS Interoperability

  • Monday, June 29, 2009 4:07 Dean Ward
     
    Hi folks,

    I'm using Geneva's WSTrustClient to retrieve a Live ID token from the WS-Trust endpoint at https://dev.login.live.com/wstlogin.srf. I now want to pass that token up to the Access Control Service. I've tried to use WSTrustClient to do so and I continually get a MessageSecurityException. This doesn't happen when I'm using my own Geneva-based STS.

    Somebody posted previously at http://social.msdn.microsoft.com/Forums/en-US/netservices/thread/7b7defdf-728c-4fe7-8cf7-245b08ee763a indicating that it might be a version issue; Live ID supports WS-Trust Feb 2005 and ACS supports WS-Trust 1.3. Is this the case? Are there plans for active STS interoperability between ACS and Live ID?

    Thanks & Regards,

    Dean Ward
    Developer
    iPrinciples Ltd


All replies

  • Monday, June 29, 2009 19:53 Wup HQ
     
    Maybe this will help you ...

    http://blogs.msdn.com/justinjsmith/archive/2009/03/24/tokenclient-mix-introduction.aspx


  • Monday, June 29, 2009 23:54 Dean Ward
     
    Unfortunately that seems to be geared towards the Geneva Beta 1 release. The same functionality is effectively replaced with that of WSTrustClient in Beta 2 - which is what I'm using!

    Anybody have any idea what's going on here?

    Thanks,

    Dean
  • Tuesday, June 30, 2009 1:22 Dean Ward
     
    OK, further investigation leads here...

    http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/82acfec3-36eb-4916-9442-f2e07f62c051

    I've tried to decrypt the token created by the Live ID STS at https://dev.login.live.com/wstlogin.srf but I don't have the ACS private key so I can't get much further!

    Is Live ID STS using an old certificate to encrypt the token for ACS or is something else broken? My token looks like this:

    <?xml version="1.0" encoding="utf-8"?>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509SKI>aqPI5cP+UHaMNfk5i8kWU3mza84=</ds:X509SKI>
            </ds:X509Data>
            <ds:KeyName>accesscontrol.windows.net</ds:KeyName>
          </ds:KeyInfo>
          <CipherData>
            <CipherValue>qlFQT90ejHTISgsAf+CbtYLdXH4mNB53MGQab9R+bKRWzDbUa+AGdRhYsxtrsCw1hlz0YhauJMRM9VE4bcvJKcj+LmgmDx7wsspXrqFh7fjv9eBp9YRP9KqLaL8SC0OgwIs5xbWdgJ4z74NItWOqNSww8K4gSHgI3f1lvcEECkQ=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>...</CipherValue>
      </CipherData>
    </EncryptedData>
    
    Thanks,

    Dean
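
The question raised in the post above (which certificate the token was encrypted to) can be narrowed down without the private key, because the EncryptedKey header travels in cleartext. The sketch below is an added example, not part of the original post or of Geneva; the function names are hypothetical, and the sample reuses the post's X509SKI, KeyName and algorithms with placeholder zero bytes for both CipherValue payloads.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def describe_encrypted_token(xml_text):
    """Read the cleartext metadata of an xmlenc EncryptedData token (no key needed)."""
    root = ET.fromstring(xml_text)
    key = root.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if root.tag != "{%s}EncryptedData" % NS["xenc"] or key is None:
        raise ValueError("expected EncryptedData carrying an EncryptedKey")

    def algorithm(node):
        method = node.find("xenc:EncryptionMethod", NS)
        return None if method is None else method.get("Algorithm")

    ski = key.findtext("ds:KeyInfo/ds:X509Data/ds:X509SKI", "", NS)
    wrapped = key.findtext("xenc:CipherData/xenc:CipherValue", "", NS)
    return {
        "data_algorithm": algorithm(root),
        "key_algorithm": algorithm(key),
        "key_name": key.findtext("ds:KeyInfo/ds:KeyName", None, NS),
        "ski_hex": base64.b64decode(ski).hex(),
        # An RSA ciphertext is as long as the modulus: this is the recipient key size.
        "rsa_key_bits": len(base64.b64decode(wrapped)) * 8,
    }

def encrypted_to(report, cert_ski_hex):
    """True if the token's SKI equals a certificate's Subject Key Identifier (hex)."""
    # Certificate viewers print the SKI with spaces or colons; strip them first.
    wanted = cert_ski_hex.replace(":", "").replace(" ", "").lower()
    return report["ski_hex"] == wanted

# Constructed sample: structure, algorithms, X509SKI and KeyName copied from the token
# in the post; both CipherValue payloads are 128 zero bytes, not real ciphertext.
SAMPLE = """<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo><EncryptedKey>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <ds:KeyInfo><ds:X509Data><ds:X509SKI>aqPI5cP+UHaMNfk5i8kWU3mza84=</ds:X509SKI></ds:X509Data>
      <ds:KeyName>accesscontrol.windows.net</ds:KeyName></ds:KeyInfo>
    <CipherData><CipherValue>{zeros}</CipherValue></CipherData>
  </EncryptedKey></ds:KeyInfo>
  <CipherData><CipherValue>{zeros}</CipherValue></CipherData>
</EncryptedData>""".format(zeros=base64.b64encode(bytes(128)).decode())

if __name__ == "__main__":
    print(describe_encrypted_token(SAMPLE))
```

Compare `ski_hex` with the Subject Key Identifier of the certificate the receiving service currently publishes; if they differ, the token was encrypted to a different key pair.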
  • Sunday, July 05, 2009 18:38 Dean Ward
     
    Why was this marked as answered, it clearly hasn't been?! Does anybody at MS know why Live ID WS-Trust doesn't work with the access control service?

    Thanks,

    Dean