TokenType value in SecurityTokenReference element (SAML Token Profile 1.1)

  • Question

  • I have just noticed that when signing a message with a SAML 2.0 Token using Geneva, in the <SecurityTokenReference> element the TokenType attribute is specified using the URI "urn:oasis:names:tc:SAML:2.0:assertion".

    However, version 1.1 of the SAML Token Profile (section 3.4) states that the URI that MUST be used is "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".

    Is this by design? Is there a configuration element that I am missing to specify that this URI will be used?

    Many thanks for any help on this.


    YoY
    Thursday, November 5, 2009 10:12 AM

All replies

  • This looks like a bug. I noticed this discrepancy also when comparing existing SAML 2.0 tokens we process and the tokens created by WIF.

    In the WriteKeyIdentifierClause method of the Saml2SecurityTokenHandler class, the following code fragment exists:-

    // wsse:SecurityTokenReference in the WS-Security 1.0 namespace
    writer.WriteStartElement("SecurityTokenReference", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    ...
    // wsse11:TokenType, written here with the SAML 2.0 assertion namespace rather than the profile 1.1 URI
    writer.WriteAttributeString("TokenType", "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", "urn:oasis:names:tc:SAML:2.0:assertion");
    // wsse:KeyIdentifier whose ValueType does use the profile 1.1 URI
    writer.WriteStartElement("KeyIdentifier", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    writer.WriteAttributeString("ValueType", "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID");
    ...
    writer.WriteEndElement(); // KeyIdentifier
    writer.WriteEndElement(); // SecurityTokenReference

    Probably need clarification from the identity team as to whether this issue is addressed in an upcoming WIF release.
    Regards Wilko31
    Friday, November 6, 2009 12:00 PM
  • Hi,

    I checked the RC bits today and this bug appears to have been addressed.

    writer.WriteAttributeString("TokenType", "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");

    Regards Wilko31
    Monday, November 9, 2009 6:45 AM
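As an added check illustrating the two posts above (not code from the thread or from WIF), the following parses a wsse:SecurityTokenReference and verifies that its TokenType attribute is the URI that SAML Token Profile 1.1 requires for the referenced assertion's SAML version, reporting the pre-RC case where the assertion namespace was written instead. The two sample references are constructed to mirror the fragments Wilko31 quoted.

```python
"""Verify wsse11:TokenType on a SecurityTokenReference against WSS SAML Token Profile 1.1."""
import xml.etree.ElementTree as ET

WSSE_10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE_11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
PROFILE_11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# TokenType value the profile mandates, keyed by the namespace of the referenced assertion.
EXPECTED_TOKEN_TYPE = {
    "urn:oasis:names:tc:SAML:1.0:assertion": PROFILE_11 + "#SAMLV1.1",
    SAML2_NS: PROFILE_11 + "#SAMLV2.0",
}


def check_token_type(str_xml, assertion_ns):
    """Return (ok, message); ok is True only when TokenType is the profile URI for assertion_ns."""
    root = ET.fromstring(str_xml)
    if root.tag != "{%s}SecurityTokenReference" % WSSE_10:
        return False, "not a wsse:SecurityTokenReference element"
    expected = EXPECTED_TOKEN_TYPE.get(assertion_ns)
    if expected is None:
        return False, "unknown assertion namespace %s" % assertion_ns
    token_type = root.get("{%s}TokenType" % WSSE_11)  # attribute lives in the wsse11 namespace
    if token_type is None:
        return False, "TokenType attribute missing"
    if token_type == expected:
        return True, "TokenType matches SAML Token Profile 1.1"
    if token_type == assertion_ns:
        # The beta behaviour reported in the thread: assertion namespace instead of the profile URI.
        return False, "TokenType is the assertion namespace; profile 1.1 requires %s" % expected
    return False, "unexpected TokenType %s" % token_type


def build_str(token_type):
    """Constructed sample reference in the shape WriteKeyIdentifierClause emits."""
    return (
        '<wsse:SecurityTokenReference xmlns:wsse="%s" xmlns:wsse11="%s" wsse11:TokenType="%s">'
        '<wsse:KeyIdentifier ValueType="%s#SAMLID">_constructed-assertion-id</wsse:KeyIdentifier>'
        "</wsse:SecurityTokenReference>" % (WSSE_10, WSSE_11, token_type, PROFILE_11)
    )


BUGGY_STR = build_str(SAML2_NS)                     # pre-RC output
FIXED_STR = build_str(PROFILE_11 + "#SAMLV2.0")     # RC output

if __name__ == "__main__":
    for label, doc in (("beta", BUGGY_STR), ("rc", FIXED_STR)):
        print(label, check_token_type(doc, SAML2_NS))
```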
  • Wilko,

    Thank you for looking into this. I thought it would be a bug. I raised it because I have been hugely impressed with Microsoft's acceptance of, and adherence to, open standards, and thought they would want to know about this one!

    Regards,


    YoY
    Monday, November 9, 2009 8:49 AM