WIF error when using SAML 2.0 token.

    Question

    Hi,

    I am using WIF for integrating my WS-Federation IDP with an application on Azure.

    I am trying to send SAML 2.0 tokens to it.

    However, I am getting the following error on the application side.

    ID4157: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies a Recipient value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.

    On the face of it, SAML does not look wrong. So I am looking for approaches to correct this. I cannot remove this setting from my IDP.

    I am also wondering what the result will be when I use this with ACS.

    Here is the token I am sending.

    Removing some content, but please ignore signature verification. The signature is correct.

    <RequestSecurityTokenResponse xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <RequestedSecurityToken>
        <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b9e6af1c1c2f3c70d35a2b336701d361fc56" IssueInstant="2012-02-29T12:34:15Z" Version="2.0">
          <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://chddlf125630d.ad.infosys.com/</ns2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#_b9e6af1c1c2f3c70d35a2b336701d361fc56">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>xOV8S8WWjkh01cPoZsfet7M2Awc=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
              T9bPG5DHqTk3IB9o0egZ7fuBIdUAso9w2zw9qovGyViZ36y0odKGFevjM23ZbfdX9uOByq3e8Kot
              XFtXIH708NVSkOHWEuEp6kVXp3D1vrPKWrhKncXGpVoSXyleN0N21cLFG7W0ZtVy7GmhNMAX/WvP
              7BT7Fp7/vpdlgnd+iBQL3V+dPkXCjhU5BSqjRfb6VgJWGTYc4871NyncQMjHfyN9sfC4OkhjmUzG
              InAi0CmL1RDGnNQH2aZC/aAULu0xICNNUNtdkWQZxF/CGoE/fJvZb0MlttDS0K0SGq1NTvtdV6+o
              KzvXSJOUrWZGMQqaleRI2Q94MkS2dJSZLME42A==
            </ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509Certificate>
                  MIIC2DCCAcSgAwIBAgIQ0sYmACMf36VAqyJdlu2wdjAJBgUrDgMCHQUAMBQxEjAQBgNVBAMTCWxv
                  Y2FsaG9zdDAeFw0xMTA5MjgxNDUzNDlaFw0xMjA5MjcyMDUzNDlaMBQxEjAQBgNVBAMTCWxvY2Fs
                  aG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK318Cr8hJK7uM4jo7VtiwdWriE0
                  0NV5ngHV68TvBK0odLSod5M/eNHWYtEUFiMIMomdXIi5LxhZ+wdwptJAnK26BaAiUpv6QTAUNc4e
                  Yvk7ioqWa+eRTPsTRFpZJLMjmvGSRVPmfAvH2q55JwYFMt5me+wsU6TplPuZ12I0K4qMzB5iRvlq
                  lnltDUdZQVSR81jgKwe0rEwaeAM3WDqaKfWvTepwBFg3eXhiMqcaQSevTTsvBR7Edsv7V42V/HKQ
                  FmYWx9qe4M/JgpngYpev/NB4ckQaJZr1wNwASyeXdTIDSdD7qBF9OehYBeLzCgBQbxFKHczMlCCT
                  I/JCvgPYUcsCAwEAAaMuMCwwCwYDVR0PBAQDAgTwMB0GA1UdDgQWBBQp3fpp/I/V1ooKPTW4cw12
                  /Cq0ATAJBgUrDgMCHQUAA4IBAQAgFI/5EtnY/RoU7NzHHjmo1Fx7efpPI28CWy2jqtxamD9c2lZ2
                  HXMrTFiaBJNBMwNCRfklxJLP5IffW6t5NzOhG5quFPNXa3eOTmCeL22dyq2EpGkRL1B8ynAtfMLr
                  Vcd2iyyxqFIjil1UpNJgMzuAKxx82dypzVSLwt0WBFYCRVr5gTlfXLwypeCpQlUYSTbqga/EDjPQ
                  wcpFd4N8MdbAsrm9uiIAfk8YtvdvRnD/lObSDV7jAeaqyhxK2UkcdEkRluJWtHdPwjk6C9la0NhN
                  wbdt4CRw/G/emEjb0NomvjZKVAk3sZpmfYdJ7IqWq4ORGkXN6tCpwoaRwVyuR2hM
                </ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
          <ns2:Subject>
            <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user1</ns2:NameID>
            <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <ns2:SubjectConfirmationData NotOnOrAfter="2012-03-01T06:54:15Z" Recipient="http://recipient.com/affwebservices/public/Adapter.jsp"/>
            </ns2:SubjectConfirmation>
          </ns2:Subject>
          <ns2:Conditions NotBefore="2012-02-29T04:14:15Z" NotOnOrAfter="2012-03-01T06:54:15Z">
            <ns2:AudienceRestriction>
              <ns2:Audience>https://127.0.0.1:8081/</ns2:Audience>
            </ns2:AudienceRestriction>
          </ns2:Conditions>
          <ns2:AuthnStatement AuthnInstant="2012-02-29T12:34:09Z" SessionIndex="wDiwzRXKbC8/9wa1hBzznE81CAw=rUA2mA==" SessionNotOnOrAfter="2012-03-01T06:54:15Z">
            <ns2:AuthnContext>
              <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
            </ns2:AuthnContext>
          </ns2:AuthnStatement>
        </ns2:Assertion>
      </RequestedSecurityToken>
    </RequestSecurityTokenResponse>

    Thanks and Regards,

    Kanduri

    Thursday, March 1, 2012, 7:02 AM
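The ID4157 text in the post already names the remedy: derive from Saml2SecurityTokenHandler and override ValidateConfirmationData. The handler below is an added example written for this page, not code from the post, from the asker's IDP or from Microsoft's WIF sources. Rather than switching the Recipient check off, it enforces the value: the token is accepted only when Recipient matches one of the relying party's own endpoint URLs, and the NotBefore/NotOnOrAfter that SubjectConfirmationData may carry are checked as well. It assumes the .NET 4.5 System.IdentityModel.Tokens namespace (on WIF 3.5/4.0 the same types live in Microsoft.IdentityModel.Tokens); the class name, the allowlist and clock-skew constructor parameters, and the two static helpers are my own, not WIF API.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;   // .NET 4.5 WIF; for WIF 3.5/4.0 use Microsoft.IdentityModel.Tokens (assumption)

// Added example: enforces SubjectConfirmationData/@Recipient instead of rejecting the token.
// Class name, constructor parameters and helper names are hypothetical, not part of WIF.
public class RecipientEnforcingSaml2TokenHandler : Saml2SecurityTokenHandler
{
    private readonly List<Uri> allowedRecipients;
    private readonly TimeSpan maxClockSkew;

    // allowedRecipients: the relying party's own endpoint URL(s), i.e. the address the IdP
    // posts the token to. maxClockSkew: tolerance applied to NotBefore/NotOnOrAfter.
    public RecipientEnforcingSaml2TokenHandler(IEnumerable<Uri> allowedRecipients, TimeSpan maxClockSkew)
    {
        if (allowedRecipients == null) throw new ArgumentNullException("allowedRecipients");
        this.allowedRecipients = new List<Uri>(allowedRecipients);
        this.maxClockSkew = maxClockSkew;
    }

    // Called by WIF while the token is validated. The default implementation throws ID4157 as
    // soon as a Recipient is present, so this override performs the checks itself.
    protected override void ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
    {
        if (confirmationData == null) throw new ArgumentNullException("confirmationData");

        if (confirmationData.Recipient == null)
        {
            // Nothing to enforce here: keep the default processing for everything else.
            base.ValidateConfirmationData(confirmationData);
            return;
        }

        CheckRecipient(confirmationData.Recipient, allowedRecipients);
        CheckValidityWindow(confirmationData.NotBefore, confirmationData.NotOnOrAfter,
                            DateTime.UtcNow, maxClockSkew);
    }

    // Recipient must match one of our endpoints on scheme, host, port, path and query.
    // Comparing the full URL, not just the host, prevents a token issued for a different
    // endpoint on the same server from being accepted here.
    public static void CheckRecipient(Uri recipient, IEnumerable<Uri> allowed)
    {
        foreach (Uri candidate in allowed)
        {
            int cmp = Uri.Compare(recipient, candidate,
                                  UriComponents.SchemeAndServer | UriComponents.PathAndQuery,
                                  UriFormat.Unescaped, StringComparison.Ordinal);
            if (cmp == 0) return;
        }
        throw new SecurityTokenValidationException(
            "SubjectConfirmationData Recipient '" + recipient + "' is not an endpoint of this relying party.");
    }

    // SubjectConfirmationData carries its own NotBefore/NotOnOrAfter in addition to <Conditions>;
    // both are optional, and each present value is checked with the configured skew.
    public static void CheckValidityWindow(DateTime? notBefore, DateTime? notOnOrAfter,
                                           DateTime nowUtc, TimeSpan skew)
    {
        if (notBefore.HasValue && nowUtc + skew < notBefore.Value.ToUniversalTime())
            throw new SecurityTokenValidationException(
                "SubjectConfirmationData is not yet valid (NotBefore=" + notBefore.Value.ToString("o") + ").");

        if (notOnOrAfter.HasValue && nowUtc - skew >= notOnOrAfter.Value.ToUniversalTime())
            throw new SecurityTokenValidationException(
                "SubjectConfirmationData has expired (NotOnOrAfter=" + notOnOrAfter.Value.ToString("o") + ").");
    }

    // Stand-alone demonstration using the Recipient value from the token in the post (constructed input).
    public static void Main()
    {
        var ourEndpoints = new[] { new Uri("http://recipient.com/affwebservices/public/Adapter.jsp") };

        CheckRecipient(new Uri("http://recipient.com/affwebservices/public/Adapter.jsp"), ourEndpoints);
        Console.WriteLine("Recipient from the posted token accepted");

        try
        {
            CheckRecipient(new Uri("http://recipient.com/other/Endpoint.jsp"), ourEndpoints);
        }
        catch (SecurityTokenValidationException ex)
        {
            Console.WriteLine("Rejected as expected: " + ex.Message);
        }
    }
}
```

To take effect the class has to replace the stock Saml2SecurityTokenHandler in the relying party's token handler collection (through the securityTokenHandlers configuration section or in code). Handlers registered from configuration are normally instantiated by WIF itself, so in that setup the allowlist would be read from configuration inside a parameterless constructor rather than passed in as above. Note also that in the posted token the Recipient (http://recipient.com/...) and the Audience (https://127.0.0.1:8081/) name different hosts; whichever URL the relying party actually receives the token on is the one that belongs in the allowlist.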

Answers

All replies