Exchanging SAML2 token with BinaryToken using WCF

  • Question

  • Hi,

    I'm new to WCF and currently working with PingFederate demo product.

    The basic flow is as follows:

    Client (.net console app) - makes authentication request on Identity Provider (using Username/Password credentials) and receives SAML2 Token in response.

    The second step is exchanging the SAML2 token with the SP to get a lightweight SSO token (simple binary token).

    PingFederate SDK provides such functionality (implemented using Microsoft.Web.Services3).

    I want to implement the same flow using WCF.

    I was able to get SAML2 token from IDP using WS2007FederationHttpBinding.

    But when asking to authenticate on the SP with the issued token, in the response I see (in Fiddler) that the SP sends the token, but I'm getting the exception "ID3135: The element 'TokenType' with namespace 'http://docs.oasis-open.org/ws-sx/ws-trust/200512' has value 'BASE64BINARY' which is not an absolute URI."

    As I understand, I need to add support for BinaryToken (custom security token), but I didn't find a tutorial / explanation of such a flow for the client (there are a few examples for ASP.NET, but not much information for the client-side implementation).

    Any help on this topic is highly appreciated.

    Thursday, February 4, 2016 10:07 AM

All replies

  • You can subclass the UserNamePasswordValidator class and override the Validate method.  This will allow you to return true or false depending on whatever criteria you set, including validating custom username/password pairs stored in your database.  I believe that there's a sample in the SDK demonstrating this.

    Also, if your application is secure then there must be a way of authenticating the caller as well as protecting the messages for every call made. What happens by default is that there's a 'handshake' that occurs on the first call of the secure session. This handshake will include several messages, the result of which is that there will be a symmetric key exchange between the client and the server. Once the handshake is complete, this key will be used to secure the message on all subsequent messages. As long as the channel remains open between the client and the server you won't have to keep sending the UsernameToken over and over. If you're interested in seeing the handshake messages or the other subsequent messages, I encourage you to trace the envelopes.


    • Edited by Mankdng Nef Friday, February 5, 2016 2:46 PM
    Friday, February 5, 2016 2:44 PM
  • Thank you for your reply, my issue is the connection to STS where I need to authenticate using SAML2 token (received from the IdP) to get simple binary token.

    I'm looking for the way to add a handler for such token (from code).

    Sunday, February 7, 2016 2:12 PM
  • Hello,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Best Regards,
    Amy Peng


    Wednesday, February 17, 2016 7:18 AM
    Moderator