WCF service does not understand SOAP 'Security' header

    Question

  • Hi,

    I have a WCF client that makes a request for a SAML 1.1 token from a Security Token Service (STS).  Once my client receives that token, it forwards it to the WCF service I am trying to invoke.  However, once the service receives the message, I'm getting the error:

    "The header 'Security' from the namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' was not understood by the recipient of this message, causing the message to not be processed."

    Is there something I have to configure on the WCF Service side so it will be able to understand and process the SOAP security headers?

    Thursday, August 05, 2010 9:32 PM

Answers

  • It depends what you want to do. If you want the server to actually understand the SAML, verify its signature, expose it to you in the security API, etc., you need to configure a security element in its binding.

    If you wish none of that, I believe you can write a message inspector on the server side to mark the security header as understood (so the exception is not thrown); not sure about the details.


    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    • Marked as answer by Mog Liang Friday, August 13, 2010 6:04 AM
    Thursday, August 05, 2010 11:20 PM

All replies

  • It depends what you want to do. If you want the server to actually understand the SAML, verify its signature, expose it to you in the security API, etc., you need to configure a security element in the server binding.

    If you wish none of that, I believe you can write a message inspector on the server side to mark the security header as understood (so the exception is not thrown); not sure about the details.


    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Thursday, August 05, 2010 11:23 PM
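
One way to configure the security element the answer refers to, shown as an added example that is not from the thread: a service-side configuration using `wsFederationHttpBinding`, so that WCF processes the `Security` header and validates the SAML 1.1 token's issuer and audience. The service and contract names, STS metadata address, audience URI and certificate subjects are placeholders, and the example assumes the client's binding uses matching message security.

```xml
<!-- Added example: service-side web.config fragment. All names, addresses and
     certificate subjects below are placeholders, not values from the thread. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="samlFederation">
          <!-- Message security makes the channel stack consume the wsse:Security header -->
          <security mode="Message">
            <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                     issuedKeyType="SymmetricKey"
                     negotiateServiceCredential="false">
              <issuerMetadata address="https://sts.example.com/mex" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="samlService">
          <serviceCredentials>
            <!-- Certificate the STS encrypts the proof key to (placeholder subject) -->
            <serviceCertificate findValue="service.example.com" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
            <!-- Accept tokens only from the known STS signing certificate and
                 only when they are scoped to this service's audience URI -->
            <issuedTokenAuthentication certificateValidationMode="PeerOrChainTrust"
                                       revocationMode="Online"
                                       audienceUriMode="Always">
              <knownCertificates>
                <add findValue="sts.example.com" storeLocation="LocalMachine"
                     storeName="TrustedPeople" x509FindType="FindBySubjectName" />
              </knownCertificates>
              <allowedAudienceUris>
                <add allowedAudienceUri="https://service.example.com/Service.svc" />
              </allowedAudienceUris>
            </issuedTokenAuthentication>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.Service" behaviorConfiguration="samlService">
        <endpoint address="" binding="wsFederationHttpBinding"
                  bindingConfiguration="samlFederation" contract="Example.IService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

With a binding like this the token's claims are available through the service's authorization context; the message-inspector alternative only suppresses the mustUnderstand fault and leaves the token unvalidated.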