WIF error when using SAML 2.0 token.
Thursday, 1 March 2012 07:02
Hi,
I am using WIF to integrate my WS-Federation IdP with an application on Azure.
I am trying to send SAML 2.0 tokens to it.
However, I am getting the following error on the application side.
ID4157: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies a Recipient value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.
On the face of it, SAML does not look wrong. So I am looking for approaches to correct this. I cannot remove this setting from my IDP.
I am also wondering what the result will be when I use this with ACS.
Here is the token I am sending.
Removing some content, but please ignore signature verification. The signature is correct.
<RequestSecurityTokenResponse xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust"><RequestedSecurityToken><ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b9e6af1c1c2f3c70d35a2b336701d361fc56" IssueInstant="2012-02-29T12:34:15Z" Version="2.0">
<ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://chddlf125630d.ad.infosys.com/</ns2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_b9e6af1c1c2f3c70d35a2b336701d361fc56">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xOV8S8WWjkh01cPoZsfet7M2Awc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
T9bPG5DHqTk3IB9o0egZ7fuBIdUAso9w2zw9qovGyViZ36y0odKGFevjM23ZbfdX9uOByq3e8Kot
XFtXIH708NVSkOHWEuEp6kVXp3D1vrPKWrhKncXGpVoSXyleN0N21cLFG7W0ZtVy7GmhNMAX/WvP
7BT7Fp7/vpdlgnd+iBQL3V+dPkXCjhU5BSqjRfb6VgJWGTYc4871NyncQMjHfyN9sfC4OkhjmUzG
InAi0CmL1RDGnNQH2aZC/aAULu0xICNNUNtdkWQZxF/CGoE/fJvZb0MlttDS0K0SGq1NTvtdV6+o
KzvXSJOUrWZGMQqaleRI2Q94MkS2dJSZLME42A==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<ns2:Subject>
<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user1</ns2:NameID>
<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns2:SubjectConfirmationData NotOnOrAfter="2012-03-01T06:54:15Z" Recipient="http://recipient.com/affwebservices/public/Adapter.jsp"/>
</ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="2012-02-29T04:14:15Z" NotOnOrAfter="2012-03-01T06:54:15Z">
<ns2:AudienceRestriction>
<ns2:Audience>https://127.0.0.1:8081/</ns2:Audience>
</ns2:AudienceRestriction>
</ns2:Conditions>
<ns2:AuthnStatement AuthnInstant="2012-02-29T12:34:09Z" SessionIndex="wDiwzRXKbC8/9wa1hBzznE81CAw=rUA2mA==" SessionNotOnOrAfter="2012-03-01T06:54:15Z">
<ns2:AuthnContext>
<ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
</ns2:AuthnContext>
</ns2:AuthnStatement>
</ns2:Assertion>
</RequestedSecurityToken></RequestSecurityTokenResponse>
Thanks and Regards,
Kanduri
All replies
Friday, 2 March 2012 03:59 (Moderator)
Hi,
According to your description, it seems that there is SubjectConfirmationData in your SAML token. The default Saml2SecurityTokenHandler cannot handle this, so you have to inherit from it and write an extension method for the SubjectConfirmationData and Recipient of the SAML 2.0 token.
Refer to following links and hope it helps:
http://travisspencer.com/blog/2010/09/
http://social.msdn.microsoft.com/Forums/uk/Geneva/thread/3d109f9d-f5f4-4701-ab9b-0971753d4532
Thank you.
Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com. Microsoft One Code Framework
Marked as answer by Arwind - MSFT (Moderator), Friday, 9 March 2012 09:57
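The moderator's answer says to derive from Saml2SecurityTokenHandler and override ValidateConfirmationData, which is also what the ID4157 message itself recommends. The example below is added here and is not code from the thread, from WIF, or from the linked blog posts; it assumes WIF 3.5 (the Microsoft.IdentityModel assembly and its Microsoft.IdentityModel.Tokens.Saml2 namespace, where Saml2SubjectConfirmationData exposes Recipient as a Uri, InResponseTo as a Saml2Id, Address as a string and NotBefore/NotOnOrAfter as nullable DateTime). The class name RecipientCheckingSaml2TokenHandler and the two allowed recipient URLs are hypothetical placeholders. Rather than simply ignoring Recipient, the override checks that the bearer assertion was issued for one of this relying party's own endpoints, and it repeats the time-window checks the base implementation would have performed, because the base method cannot be called once Recipient is present (it throws ID4157 unconditionally).

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;            // SecurityTokenValidationException
using Microsoft.IdentityModel.Tokens.Saml2;   // Saml2SecurityTokenHandler, Saml2SubjectConfirmationData (WIF 3.5)

// Hypothetical relying-party handler: a bearer token is accepted only when its
// SubjectConfirmationData/@Recipient names an endpoint this application exposes.
public class RecipientCheckingSaml2TokenHandler : Saml2SecurityTokenHandler
{
    // Constructed placeholders: in a real deployment these are the exact URLs the
    // IdP is configured to POST the token to (typically the RP's sign-in endpoint).
    private static readonly HashSet<Uri> AllowedRecipients = new HashSet<Uri>
    {
        new Uri("https://rp.example.com/"),
        new Uri("https://rp.example.com/Account/SignIn")
    };

    protected override void ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
    {
        if (confirmationData == null)
            throw new ArgumentNullException("confirmationData");

        // base.ValidateConfirmationData is deliberately NOT called: it throws ID4157 as soon
        // as Recipient is set. Every check it would have made is reproduced below instead.

        // Address (client IP) cannot be verified by this RP, so reject rather than ignore it.
        if (confirmationData.Address != null)
            throw new SecurityTokenValidationException(
                "SubjectConfirmationData/@Address is not supported by this relying party.");

        // InResponseTo only makes sense when this RP issued the AuthnRequest and kept its ID;
        // for IdP-initiated (unsolicited) tokens it must be absent.
        if (confirmationData.InResponseTo != null)
            throw new SecurityTokenValidationException(
                "Unsolicited tokens must not carry SubjectConfirmationData/@InResponseTo.");

        // Recipient binds the bearer assertion to a delivery endpoint; require it and
        // require that it is one of ours, so a token delivered elsewhere is not accepted here.
        if (confirmationData.Recipient == null)
            throw new SecurityTokenValidationException(
                "Bearer SubjectConfirmationData must specify a Recipient.");
        if (!AllowedRecipients.Contains(confirmationData.Recipient))
            throw new SecurityTokenValidationException(string.Format(
                "Token was issued for recipient '{0}', which is not an endpoint of this application.",
                confirmationData.Recipient));

        // Validity window, tolerating the clock skew configured on the handler collection.
        TimeSpan skew = Configuration != null ? Configuration.MaxClockSkew : TimeSpan.FromMinutes(5);
        DateTime now = DateTime.UtcNow;

        if (confirmationData.NotBefore.HasValue &&
            now + skew < confirmationData.NotBefore.Value.ToUniversalTime())
            throw new SecurityTokenValidationException("SubjectConfirmationData is not yet valid.");

        if (confirmationData.NotOnOrAfter.HasValue &&
            now - skew >= confirmationData.NotOnOrAfter.Value.ToUniversalTime())
            throw new SecurityTokenValidationException("SubjectConfirmationData has expired.");
    }
}
```

To make WIF use the derived handler, the stock Saml2SecurityTokenHandler is removed from the securityTokenHandlers collection in the microsoft.identityModel section of web.config and this type is added in its place. Note that Recipient and Audience are independent checks: in the token posted above, Audience is https://127.0.0.1:8081/ while Recipient is http://recipient.com/affwebservices/public/Adapter.jsp, so with a handler like this one the IdP's Recipient value would have to be changed to the Azure application's actual endpoint (or that endpoint added to the allowed list) before the token is accepted.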
Monday, 12 March 2012 12:38
...or more exactly, http://travisspencer.com/blog/2010/09/another-way-to-do-idp-initiate.html
HTH!
Regards,
Travis Spencer
http://travisspencer.com