RequestSecurityTokenResponse in Sharepoint

    Question

  • Hi, I sent to SharePoint a "RequestSecurityTokenResponse" in SAML 2.0, which looks like:

    <?xml version="1.0" encoding="utf-8"?>
    <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:Lifetime>
        <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-02-15T13:03:19.047Z</wsu:Created>
        <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-02-15T13:08:19.047Z</wsu:Expires>
      </t:Lifetime>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
          <Address>http://rpsts.repozytorium.pl/SitePages/Home.aspx</Address>
        </EndpointReference>
      </wsp:AppliesTo>
      <t:RequestedSecurityToken>
        <saml:Assertion Version="2.0" ID="_867112ef-5768-4110-83df-4b23e5ce87ee" IssueInstant="2013-02-15T13:03:19.0478433Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml:Issuer>http://system.sa.us.pl/csioz-dev-sp</saml:Issuer>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
              <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <Reference URI="#_867112ef-5768-4110-83df-4b23e5ce87ee">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>Zl/jWW69iihHsJdmIQx4OR6M3J8=</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>iJ9pj/nZjVppftyfaa2iUjecmbqds+fu1izmyYRkuXMagzSy1dG72JjzYEATcgJvBiVVvF8gwNhyZWJexUAQP3ylUFLUSzcHB1Ly8yUsxO/dxnxijG/kytYzEFYge6gPslK2LiEcqnr5XPrqySjNTslSPXjm5l3Te1fid2/ROkYRcPK2NGEoysV/C2hNeOoBNORvg0HlDTLzingxAiIZyiSae+PvSCcyjVXkmN4wiRKPAZMMOdTTQdy+Q6dFY93TBZ4SCVzzsiW07rE/5hKagCE7Qpqj3///+4GgtC3mGWKR3znirxunFQ/qQ73B5dFVqKpwRUyeo3i447yKg9O0fA==</SignatureValue>
            <KeyInfo>
              <X509Data>
                <X509Certificate>...</X509Certificate>
              </X509Data>
            </KeyInfo>
          </Signature>
          <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">10b2c3a8-edca-4b01-b61e-3dfb7b1d0c59</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <saml:SubjectConfirmationData />
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2013-02-15T13:03:19.0478433Z" NotOnOrAfter="2013-02-15T13:08:19.0478433Z" />
          <saml:AuthnStatement AuthnInstant="2013-02-15T13:03:19.0478433Z">
            <saml:AuthnContext>
              <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
          </saml:AuthnStatement>
          <saml:AttributeStatement>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xmlns:q1="http://www.w3.org/2001/XMLSchema" p7:type="q1:string" xmlns:p7="http://www.w3.org/2001/XMLSchema-instance">Kamil</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
        </saml:Assertion>
      </t:RequestedSecurityToken>
      <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
    </t:RequestSecurityTokenResponse>

    As you know, SharePoint doesn't support SAML 2.0, so I created a custom class derived from Saml2SecurityTokenHandler, which looks like this with the ReadToken method:

    using System;
    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Xml;
    using Microsoft.IdentityModel.Tokens.Saml2; // WIF 3.5 (Microsoft.IdentityModel.dll), the identity stack SharePoint uses

    // The class name is a placeholder; the post only says the class derives from Saml2SecurityTokenHandler.
    public class CustomSaml2SecurityTokenHandler : Saml2SecurityTokenHandler
    {
        public override SecurityToken ReadToken(XmlReader reader)
        {
            // The original threw ArgumentNullException(reader.ReadOuterXml()), which dereferences the null reader.
            if (reader == null)
                throw new ArgumentNullException("reader");

            string assertionXML = null;
            XmlDocument signedXml = null;
            try
            {
                using (var reader_Assertion = XmlReader.Create(reader, null))
                {
                    // Skip the RSTR wrapper (Lifetime, AppliesTo, ...) and stop at the SAML 2.0 Assertion.
                    if (!reader_Assertion.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion"))
                        throw new ApplicationException("No SAML 2.0 Assertion found in the RequestSecurityTokenResponse");
                    assertionXML = reader_Assertion.ReadOuterXml();

                    if (!string.IsNullOrEmpty(assertionXML))
                    {
                        using (var reader_doc = XmlReader.Create(new StringReader(assertionXML)))
                        {
                            // The assertion carries an enveloped signature: whitespace inside it must be kept
                            // exactly as received, or the Reference digest will not verify.
                            signedXml = new XmlDocument { PreserveWhitespace = true };
                            signedXml.Load(reader_doc);

                            if (!string.IsNullOrEmpty(signedXml.OuterXml))
                            {
                                using (var reader_finalXml = XmlReader.Create(new StringReader(signedXml.OuterXml)))
                                {
                                    // Hand the bare assertion to the base Saml2SecurityTokenHandler. The original called
                                    // base.ContainingCollection.ReadToken here, which can dispatch back into this override.
                                    return base.ReadToken(reader_finalXml);
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                throw new ApplicationException("Can't validate token", ex);
            }

            return base.ReadToken(reader);
        }
    }

    I checked in Fiddler and there are signin1.0 and wresult with the above XML. When I redirect, unfortunately ResponseEnd() failed ;/ Please help, what should I do more?


    • Edited by CaMeL023 Friday, February 15, 2013 2:07 PM
    Friday, February 15, 2013 1:54 PM
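The checks a relying party makes on a wresult like the one above before it will populate the identity (token type, audience, signature reference bound to the assertion ID, bearer confirmation, validity window), as an added example that is not the poster's code and not part of SharePoint or WIF. It works on a constructed sample modelled on the question's RSTR (signature value and certificate elided), the function names check_rstr and parse_wcf_time are assumptions, and it does not verify the XML signature cryptographically.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust", "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_TOKEN, BEARER = "urn:oasis:names:tc:SAML:2.0:assertion", "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ASSERTION_ID = "_867112ef-5768-4110-83df-4b23e5ce87ee"
# Constructed sample RSTR modelled on the wresult in the question; signature value and certificate elided.
SAMPLE_RSTR = f"""<t:RequestSecurityTokenResponse xmlns:t="{NS['t']}">
<wsp:AppliesTo xmlns:wsp="{NS['wsp']}"><EndpointReference xmlns="{NS['wsa']}">
<Address>http://rpsts.repozytorium.pl/SitePages/Home.aspx</Address></EndpointReference></wsp:AppliesTo>
<t:RequestedSecurityToken><saml:Assertion Version="2.0" ID="{ASSERTION_ID}" xmlns:saml="{NS['saml']}">
<saml:Issuer>http://system.sa.us.pl/csioz-dev-sp</saml:Issuer>
<Signature xmlns="{NS['ds']}"><SignedInfo><Reference URI="#{ASSERTION_ID}"/></SignedInfo></Signature>
<saml:Subject><saml:SubjectConfirmation Method="{BEARER}"/></saml:Subject>
<saml:Conditions NotBefore="2013-02-15T13:03:19.0478433Z" NotOnOrAfter="2013-02-15T13:08:19.0478433Z"/>
</saml:Assertion></t:RequestedSecurityToken><t:TokenType>{SAML2_TOKEN}</t:TokenType>
</t:RequestSecurityTokenResponse>"""

def parse_wcf_time(value):
    """Parse a WCF/WIF UTC timestamp: 'Z' suffix and up to 7 fractional digits (Python keeps 6)."""
    head, _, frac = value.rstrip("Z").partition(".")
    if frac:
        head = head + "." + frac[:6].ljust(6, "0")
    return datetime.fromisoformat(head).replace(tzinfo=timezone.utc)

def check_rstr(xml_text, expected_realm, now):
    """Return the reasons a relying party should reject this RSTR (empty list = structurally acceptable)."""
    root, problems = ET.fromstring(xml_text), []
    if root.findtext("t:TokenType", namespaces=NS) != SAML2_TOKEN:
        problems.append("TokenType is not a SAML 2.0 assertion")
    realm = root.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
    if realm != expected_realm:  # the audience must be the realm configured for the trusted provider
        problems.append("AppliesTo %r does not match the configured realm %r" % (realm, expected_realm))
    assertion = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion inside RequestedSecurityToken"]
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):  # unsigned, or signs something else
        problems.append("signature Reference does not cover this assertion's ID")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        problems.append("SubjectConfirmation method is not bearer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions")
    elif not parse_wcf_time(cond.get("NotBefore")) <= now < parse_wcf_time(cond.get("NotOnOrAfter")):
        problems.append("assertion not valid at %s" % now.isoformat())  # NotOnOrAfter is exclusive
    return problems
```

Any non-empty result is a reason WIF would refuse to build a session from the token, which is what an `IsAuthenticated=False, ClaimsCount=0` trace looks like from the outside.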

All replies

  • In UlsViewer I found more information about this issue. During this process, in UlsViewer I saw the Authentication Authorization category with this info:

    Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0

    Request was made to /_layouts/Authenticate.aspx

    I found that there is also /_layout/15/OAuthAuthorize.aspx ?

    It looks like an infinite logon loop.

    What can I do with this?

    • Edited by CaMeL023 Friday, February 15, 2013 4:25 PM
    Friday, February 15, 2013 4:01 PM
  • I have a problem understanding this issue. I've got a SAMLResponse in a POST from the IdP and I would like to authenticate the user from the SAML token in SharePoint.

    I read that we can transmit SAML 2.0 to WS-Fed, which SharePoint supports, right?

    So I created it as in the post above, but please tell me what I should do next, because at this step User.Identity.Name is null or User.Identity.IsAuthenticated is false! What should I do with this?

    Thanks for any help.

    Saturday, February 16, 2013 5:56 PM
  • Hi

    Was this issue fixed?

    Thursday, December 19, 2013 9:04 PM