ADFS 1 has Recipient, ADFS 2 has not - Receiving SAML 2.0 Assertions via WS-Trust

    Question

  • Hi,

    I am noticing a strange difference in my ADFS and my customer's. I am receiving a SAML 2.0 Bearer assertion via WS-Trust and a .Net Client making use of WIF. In my ADFS I get the recipient. My customer is using the same code but here there's no recipient in. Configuration is the same as far as I could see.

    When does ADFS put a recipient into the assertion?

    Mine

    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Bob</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData NotOnOrAfter="2014-01-30T16:40:21.776Z"/>
        </SubjectConfirmation>
    </Subject>

    The customer's subject

    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ATES</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData NotOnOrAfter="2014-01-16T14:38:31.650Z" Recipient="https://host/url/url" />
        </SubjectConfirmation>
    </Subject>

    Regards,

    Mathias

    Thursday, January 30, 2014 6:07 PM
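    As an added example (not code from this thread), here is the relying-party-side check a bearer assertion like the two above needs. The two subjects from the question are wrapped in a minimal SAML 2.0 Assertion element so they parse stand-alone; the expected recipient URL and the clock are assumed. It shows why the missing Recipient matters: a bearer assertion proves nothing but possession, so without Recipient the receiver cannot pin it to its own endpoint.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML2}

# Constructed samples: the two <Subject> fragments from the question, wrapped in
# a minimal <Assertion> (no signature, no Conditions) so they parse on their own.
WITHOUT_RECIPIENT = f"""<Assertion xmlns="{SAML2}"><Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Bob</NameID>
  <SubjectConfirmation Method="{BEARER}">
    <SubjectConfirmationData NotOnOrAfter="2014-01-30T16:40:21.776Z"/>
  </SubjectConfirmation></Subject></Assertion>"""

WITH_RECIPIENT = f"""<Assertion xmlns="{SAML2}"><Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ATES</NameID>
  <SubjectConfirmation Method="{BEARER}">
    <SubjectConfirmationData NotOnOrAfter="2014-01-16T14:38:31.650Z" Recipient="https://host/url/url"/>
  </SubjectConfirmation></Subject></Assertion>"""


def parse_utc(ts):
    """Parse a SAML xsd:dateTime in UTC ("...Z") into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_bearer_confirmation(assertion_xml, expected_recipient, now, require_recipient=True):
    """Return (ok, reason) for the bearer SubjectConfirmation of a SAML 2.0 assertion.

    Enforces the time window (NotOnOrAfter) and, when present, that Recipient is
    this endpoint. require_recipient=False tolerates a missing Recipient, which is
    the situation the question describes for tokens issued over WS-Trust.
    """
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("NotOnOrAfter") is None:
            return False, "bearer confirmation without NotOnOrAfter"
        if now >= parse_utc(data.get("NotOnOrAfter")):
            return False, "assertion expired"
        recipient = data.get("Recipient")
        if recipient is None:
            if require_recipient:
                return False, "no Recipient: cannot pin assertion to this endpoint"
            return True, "accepted without Recipient (not bound to this endpoint)"
        if recipient != expected_recipient:
            return False, "Recipient %s is not this endpoint" % recipient
        return True, "bearer confirmation bound to this endpoint"
    return False, "no bearer SubjectConfirmation"
```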

All replies

  • What's the RST coming from the client look like in both cases?

    Developer Security MVP | www.syfuhs.net

    Thursday, January 30, 2014 6:22 PM
  • They are the same in both cases. Retrieved with this code.

    // Namespaces assumed for .NET 4.5, where WIF is part of the framework; on
    // WIF 3.5 the same types live under Microsoft.IdentityModel.Protocols.WSTrust.
    using System.IdentityModel.Protocols.WSTrust;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    // use the correct binding!
    WSTrustChannelFactory factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        "https://servername/adfs/services/trust/13/usernamemixed");

    factory.TrustVersion = TrustVersion.WSTrust13;

    // for the moment just username password
    factory.Credentials.UserName.UserName = user;
    factory.Credentials.UserName.Password = password;

    // AppliesTo is the relying party identifier configured in ADFS (placeholder value)
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointAddress("RP_URLOfGWIdentifier"),
        KeyType = KeyTypes.Bearer,
        TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
    };

    // issue the token; rstr carries the full RequestSecurityTokenResponse
    IWSTrustChannelContract channel = factory.CreateChannel();
    RequestSecurityTokenResponse rstr;
    SecurityToken token = channel.Issue(rst, out rstr);
    


    Friday, January 31, 2014 8:10 PM
  • Hi,

    I am experiencing the same issue when using ADFS with WIF and not having a recipient included with the SubjectConfirmationData. Were you able to determine how to get it to be included?

    Thanks,

    Justin

    Wednesday, February 12, 2014 2:45 PM
  • I've found some sort of workaround for this:

    See this question

    It's a bit ugly, but it works...


    Augusto Ruiz :: http://geeks.ms/blogs/aruiz

    Wednesday, July 16, 2014 9:25 AM