Deserialize a Signed SamlSecurityToken
-
quarta-feira, 18 de agosto de 2010 22:16
I am trying to authenticate against an STS, retrieve the SamlToken, and then use that for Service calls which require authenticate to the same STS. I guess before I go much further, I should point out that I'm not interested in SWT. I may do that at some point, but I'm not happy with that implementation. Anyway, I have managed to get the SamlSecurityToken on the Web Server, but am using RESTful services, so I need to get the token into some serialized format. Trying to use WSSecurityTokenSerializer or SamlSerializer both tell me "The private key is not present in the x.509 certificate." I imagine that is because it is trying to sign the token as it is serializing it. I have managed to serialize the token (unsigned) SamlAssertion.WriteXml(), but then since it is unsigned, the server rejects it (401, as it should:) I have found myself able to Actively authenticate against the same STS, receive a GenericXmlSecurityToken, and Serialize/Deserialize it all day long, but not the one retrieved from Passive Authentication on BootstrapToken.
Close(r) examination has revealed to me that the GenericXmlSecurityToken I get from Active Auth deserializes with a SigningToken, whereas a SamlSecurityToken retrieved from Passive Auth's BootstrapToken has SigningCredentials instead. The docs seem to indicate that SigningCredentials are what will be used to sign a token and SigningToken is what was used to sign a token. Doesn't really make sense since both of these tokens should have already be signed...shouldn't they? Is the token coming from Passive Authentication not signed, and if not, how do I make that happen? Is that a setting in the STS / WIF? That would explain why I can't serialize a signed token.
Am I missing some other easy option for getting a signed token to make WCF calls? Any help would be appreciated. Thanks.
dmp
Todas as Respostas
-
quinta-feira, 19 de agosto de 2010 05:51
have a look here:
http://www.leastprivilege.com/ThinktectureIdentityModelWIFSupportForWCFRESTServicesAndOData.aspx
Dominick Baier | thinktecture | http://www.leastprivilege.com -
quinta-feira, 19 de agosto de 2010 14:35
Thanks Dominick,
I looked at the site you mentioned, and I don't see how it applies: It discusses a Data Service and REST, and says regarding the token: "To call the service you need to somehow get a token. This is up to you. You can either use WSTrustChannelFactory (for the full CLR), WSTrustClient (Silverlight) or some other way to obtain a token." My problem is in getting a token from a passively authenticated situation. I can get the token, but it's not signed. Once I have a valid, signed token in XML format, I can do what that post suggests. It's getting the signed token that is bothering me.
Anything?
-
quinta-feira, 19 de agosto de 2010 15:05
You can use this code to extract the SAML token string from a SamlSecurityToken:
var token = id.BootstrapToken;
var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
var sb = new StringBuilder(128);
handlers.WriteToken(new XmlTextWriter(new StringWriter(sb)), token);
Dominick Baier | thinktecture | http://www.leastprivilege.com- Marcado como Resposta dmprantz quinta-feira, 19 de agosto de 2010 16:59
-
quinta-feira, 19 de agosto de 2010 16:59That code did it. Thank you Dominick!
-
terça-feira, 6 de março de 2012 21:34
I can't thank Dominick enough, was struggling to figure out a way to get the 'raw' SAML assertion XML from the SecurityToken in the WSFederationAuthenticationModule.SecurityTokenReceived event; and this worked perfectly (I used a MemoryStream instead of a StringBuilder).
I am using passive redirect in an ASP.NET MVC application, and while the BootstrapToken is often null, you can hook into the module event to get the signed token this way.
Is there some sort of configuration change that can be made to cause the bootstrap token to be populated?
-
quarta-feira, 7 de março de 2012 00:24
Normally:
<microsoft.identityModel>
<service saveBootstrapTokens="true" />
...
