Unable to read SAML 2.0 Assertion token in SOAP request received by Java client

  • Question

  • Hi, using .NET Framework 4.5, a WCF service is unable to handle a SAML 2.0 token received from a Java client over SSL.

    SAML 2.0 Assertion token in request looks like this:

    <saml:Assertion ID="j0D5E5C55ECE432F8D8A28CBF73607E55A48C9F0" IssueInstant="2014-10-30T18:17:43.976Z" Version="2.0" wsu:Id="id-8686A3C3EE681C7366141572433649126" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    	<saml:Issuer><!-- Removed --></saml:Issuer>
    	<saml:Subject>
    		<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"><!-- Removed --></saml:NameID>
    		<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
    	</saml:Subject>
    	<saml:Conditions NotBefore="2014-10-30T18:17:33.976Z" NotOnOrAfter="2014-10-30T18:17:53.976Z"/>
    	<saml:AttributeStatement>
    		<saml:Attribute Name="roles" NameFormat="http://xmlns.tibco.com/2008/10/saml">
    			<saml:AttributeValue xsi:type="xs:string"><!-- Removed --></saml:AttributeValue>
    		</saml:Attribute>
    	</saml:AttributeStatement>
    	<saml:AuthnStatement AuthnInstant="2014-10-30T18:17:43.969Z">
    		<saml:AuthnContext>
    			<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    		</saml:AuthnContext>
    	</saml:AuthnStatement>
    </saml:Assertion>

    Exception thrown when reading the token:

    <ExceptionType>System.Xml.XmlException, System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
    <Message>Cannot read the token from the 'Assertion' element with the 'urn:oasis:names:tc:SAML:2.0:assertion' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.</Message>
    <StackTrace>
    at System.ServiceModel.Security.WSSecurityTokenSerializer.ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
    at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
    at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
    at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
    at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
    at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
    at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
    at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)
    at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
    at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.CompleteParseAndEnqueue(IAsyncResult result)
    at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.HandleParseIncomingMessage(IAsyncResult result)
    at System.Runtime.AsyncResult.SyncContinue(IAsyncResult result)
    at System.ServiceModel.Channels.HttpPipeline.EmptyHttpPipeline.BeginProcessInboundRequest(ReplyChannelAcceptor replyChannelAcceptor, Action dequeuedCallback, AsyncCallback callback, Object state)
    at System.ServiceModel.Channels.HttpChannelListener`1.HttpContextReceivedAsyncResult`1.ProcessHttpContextAsync()
    at System.ServiceModel.Channels.HttpChannelListener`1.BeginHttpContextReceived(HttpRequestContext context, Action acceptorCallback, AsyncCallback callback, Object state)
    at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result)
    at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
    at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()
    at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state)
    at System.ServiceModel.AspNetPartialTrustHelpers.PartialTrustInvoke(ContextCallback callback, Object state)
    at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequestWithFlow(Object state)
    at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
    at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
    at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
    </StackTrace>

    Can you please tell me what's wrong with this token?

    I cannot use wsFederationHttpBinding since the message version is Soap11, so I have to use a customBinding. Config looks like this:

            <binding name="samlBinding">
              <textMessageEncoding messageVersion="Soap11" />
              <security authenticationMode="MutualCertificateDuplex" allowInsecureTransport="true" requireDerivedKeys="false"
                        securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt"
                        messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
                <issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"></issuedTokenParameters>
              </security>
              <httpsTransport requireClientCertificate="false" />
            </binding>

    Thanks for the help.



    Thursday, October 30, 2014 4:11 PM

Answers

  • Hi Jean-Michel,

    So for your scenario, the SAML assertion is actually not used for the entire message's security and it is just carried in the message header as a security token, correct?

    If so, you might consider creating a custom security token provider to help read and write the specific security token transferred within the SOAP message.

    #How to: Create a Custom Token
    http://msdn.microsoft.com/en-us/library/ms731872(v=vs.110).aspx

    and I'd suggest you download the WCF 4.0 SDK samples and check the SAML Token Provider one, which shows the code of building a custom SAML token provider to handle SAML tokens in WCF service messages. Although it focuses on SAML token handling on the client side, you can follow the idea to apply it on the service side, too.

    #SAML Token Provider
    http://msdn.microsoft.com/en-us/library/aa355062(v=vs.110).aspx

    #Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4
    http://www.microsoft.com/en-us/download/details.aspx?id=21459


    Thanks
    MSDN Community Support


    Tuesday, November 18, 2014 5:47 AM
    Moderator

All replies

  • Hi,

    For this situation, it may be a SAML Response with Encrypted Assertion which had no type definition as follows:

    The SAML received was as follows:

    <saml:EncryptedAssertion>

    when it should have been

    <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    For more information:

    http://stackoverflow.com/questions/11265312/getting-xml-namespace-error-while-reading-a-saml2-token

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/72e2cb3d-ac24-4cd6-94ce-ecbb735ce00e/saml-20-token-type-in-delegation-scenario?forum=Geneva

    Friday, October 31, 2014 7:34 AM
  • Unfortunately it's not related to my problem. I have a SAML assertion directly in a SOAP request, not SAML Response or SAML2-Protocol related. If you look at the assertion example posted, there is no EncryptedAssertion there.

    Thanks anyway.

    Friday, October 31, 2014 2:21 PM
  • Hi Jean-Michel Moulin,

    Since you are using .NET 4.5, you can use WIF (Windows Identity Foundation) to work with SAML 2.0 tokens. Please refer to http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx for more details. As to WCF itself, here is a discussion about SAML 2.0; I will confirm the current status internally if it is needed.

      >>  I have a SAML assertion directly in a SOAP request, not SAML Response or SAML2-Protocol related.

    As pointed out by Anders at http://stackoverflow.com/questions/6108564/problems-reading-authenticating-a-saml-assertion-in-net-using-wssecuritytokense, this complete working sample may provide some help to troubleshoot this issue.

    Also, may I know how you receive/consume the token from the Java client? Based on the error message, I'd like to suggest you check whether the assertion XML data has been encoded twice; a similar issue and solution for your reference: http://stackoverflow.com/questions/6099467/how-to-parse-a-saml-assertion-request-in-net?lq=1.

    Should you have any further concern, could you please provide a repro project via OneDrive? It would make it easier for us to find the root cause.

    Best Regards,

    Ming Xu



    Saturday, November 15, 2014 4:09 AM
  • Hi,

    Thanks for your reply. Unfortunately, your examples talk about SAML 2 Protocol and SAML 2 Response in a POST, not SAML Assertion in a SOAP request. The goal we want to achieve is:
     - SOAP 1.1 over HTTPS
     - Unsigned SAML 2.0 Assertion (not in a federated environment, so not signed by any issuer)
     - Signed SOAP envelope (Timestamp, Assertion and Body) by the client

    The client is Tibco ActiveMatrix Service Grid. So the message is signed to be sure the request comes from Tibco AMX. The SAML token is used to do fine-grained security. The SAML token is built by Layer7, in front of Tibco AMX.

    If I was to read the SAML Assertion myself, how can I do this? Because I am stuck with the default WCF behavior, which always gives me this error, and I cannot alter the SAML Assertion node since it is used to compute the SOAP envelope signature.

    Thanks.

    Monday, November 17, 2014 9:29 PM
  • Hi,

    Thanks for your reply. I've used those examples to make it work:
    http://msdn.microsoft.com/en-us/library/ms731872(v=vs.110).aspx
    http://bronumski.blogspot.ca/2011/11/this-has-been-hanging-around-in-my.html

    But instead of a "custom" token, I've used the Saml2SecurityToken and a wrapper of Saml2SecurityTokenHandler inside the custom serializer to read SAML 2.0 Assertion.

    Now I run into another problem with signature digest verification of the SAML 2.0 Assertion but I will make a new post for it.

    Thanks a lot !

    Wednesday, November 19, 2014 10:58 PM
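The approach described in the accepted answer (a custom token serializer) and in the last reply (a Saml2SecurityToken read through Saml2SecurityTokenHandler inside that serializer), written out as an added C# example. This is not code from the thread, from the poster or from Microsoft's SDK sample; it assumes .NET Framework 4.5 with WIF's System.IdentityModel, a service host using the customBinding from the question, and that WCF asks the token manager for an authenticator with the SAML 2.0 token type configured in issuedTokenParameters. The class names, the five-minute clock skew and the claim mapping are illustrative choices. One point worth making explicit: with sender-vouches and no issuer signature, the assertion alone proves nothing; the only thing binding it to Tibco AMX is the client's signature over Timestamp, Assertion and Body, so the client certificate check under MutualCertificateDuplex must stay on, and the lifetime and subject checks below are in addition to it, not a substitute.

```csharp
// Added example, not code from the thread. Assumes .NET Framework 4.5 with
// System.IdentityModel (WIF) and System.ServiceModel referenced.
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Xml;

// 1. Serializer: route <saml:Assertion> (SAML 2.0 namespace) to WIF's
//    Saml2SecurityTokenHandler; every other token goes to the stock serializer.
public class Saml2AwareTokenSerializer : WSSecurityTokenSerializer
{
    public const string Saml2Ns = "urn:oasis:names:tc:SAML:2.0:assertion";
    private readonly Saml2SecurityTokenHandler handler;

    public Saml2AwareTokenSerializer(SecurityVersion version, Saml2SecurityTokenHandler handler)
        : base(version) { this.handler = handler; }

    protected override bool CanReadTokenCore(XmlReader reader)
    { return reader.IsStartElement("Assertion", Saml2Ns) || base.CanReadTokenCore(reader); }

    protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
    {
        // ReadToken parses the assertion into a Saml2SecurityToken; it does not validate it.
        if (reader.IsStartElement("Assertion", Saml2Ns)) return handler.ReadToken(reader);
        return base.ReadTokenCore(reader, tokenResolver);
    }
}

// 2. Authenticator: an unsigned assertion proves nothing by itself; trust rests on the
//    SOAP envelope signature (Timestamp, Assertion, Body) that WCF verifies against the
//    client certificate. Here we enforce the validity window and map subject/attributes to claims.
public class SenderVouchesSaml2Authenticator : SecurityTokenAuthenticator
{
    private static readonly TimeSpan ClockSkew = TimeSpan.FromMinutes(5); // assumed tolerance

    protected override bool CanValidateTokenCore(SecurityToken token) { return token is Saml2SecurityToken; }

    protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
    {
        Saml2Assertion a = ((Saml2SecurityToken)token).Assertion;
        Saml2Conditions c = a.Conditions;
        DateTime now = DateTime.UtcNow;
        if (c == null || !c.NotBefore.HasValue || !c.NotOnOrAfter.HasValue)
            throw new SecurityTokenValidationException("Assertion must carry NotBefore and NotOnOrAfter.");
        if (now + ClockSkew < c.NotBefore.Value || now - ClockSkew >= c.NotOnOrAfter.Value)
            throw new SecurityTokenValidationException("Assertion is outside its validity window.");
        if (a.Subject == null || a.Subject.NameId == null)
            throw new SecurityTokenValidationException("Assertion has no subject NameID.");

        var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, a.Subject.NameId.Value) };
        foreach (Saml2AttributeStatement st in a.Statements.OfType<Saml2AttributeStatement>())
            foreach (Saml2Attribute attr in st.Attributes)
                foreach (string value in attr.Values)
                    claims.Add(new Claim(attr.Name, value)); // e.g. the "roles" attribute in the question

        IAuthorizationPolicy policy = new AuthorizationPolicy(new ClaimsIdentity(claims, "SAML2-sender-vouches"));
        return new ReadOnlyCollection<IAuthorizationPolicy>(new[] { policy });
    }
}

// 3. ServiceCredentials whose token manager hands WCF the serializer and the authenticator.
public class Saml2ServiceCredentials : ServiceCredentials
{
    private const string Saml2TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    private readonly Saml2SecurityTokenHandler handler;

    // Saml2SecurityTokenHandler.ReadToken throws if Configuration is null, so give it one.
    public Saml2ServiceCredentials()
    { handler = new Saml2SecurityTokenHandler { Configuration = new SecurityTokenHandlerConfiguration() }; }
    private Saml2ServiceCredentials(Saml2ServiceCredentials other) : base(other) { handler = other.handler; }
    protected override ServiceCredentials CloneCore() { return new Saml2ServiceCredentials(this); }
    public override SecurityTokenManager CreateSecurityTokenManager() { return new Manager(this); }

    private class Manager : ServiceCredentialsSecurityTokenManager
    {
        private readonly Saml2ServiceCredentials creds;
        public Manager(Saml2ServiceCredentials creds) : base(creds) { this.creds = creds; }

        // Matches the binding's messageSecurityVersion (WSSecurity10...) shown in the question.
        public override SecurityTokenSerializer CreateSecurityTokenSerializer(SecurityTokenVersion version)
        { return new Saml2AwareTokenSerializer(SecurityVersion.WSSecurity10, creds.handler); }

        public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(
            SecurityTokenRequirement requirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (requirement.TokenType != Saml2TokenType)
                return base.CreateSecurityTokenAuthenticator(requirement, out outOfBandTokenResolver);
            outOfBandTokenResolver = null;
            return new SenderVouchesSaml2Authenticator();
        }
    }
}
```

Install it on the host before Open() with `host.Description.Behaviors.Remove<ServiceCredentials>(); host.Description.Behaviors.Add(new Saml2ServiceCredentials());`, then set `ServiceCertificate.Certificate` and the client certificate validation mode on the new credentials exactly as you would on the default ones. The signature digest problem mentioned in the last reply is separate from reading the token and is not addressed by this plumbing.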