The AudienceUri in the SamlAssertion cannot be validated. This can be resolved by making configuration changes to the 'issuedTokenAuthentication' element in the 'serviceBehaviors' section. You can add valid uris using the 'allowedAudienceUris' element

  • Question

  • Hi,

    I was getting the above error even when I added the allowedAudienceUri code. Please let me know what I am doing wrong.

    <serviceBehaviors>

            <behavior name="CalculatorServiceBehavior">

              <!-- 
              The serviceCredentials behavior allows one to define a service certificate.
              A service certificate is used by a client to authenticate the service and provide message protection.
              This configuration references the "localhost" certificate installed during the setup instructions.
              -->
              <serviceMetadata httpGetEnabled="true" />
              <serviceCredentials>
                <!-- Set allowUntrustedRsaIssuers to true to allow self-signed, asymmetric key based SAML tokens -->
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"  >
                  <allowedAudienceUris>
                    <add allowedAudienceUri="http://localhost:54852/Service_WsFederation.svc"/>
                  </allowedAudienceUris>

                  <!--Add Alice to the list of certs trusted to issue SAML tokens -->
                  <knownCertificates>
                    <add storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="CertToken"/>
                  </knownCertificates>
                </issuedTokenAuthentication>

                <clientCertificate>
                 <!-- <certificate />-->
                  <authentication certificateValidationMode="PeerOrChainTrust"   />

                </clientCertificate>
                <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="WcfServer"/>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>

    But in the WCF trace the message is "Message security verification failed.". In the InnerException I see this exception again:

    <Message>The AudienceUri in the SamlAssertion cannot be validated.  This can be resolved by making configuration changes to the 'issuedTokenAuthentication' element in the 'serviceBehaviors' section.  You can add valid uris using the 'allowedAudienceUris' element.  This check can also be changed using the 'audienceUriMode' attribute.  At runtime setting the IssuedTokenAuthentication object's properties: AllowedAudienceUris and AudienceUriMode will have similar results.</Message>
    <StackTrace>
    at System.IdentityModel.Selectors.SamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
    at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
    at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message&amp; message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.SymmetricSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    </StackTrace>
    <ExceptionString>System.IdentityModel.Tokens.SecurityTokenException: The AudienceUri in the SamlAssertion cannot be validated.  This can be resolved by making configuration changes to the 'issuedTokenAuthentication' element in the 'serviceBehaviors' section.  You can add valid uris using the 'allowedAudienceUris' element.  This check can also be changed using the 'audienceUriMode' attribute.  At runtime setting the IssuedTokenAuthentication object's properties: AllowedAudienceUris and AudienceUriMode will have similar results.
       at System.IdentityModel.Selectors.SamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
       at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
       at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
       at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
       at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
       at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
       at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
       at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message&amp; message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
       at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)</ExceptionString>


    priyanka

    Wednesday, September 17, 2014 2:15 PM

All replies

  • Hi,

    For this situation, allowedAudienceUris represents a collection of target URIs for which the SamlSecurityToken security token can be targeted for in order to be considered valid by a SamlSecurityTokenAuthenticator instance.

    You should use this collection in a federated application that utilizes a security token service (STS) that issues SamlSecurityToken security tokens. When the STS issues the security token, it can specify the URI of the Web services for which the security token is intended by adding a SamlAudienceRestrictionCondition to the security token. That allows the SamlSecurityTokenAuthenticator for the recipient Web service to verify that the issued security token is intended for this Web service by specifying that this check should happen by doing the following:

    • Set the audienceUriMode attribute of <issuedTokenAuthentication> to Always or BearerKeyOnly.
    • Specify the set of valid URIs, by adding the URIs to this collection.

    For more information about Federated Security, you could refer to:

    http://msdn.microsoft.com/en-us/library/ms730908

    Regards

    Monday, September 22, 2014 5:10 AM
    Moderator
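To make the check the moderator describes concrete, here is an added example (not code from the thread or from WCF itself) that simulates how SamlSecurityTokenAuthenticator applies audienceUriMode and allowedAudienceUris: it parses a constructed SAML 1.1 assertion, extracts the Audience values under AudienceRestrictionCondition, and compares them with the configured list using exact URI equality (the same normalisation .NET's Uri.Equals does: case-insensitive scheme and host, default ports dropped), never prefix matching. The sample assertion is constructed to carry the audience with a trailing slash, which is enough to make the configured value from the question fail, and a missing AudienceRestrictionCondition fails too when the mode is Always.

```python
# Added example, not part of the thread: approximates WCF's SAML audience check
# so a configured allowedAudienceUri can be compared with what the STS issued.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def audiences_in_assertion(assertion_xml: str) -> list:
    """Return the <saml:Audience> values under AudienceRestrictionCondition."""
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML1_NS}}}AudienceRestrictionCondition/{{{SAML1_NS}}}Audience"
    return [(a.text or "").strip() for a in root.findall(path)]


def _uri_equal(a: str, b: str) -> bool:
    """Ordinal match, or equality after Uri.Equals-style normalisation
    (case-insensitive scheme/host, default port dropped, fragment ignored).
    Path, query and trailing slash must still match exactly."""
    if a == b:
        return True

    def norm(uri):
        p = urlsplit(uri)
        port = p.port
        if (p.scheme.lower(), port) in (("http", 80), ("https", 443)):
            port = None
        return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path, p.query)

    return norm(a) == norm(b)


def validate_audience(assertion_xml, allowed_uris, mode="Always", bearer=True):
    """mode mirrors audienceUriMode: Never skips the check, BearerKeyOnly checks
    only tokens without a proof key, Always checks every token.
    Returns True when the audience restriction would be accepted."""
    if mode == "Never" or (mode == "BearerKeyOnly" and not bearer):
        return True
    audiences = audiences_in_assertion(assertion_xml)
    if not audiences:  # no AudienceRestrictionCondition at all also fails
        return False
    return any(_uri_equal(aud, ok) for aud in audiences for ok in allowed_uris)


# Constructed sample assertion (the STS copied the client's AppliesTo here).
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://localhost:54852/Service_WsFederation.svc/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_audience(ASSERTION, ["http://localhost:54852/Service_WsFederation.svc"]))
```

When the error from the question appears, compare the Audience value in the received assertion (visible in the WCF trace) character by character with the configured allowedAudienceUri; port, path and trailing slash all have to agree.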
  • Hi,

    Thanks for reply.

    Actually I need a SAML 2.0 token in the SOAP header. Currently I have started with Helloworld_service and Helloworld_client.

    From the below link :

    http://msdn.microsoft.com/en-us/library/ms730908.

    <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://localhost/FederationSample/STS-B/STS.svc" />
      <issuerMetadata address="http://localhost/FederationSample/STS-B/STS.svc/mex" />
      <requiredClaimTypes>
        <add claimType="http://tempuri.org:accessAuthorized" />
      </requiredClaimTypes>
    </message>

    I know the STS is also a web service.

    Do we need to write this (http://localhost/FederationSample/STS-B/STS.svc) service, or do I need to invoke it?

    Please clarify this. Then I can start working on the SAML 2.0 bearer token.

    Thanks


    priyanka

    Monday, September 22, 2014 7:19 PM