Remove From My Forums

Issuing Asymmetric SAML 1.1 assertion but the error is: Supporting token signatures not expected

Question
0

Sign in to vote

Hi,

my scenario: I want to authenticate at an SSL secured WS endpoint with a SAML 1.1 assertion having an asymmetric key. The STS runs on SSL as well. Authentication Method here is UsernameToken.

Here's my endpoint binding:

<binding name="EP">
          <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
          <security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenOverTransport"
            requireDerivedKeys="true" messageProtectionOrder="SignBeforeEncrypt"
            messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
            requireSecurityContextCancellation="false">
            <issuedTokenParameters keySize="0" keyType="AsymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
              <issuer address="https://wss-w2003-dev:9011/STS"
                binding="customBinding" bindingConfiguration="STS" />
              <issuerMetadata address="https://wss-w2003-dev:9011/STS/mex" />
            </issuedTokenParameters>
            <secureConversationBootstrap authenticationMode="AnonymousForCertificate"
              messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
          </security>
          <httpsTransport />
</binding>

It's referencing the STS binding which can be found here:

<binding name="STS">
          <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
          <security defaultAlgorithmSuite="Default" authenticationMode="UserNameOverTransport"
            requireDerivedKeys="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
            messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
            requireSecurityContextCancellation="true">
            <issuedTokenParameters>
              <issuer address="">
                <identity>
                  <certificateReference x509FindType="FindBySerialNumber" findValue="133ab09100000000000c" />
                </identity>
              </issuer>
            </issuedTokenParameters>
            <secureConversationBootstrap authenticationMode="UserNameOverTransport" />
          </security>
          <httpsTransport authenticationScheme="Anonymous" keepAliveEnabled="false"
            requireClientCertificate="false" />
</binding>

The client message to the STS looks fine. That means that the created RSA key pair is inside the RST. But on the STS side I get an error

Message security verification failed. ---> System.InvalidOperationException: Supporting token signatures not expected.

How can I get my scenario running? I can even switch to certificates if this is needed.

Regards,
Mathias

Thursday, November 6, 2008 1:31 PM

Answers

0

Sign in to vote
Hi Mathias,

The key size that you're using looks to be wrong. Is there any reason you set it to "0" bits?

Thanks,
Abhijeet.
- Proposed as answer by Bo Chen at MicrosoftModerator Friday, November 7, 2008 12:50 AM
- Marked as answer by Marc GoodnerMicrosoft employee Monday, April 13, 2009 4:18 PM
Thursday, November 6, 2008 6:27 PM

Moderator

Answered by:

Issuing Asymmetric SAML 1.1 assertion but the error is: Supporting token signatures not expected

Question

Answers