office365 - WIF: "The signing token Generic XML token ... has no keys"
I'm working for a customer who is trying to get a token from microsoftonline (Office 365) using their on-prem ADFS. In short:
- Request a token from the on-prem STS (ADFS)
- Send the received token to the federated STS (microsoftonline)
Right now I have working code that sends hard-coded SOAP messages to ADFS and microsoftonline. I'm trying to refactor this code to use WIF, but I'm having a hard time getting step 2 to work. I can manage step 1 fine, but when I try to call microsoftonline I get the following error:
```text
An unhandled exception of type 'System.InvalidOperationException' occurred in mscorlib.dll

Additional information: The signing token Generic XML token:
  validFrom: 09/30/2015 13:25:40
  validTo: 09/30/2015 14:25:40
  InternalTokenReference: SamlAssertionKeyIdentifierClause(AssertionId = '_622096af-9cb5-4b19-b69d-5d60639c16e3')
  ExternalTokenReference: SamlAssertionKeyIdentifierClause(AssertionId = '_622096af-9cb5-4b19-b69d-5d60639c16e3')
  Token Element: (Assertion, urn:oasis:names:tc:SAML:1.0:assertion)
has no keys. The security token is used in a context that requires it to perform cryptographic operations, but the token contains no cryptographic keys. Either the token type does not support cryptographic operations, or the particular token instance does not contain cryptographic keys. Check your configuration to ensure that cryptographically disabled token types (for example, UserNameSecurityToken) are not specified in a context that requires cryptographic operations (for example, an endorsing supporting token).
```
Here is the code I have so far. The error is thrown when calling channel.Issue.
```csharp
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public static SecurityToken GetRstsToken(SecurityToken idpToken)
{
    var binding = new IssuedTokenWSTrustBinding2();
    binding.SecurityMode = SecurityMode.TransportWithMessageCredential;

    var factory = new WSTrustChannelFactory(
        binding,
        "https://login.microsoftonline.com/rst2.srf");
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.SupportInteractive = false;
    factory.Credentials.UseIdentityConfiguration = true;

    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointReference("urn:crmemea:dynamics.com"),
    };

    // The token obtained from ADFS is attached to the channel as the issued token.
    var channel = factory.CreateChannelWithIssuedToken(idpToken);
    SecurityToken returnValue = channel.Issue(rst); // throws here
    return returnValue;
}
```
The call to GetRstsToken is preceded by a call to the method GetToken. The output of GetToken is passed to GetRstsToken. I used Fiddler to check the SOAP messages, and they are identical to the SOAP messages sent in the current - working - code. The only things that differ are the fields you would expect (IDs, timestamps, etc.).
```csharp
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public static SecurityToken GetToken(string username, string password)
{
    // Username authentication over transport security
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        "https://sts.windesheim.nl/adfs/services/trust/13/usernamemixed");
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;
    factory.Credentials.UseIdentityConfiguration = true;

    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointReference("urn:federation:MicrosoftOnline"),
        KeyType = KeyTypes.Bearer
    };

    var channel = factory.CreateChannel();
    SecurityToken returnValue = channel.Issue(rst);
    return returnValue;
}
```
Note: UserNameWSTrustBinding and IssuedTokenWSTrustBinding are from Thinktecture.IdentityModel (https://github.com/identitymodel/thinktecture.identitymodel.45).
For reference, here are the -working- SOAP messages:
- To the on-prem STS

SOAP request

```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:755c37dd-eee4-4e7e-a9e0-be3c6289b46a</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">[sts_url]</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2015-06-10T08:21:44.804Z</u:Created>
        <u:Expires>2015-06-10T08:26:44.804Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-3e6d680b-4cb1-4c38-aff8-93c8fa8bd0c6-1">
        <o:Username>[username]</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[password]</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>urn:federation:MicrosoftOnline</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>
```
SOAP response

```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</a:Action>
    <a:RelatesTo>urn:uuid:755c37dd-eee4-4e7e-a9e0-be3c6289b46a</a:RelatesTo>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2015-06-10T08:21:45.097Z</u:Created>
        <u:Expires>2015-06-10T08:26:45.097Z</u:Expires>
      </u:Timestamp>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <trust:RequestSecurityTokenResponse>
        <trust:Lifetime>
          <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-06-10T08:21:45.082Z</wsu:Created>
          <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2015-06-10T09:21:45.082Z</wsu:Expires>
        </trust:Lifetime>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <trust:RequestedSecurityToken>
          <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_68133973-ed12-49d7-9f43-421bcfe43162" Issuer="http://windesheim.nl/adfs/services/trust/" IssueInstant="2015-06-10T08:21:45.097Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:Conditions NotBefore="2015-06-10T08:21:45.082Z" NotOnOrAfter="2015-06-10T09:21:45.082Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AttributeStatement>
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[..]</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>[username]</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
                <saml:AttributeValue>[..]</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2015-06-10T08:21:45.082Z">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[..]</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
            </saml:AuthenticationStatement>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_68133973-ed12-49d7-9f43-421bcfe43162">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>[..]</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>[..]</ds:SignatureValue>
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>[..]</X509Data>
              </KeyInfo>
            </ds:Signature>
          </saml:Assertion>
        </trust:RequestedSecurityToken>
        <trust:RequestedAttachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">[some_guid]</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedAttachedReference>
        <trust:RequestedUnattachedReference>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">[some_guid]</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </trust:RequestedUnattachedReference>
        <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
        <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
        <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      </trust:RequestSecurityTokenResponse>
    </trust:RequestSecurityTokenResponseCollection>
  </s:Body>
</s:Envelope>
```
- To the federated STS

SOAP request

```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:0c1704ed-2ef3-4718-87fa-97734518b13f</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://login.microsoftonline.com/rst2.srf</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2015-06-10T08:21:45.418Z</u:Created>
        <u:Expires>2015-06-10T08:26:45.418Z</u:Expires>
      </u:Timestamp>
      <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_68133973-ed12-49d7-9f43-421bcfe43162" Issuer="http://windesheim.nl/adfs/services/trust/" IssueInstant="2015-06-10T08:21:45.097Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml:Conditions NotBefore="2015-06-10T08:21:45.082Z" NotOnOrAfter="2015-06-10T09:21:45.082Z">
          <saml:AudienceRestrictionCondition>
            <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[..]</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
            <saml:AttributeValue>[username]</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
            <saml:AttributeValue>[..]</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2015-06-10T08:21:45.082Z">
          <saml:Subject>
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[..]</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_68133973-ed12-49d7-9f43-421bcfe43162">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>[..]</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>[..]</ds:SignatureValue>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>[..]</X509Data>
          </KeyInfo>
        </ds:Signature>
      </saml:Assertion>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>urn:crmemea:dynamics.com</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
```
For future googlers (I'm not the OP):

I had created a SAML bearer token and was trying to exchange it for a JWT at ADFS. I needed to set the KeyType property to avoid the error:
```csharp
var binding = new IssuedTokenWSTrustBinding();
binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
binding.KeyType = SecurityKeyType.BearerKey;

// set up the WS-Trust channel factory
var factory = new WSTrustChannelFactory(binding, new EndpointAddress(options.AdfsIssuedTokenMixedEndpoint))
{
    TrustVersion = TrustVersion.WSTrust13
};
```
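Both hops with the answer's KeyType fix applied, as an added example that is not the OP's code or Thinktecture's own sample. It assumes the Thinktecture bindings live in the Thinktecture.IdentityModel.WSTrust namespace and that the caller supplies the ADFS usernamemixed endpoint, the credentials and the target realm.

```csharp
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Thinktecture.IdentityModel.WSTrust; // assumed namespace of the Thinktecture bindings
public static class BearerTokenExchange
{
    // Hop 1: authenticate at the on-prem ADFS STS with a username/password and ask
    // for a bearer SAML 1.1 token scoped to the Office 365 federation realm.
    public static SecurityToken GetIdpToken(string adfsUserNameMixedUrl, string user, string pwd)
    {
        var factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            adfsUserNameMixedUrl) { TrustVersion = TrustVersion.WSTrust13 };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = pwd;
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference("urn:federation:MicrosoftOnline"),
            KeyType = KeyTypes.Bearer // bearer: ADFS issues no proof key with the token
        };
        return factory.CreateChannel().Issue(rst);
    }
    // Hop 2: present the bearer token to the federated STS. The binding must also be told
    // that the issued token is a bearer token. Without KeyType = BearerKey, WIF treats it as
    // an endorsing supporting token and tries to sign the request with a key the token does
    // not carry, which is exactly the "signing token ... has no keys" exception.
    public static SecurityToken ExchangeAtFederatedSts(SecurityToken idpToken, string realm)
    {
        var binding = new IssuedTokenWSTrustBinding
        {
            SecurityMode = SecurityMode.TransportWithMessageCredential,
            KeyType = SecurityKeyType.BearerKey
        };
        var factory = new WSTrustChannelFactory(binding, "https://login.microsoftonline.com/rst2.srf")
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.SupportInteractive = false;
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(realm) // e.g. "urn:crmemea:dynamics.com"
        };
        // The bearer assertion goes into the WS-Security header as a supporting token.
        return factory.CreateChannelWithIssuedToken(idpToken).Issue(rst);
    }
}
```

Note that the captured working request to login.microsoftonline.com uses the WS-Trust February 2005 action and namespace (http://schemas.xmlsoap.org/ws/2005/02/trust), so if the WS-Trust 1.3 request is rejected, the second hop's TrustVersion should be changed to TrustVersion.WSTrustFeb2005 to match.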