ADFS 1 has Recipient, ADFS 2 has not - Receiving SAML 2.0 Assertions via WS-Trust -

Question

Hi,

I am noticing a strange difference in my ADFS and my customer's. I am receiving a SAML 2.0 Bearer assertion via WS-Trust and a .Net Client making use of WIF. In my ADFS I get the recipient. My customer is using the same code but here there's no recipient in. Configuration is the same as far as I could see.

When does ADFS put a recipient into the assertion?

Mine

       <Subject>

             <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Bob</NameID>

             <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

                    <SubjectConfirmationData NotOnOrAfter="2014-01-30T16:40:21.776Z"/>

             </SubjectConfirmation>

       </Subject>

The customers subject

<Subject>
         <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ATES</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData NotOnOrAfter="2014-01-16T14:38:31.650Z" Recipient="https://host/url/url" />
         </SubjectConfirmation>
      </Subject>

Regards,

Mathias

Answer 1

What's the RST coming from the client look like in both cases?

---

Developer Security MVP | www.syfuhs.net

Answer 2

They are the same in both cases. Retrieved with this code.

// use the correct binding!
WSTrustChannelFactory factory = new WSTrustChannelFactory(
	new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
	"https://servername/adfs/services/trust/13/usernamemixed");

factory.TrustVersion = TrustVersion.WSTrust13;

// for the moment just username password
factory.Credentials.UserName.UserName = user;
factory.Credentials.UserName.Password = password;

var rst = new RequestSecurityToken
{
   RequestType = RequestTypes.Issue,
	AppliesTo = new EndpointAddress(“RP_URLOfGWIdentifier”),
	KeyType = KeyTypes.Bearer,
	TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
};               

IWSTrustChannelContract channel = factory.CreateChannel();
RequestSecurityTokenResponse rstr;
SecurityToken token = channel.Issue(rst, out rstr);

Answer 3

Hi,

I am experiencing the same issue when using ADFS with WIF and not having a recipient included with the SubjectConfirmationData. Were you able to determine how to get it to be included?

Thanks,

Justin

Answer 4

I've found some sort of Workaround for this:

See this question

It's a bit ugly, but it works...

---

Augusto Ruiz :: http://geeks.ms/blogs/aruiz