Issuing Asymmetric SAML 1.1 assertion but the error is: Supporting token signatures not expected

  • Question

    Hi,

    My scenario: I want to authenticate at an SSL-secured WS endpoint with a SAML 1.1 assertion having an asymmetric key. The STS runs on SSL as well. The authentication method here is UsernameToken.

    Here's my endpoint binding:

    <binding name="EP">
      <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
      <security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenOverTransport"
        requireDerivedKeys="true" messageProtectionOrder="SignBeforeEncrypt"
        messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
        requireSecurityContextCancellation="false">
        <issuedTokenParameters keySize="0" keyType="AsymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
          <issuer address="https://wss-w2003-dev:9011/STS"
            binding="customBinding" bindingConfiguration="STS" />
          <issuerMetadata address="https://wss-w2003-dev:9011/STS/mex" />
        </issuedTokenParameters>
        <secureConversationBootstrap authenticationMode="AnonymousForCertificate"
          messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
      </security>
      <httpsTransport />
    </binding>

    It references the STS binding, which is this one:

    <binding name="STS">
      <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
      <security defaultAlgorithmSuite="Default" authenticationMode="UserNameOverTransport"
        requireDerivedKeys="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
        messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
        requireSecurityContextCancellation="true">
        <issuedTokenParameters>
          <issuer address="">
            <identity>
              <certificateReference x509FindType="FindBySerialNumber" findValue="133ab09100000000000c" />
            </identity>
          </issuer>
        </issuedTokenParameters>
        <secureConversationBootstrap authenticationMode="UserNameOverTransport" />
      </security>
      <httpsTransport authenticationScheme="Anonymous" keepAliveEnabled="false"
        requireClientCertificate="false" />
    </binding>

    The client message to the STS looks fine; that is, the created RSA key pair is inside the RST. But on the STS side I get an error:

    Message security verification failed. ---> System.InvalidOperationException: Supporting token signatures not expected.

    How can I get my scenario running? I can even switch to certificates if this is needed.

    Regards,
    Mathias
    Thursday, November 6, 2008 1:31 PM

Answers