locked
Unsupported transform or canonicalization algorithm RRS feed

  • Question

  • User1110417307 posted

    Hello -

    I am working on an interoperability issue concerning validation of digital signature on a referenced SAML assertion in a SOAP message produced by a Java framework and consumed by a .NET framework. The client framework is .NET 4.5. The provider framework uses Apache WSS4J (with OpenSAML libraries). The SAML confirmation method is Sender-Vouches. The SAML assertion itself is referenced in the SOAP message using the wsse:SecurityTokenReference element with a KeyIdentifier element. We have determined through testing that the error is caused by use of the "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" algorithm in the transforms on the SAML reference. I am aware of KB 974842 and hotfix for what seems to be the same issue in the .NET 3.5 framework (http://support.microsoft.com/kb/974842). I am confident that the WSS4J framework is producing a SAML assertion that conforms with OASIS specifications. My questions:

    1. Was the hotfix ported to later versions of the .NET framework?

    2. Does the .NET 4.5 framework support use of the STR-Transform algorithm to resolve the SAML assertion from a reference for verification of the message-level signature on the assertion?

    Thank you for your help.

    Tuesday, June 3, 2014 7:04 PM

All replies

  • User1110417307 posted
    Thank you for the links. For a .NET client to consume a SOAP message bound to a signed SAML identity by reference, does a custom binding with useStrTransform="true" need to be defined in web.config?
    Friday, June 6, 2014 8:01 PM
  • User1110417307 posted

    Over the past couple weeks I have received confirmation from multiple sources that the .NET XML classes do not support a .NET client consumer of the STR-Transform algorithm specified in the OASIS Web Services Security SAML Token Profile. I would welcome input from anyone who has found a satisfactory standards-based solution for integrating a Java message producer and a .NET client consumer using the SAML Token Profile. Thank you.

    Monday, June 23, 2014 1:30 PM