How to use issuedtokenmixedasymmetricbasic256sha256 endpoint of ADFS?

  • Question

  • I don't see an ADFS category in MSDN, so I can only ask the question in this forum, which I think is the most related...

    I've got 2 Relying Party Trusts (App1, App2) configured in ADFS. After the user's authentication following the SAML web flow, App1 finally got a SAML token: SamlToken1.

    The current situation is that the user's browser cannot visit App2 due to a firewall, so App2 cannot get a SAML token.

    The solution I thought of was using WS-Trust through the issuedtokenmixedasymmetricbasic256sha256 endpoint that ADFS provides:

    Step 1. Make App1 act as a WS-Trust client and send an RST (Request Security Token) to ADFS (endpoint issuedtokenmixedasymmetricbasic256sha256), with SAMLToken1 in the SOAP security header and the AppliesTo set to App2.

    Step 2. ADFS returns an encrypted SAML assertion within an RSTR to App1.

    Step 3. App1 sends another RST to App2, with the encrypted SAML assertion set as the security header.

    Step 4. App2 can get the SAML token.

    When doing the 1st step, ADFS returns "An error occurred when verifying security for the message"; the ADFS trace log gives only "Token of type 'urn:oasis:names:tc:SAML:2.0:assertion' got successfully authenticated", with no further log shown in ADFS.

    I'm using SoapUI to make the SOAP calls. I want to know how to use issuedtokenmixedasymmetricbasic256sha256 to send ADFS a SAML token in exchange for another SAML token.

    Thanks in advance!

    RST (namespaces shortened due to the link limitation):

    <soap:Envelope xmlns:soap="soap-envelope" xmlns:a="addressing" xmlns:ns="/ws-trust/200512">
        <soap:Header>
            <a:Action soap:mustUnderstand="1">ws-sx/ws-trust/200512/RST/Issue</a:Action>
            <a:To soap:mustUnderstand="1">ADFS_URL/adfs/services/trust/13/issuedtokenasymmetricbasic256sha256</a:To>
            <o:Security soap:mustUnderstand="1" xmlns:o="wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7d723310-961e-417a-bb94-ee32dad0a48c" IssueInstant="2016-11-22T06:03:43.454Z" Version="2.0">**SAML Token 1</Assertion>
            </o:Security>
        </soap:Header>
        <soap:Body>
            <trust:RequestSecurityToken xmlns:trust="**">
                <wsp:AppliesTo xmlns:wsp="schemas.xmlsoap.org/ws/2004/09/policy">
                    <a:EndpointReference>
                        <a:Address>App2</a:Address>
                    </a:EndpointReference>
                </wsp:AppliesTo>
                <trust:KeyType>ws-trust/200512/Bearer</trust:KeyType>
                <trust:RequestType>200512/Issue</trust:RequestType>
                <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
            </trust:RequestSecurityToken>
        </soap:Body>
    </soap:Envelope>
    Wednesday, November 23, 2016 4:21 AM
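The following is an added example, not code from the post or from ADFS: a Python pre-flight check, using only the standard library, that parses an RST shaped like the one above and lists what is missing or inconsistent before the message is sent, which is the first thing to look at when ADFS answers "An error occurred when verifying security for the message". It assumes the full standard namespace URIs (the post abbreviated them), and that a WCF-style asymmetric endpoint expects a wsu:Timestamp and a ds:Signature in the Security header alongside the presented assertion; the ADFS host name and the sample RST are constructed.

```python
import xml.etree.ElementTree as ET

NS = {  # full namespace URIs for the prefixes used in the post's RST
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WST = NS["t"]

def check_rst(xml_text, endpoint):
    """Return a list of findings for a WS-Trust 1.3 RST; an empty list means every check passed."""
    root, findings = ET.fromstring(xml_text), []
    def text(path):  # text of the first element matching path, or "" when absent
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else ""
    if text("s:Header/a:Action") != WST + "/RST/Issue":
        findings.append("wsa:Action is not " + WST + "/RST/Issue")
    to = text("s:Header/a:To")
    if to.rstrip("/").rsplit("/", 1)[-1] != endpoint:  # last path segment names the ADFS endpoint
        findings.append(f"wsa:To {to!r} does not address endpoint {endpoint!r}")
    sec = root.find("s:Header/o:Security", NS)
    if sec is None:
        findings.append("no wsse:Security header")
    else:  # assumption: what an asymmetric message-security endpoint expects in the header
        for tag, why in (("saml:Assertion", "the token being exchanged"),
                         ("u:Timestamp", "freshness; WCF message security includes one"),
                         ("ds:Signature", "proof of possession on an asymmetric endpoint")):
            if sec.find(tag, NS) is None:
                findings.append(f"wsse:Security lacks {tag} ({why})")
    rst = "s:Body/t:RequestSecurityToken/"
    if text(rst + "t:RequestType") != WST + "/Issue":
        findings.append("wst:RequestType is not " + WST + "/Issue")
    if not text(rst + "wsp:AppliesTo/a:EndpointReference/a:Address"):
        findings.append("wsp:AppliesTo has no Address (ADFS needs the target RP identifier)")
    return findings

# Constructed sample modelled on the post's RST: assertion present, no Timestamp, no Signature,
# and a wsa:To whose last segment is not the "mixed" endpoint named in the question.
SAMPLE_RST = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:t="{NS['t']}" xmlns:o="{NS['o']}"
 xmlns:wsp="{NS['wsp']}"><s:Header><a:Action s:mustUnderstand="1">{WST}/RST/Issue</a:Action>
 <a:To s:mustUnderstand="1">https://adfs.example.test/adfs/services/trust/13/issuedtokenasymmetricbasic256sha256</a:To>
 <o:Security s:mustUnderstand="1"><Assertion xmlns="{NS['saml']}" ID="_1" Version="2.0"/></o:Security>
 </s:Header><s:Body><t:RequestSecurityToken><wsp:AppliesTo><a:EndpointReference>
 <a:Address>App2</a:Address></a:EndpointReference></wsp:AppliesTo><t:KeyType>{WST}/Bearer</t:KeyType>
 <t:RequestType>{WST}/Issue</t:RequestType><t:TokenType>{NS['saml']}</t:TokenType>
 </t:RequestSecurityToken></s:Body></s:Envelope>"""
```

Running `check_rst(SAMPLE_RST, "issuedtokenmixedasymmetricbasic256sha256")` reports the endpoint mismatch plus the missing Timestamp and Signature; the Action, assertion, RequestType and AppliesTo checks pass.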