Hi,
my scenario: I want to authenticate at an SSL-secured WS endpoint with a SAML 1.1 assertion that has an asymmetric key. The STS runs on SSL as well. The authentication method here is UsernameToken.
Here's my endpoint binding:
<binding name="EP">
  <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
  <security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenOverTransport"
            requireDerivedKeys="true" messageProtectionOrder="SignBeforeEncrypt"
            messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
            requireSecurityContextCancellation="false">
    <issuedTokenParameters keySize="0" keyType="AsymmetricKey"
                           tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
      <issuer address="https://wss-w2003-dev:9011/STS"
              binding="customBinding" bindingConfiguration="STS" />
      <issuerMetadata address="https://wss-w2003-dev:9011/STS/mex" />
    </issuedTokenParameters>
    <secureConversationBootstrap authenticationMode="AnonymousForCertificate"
                                 messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
  </security>
  <httpsTransport />
</binding>
It references the STS binding, which is:
<binding name="STS">
  <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
  <security defaultAlgorithmSuite="Default" authenticationMode="UserNameOverTransport"
            requireDerivedKeys="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
            messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
            requireSecurityContextCancellation="true">
    <issuedTokenParameters>
      <issuer address="">
        <identity>
          <certificateReference x509FindType="FindBySerialNumber" findValue="133ab09100000000000c" />
        </identity>
      </issuer>
    </issuedTokenParameters>
    <secureConversationBootstrap authenticationMode="UserNameOverTransport" />
  </security>
  <httpsTransport authenticationScheme="Anonymous" keepAliveEnabled="false"
                  requireClientCertificate="false" />
</binding>
The client message to the STS looks fine, i.e. the created RSA key pair is inside the RST. But on the STS side I get this error:
Message security verification failed. ---> System.InvalidOperationException: Supporting token signatures not expected.
How can I get my scenario running? I can even switch to certificates if this is needed.
Regards,
Mathias
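As an added example (not part of the original post, and not WCF code), the following Python script parses the two bindings posted above and lays the token-related settings of the endpoint and the STS side by side, which is the first thing a reviewer wants to see when a message-security error like the one quoted appears. The `<bindings>` wrapper, the function names and the finding texts are this example's own; the attribute values are copied from the post, and the note about the endorsing token reflects the semantics of WCF's IssuedTokenOverTransport mode.

```python
"""Added example (not from the original post or from WCF): parse the two
customBinding fragments posted above and report the settings that decide
how the SAML token is requested and presented, plus the points a reviewer
would check first. Finding texts are this script's own wording."""
import xml.etree.ElementTree as ET

# Both bindings from the post, wrapped in a <bindings> root so they parse as
# one document. Attribute values are copied from the post; the URLs that the
# post shows line-wrapped are written on one line here.
SAMPLE_CONFIG = """<bindings>
<binding name="EP">
  <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
  <security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenOverTransport"
      requireDerivedKeys="true" messageProtectionOrder="SignBeforeEncrypt"
      messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
      requireSecurityContextCancellation="false">
    <issuedTokenParameters keySize="0" keyType="AsymmetricKey"
        tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
      <issuer address="https://wss-w2003-dev:9011/STS" binding="customBinding" bindingConfiguration="STS" />
      <issuerMetadata address="https://wss-w2003-dev:9011/STS/mex" />
    </issuedTokenParameters>
    <secureConversationBootstrap authenticationMode="AnonymousForCertificate"
        messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
  </security>
  <httpsTransport />
</binding>
<binding name="STS">
  <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
  <security defaultAlgorithmSuite="Default" authenticationMode="UserNameOverTransport"
      requireDerivedKeys="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
      messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
      requireSecurityContextCancellation="true">
    <issuedTokenParameters>
      <issuer address="">
        <identity>
          <certificateReference x509FindType="FindBySerialNumber" findValue="133ab09100000000000c" />
        </identity>
      </issuer>
    </issuedTokenParameters>
    <secureConversationBootstrap authenticationMode="UserNameOverTransport" />
  </security>
  <httpsTransport authenticationScheme="Anonymous" keepAliveEnabled="false" requireClientCertificate="false" />
</binding>
</bindings>"""


def _get(elem, name):
    """Attribute lookup that tolerates a missing element."""
    return None if elem is None else elem.get(name)


def summarize_binding(binding):
    """Pull out the attributes that decide how a token is issued and presented."""
    sec = binding.find("security")
    itp = sec.find("issuedTokenParameters") if sec is not None else None
    issuer = itp.find("issuer") if itp is not None else None
    boot = sec.find("secureConversationBootstrap") if sec is not None else None
    https = binding.find("httpsTransport")
    return {
        "name": binding.get("name"),
        "authenticationMode": _get(sec, "authenticationMode"),
        "requireDerivedKeys": _get(sec, "requireDerivedKeys"),
        "keyType": _get(itp, "keyType"),
        "keySize": _get(itp, "keySize"),
        "tokenType": _get(itp, "tokenType"),
        "issuerAddress": _get(issuer, "address"),
        "issuerBindingConfiguration": _get(issuer, "bindingConfiguration"),
        "bootstrapMode": _get(boot, "authenticationMode"),
        "httpsTransport": https is not None,
        "requireClientCertificate": _get(https, "requireClientCertificate"),
    }


def audit(xml_text):
    """Return (summaries keyed by binding name, list of review findings)."""
    root = ET.fromstring(xml_text)
    summaries = {b.get("name"): summarize_binding(b) for b in root.findall("binding")}
    findings = []
    for name, s in summaries.items():
        ref = s["issuerBindingConfiguration"]
        if ref is not None and ref not in summaries:
            findings.append(f"{name}: issuer bindingConfiguration '{ref}' matches no binding")
        if s["issuerAddress"] == "":
            findings.append(f"{name}: issuedTokenParameters/issuer has an empty address")
        if s["authenticationMode"] in ("IssuedTokenOverTransport", "UserNameOverTransport") \
                and not s["httpsTransport"]:
            findings.append(f"{name}: {s['authenticationMode']} relies on the transport "
                            "for protection but no httpsTransport is present")
        if s["keyType"] == "AsymmetricKey":
            findings.append(f"{name}: client generates the RSA proof key, so the issued token "
                            "is presented as an endorsing supporting token signed with it")
        if s["requireClientCertificate"] == "false" and s["authenticationMode"] == "UserNameOverTransport":
            findings.append(f"{name}: clients are identified by UsernameToken only; "
                            "TLS client certificates are not required")
    return summaries, findings


if __name__ == "__main__":
    summaries, findings = audit(SAMPLE_CONFIG)
    for s in summaries.values():
        print(s)
    for f in findings:
        print("-", f)
```

Running the script prints one summary dict per binding followed by the findings; for the posted configuration it reports the empty issuer address on the STS binding and the client-generated proof key on the endpoint binding, which is where the "Supporting token signatures" in the error come from.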