orouit

Hi,

I have developed an STS on a device that generates a SAML Assertion
which is signed. I have checked this XML assertion against an original
created by WCF with the same parameters. I'm willing to use this
SAML/RSTR through a WCF proxy, but I'm building the RSTR/SAML without
using the .NET framework on a PC, so I cannot use any WCF class to build
this RSTR/SAML; I get an XML text representation.

They perfectly match (Digest and Signature are perfectly the same).

I can import this SAML when it's not signed into the SamlAssertion using
the ReadXml method, then I add the SigningCredentials and it works perfectly.

However if I import the same way the Signed XML it is imported but the
RSTR built with this SAML is rejected by WCF.

I found out that when I import the signed XML, the field
SigningCredentials is not initialized by the import method, while the
signature is verified. I decompiled the code of WCF and apparently the
import of the XML assertion doesn't initialize this field, which causes
it to be rejected at the WS-Trust level of WCF.

Could anyone from MS tell if this is a bug in the code of
SamlAssertion.ReadSignature, or if there is a way to do it that works?

In the same manner I built a complete RSTR including the signed
SAML token, which I could verify against the equivalent built using WCF, and it
is also rejected by WCF after I construct a Message object using the
CreateMessage method to import the XML data.
This worked with the February CTP with a different SAML token using
Combined Entropy as Proof-of-Holder but doesn't work anymore with the
May one.

Is anyone out there trying to do some interoperation work with WCF and
InfoCard?
Thks & Rgds
Olivier Rouit
Gemalto
Advanced Token

PS: I also posted this in an old Indigo forum but no answer




Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Gudge

Hi Olivier,

Can you clarify what you mean by 'I can import this SAML'?

Thanks

Gudge





Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

orouit

Hi,

I generate a SAML assertion as an XML string and I'm trying to load it into the SamlAssertion class.

Here is the code I use.

    // Builds the assertion as an XML string; signSaml selects whether it is signed at generation.
    string myAssertion = GemplusIssuer.IssueSAMLToken(assertId, identityKeyIdentifier, supportingClaims,
        context.ServiceInstance.ServiceUri.AbsoluteUri, issueInstant.AddHours(-2), base.TokenLifetime, signSaml);

    // Wrap the XML text in a dictionary reader so that SamlSerializer can consume it.
    StreamReader reader = new StreamReader(new MemoryStream(ASCIIEncoding.ASCII.GetBytes(myAssertion.ToCharArray())));
    XmlDictionaryReader dictRead = XmlDictionaryReader.CreateDictionaryReader(new XmlTextReader(reader));
    SamlSerializer ser = new SamlSerializer();
    WSSecurityTokenSerializer keySer = new WSSecurityTokenSerializer();
    SecurityContextSecurityTokenResolver tokenRes = new SecurityContextSecurityTokenResolver(4096, true);

    // Parses the assertion. If it carries a <ds:Signature> the signature is verified here,
    // but SigningCredentials is left null.
    SamlAssertion assertion = ser.LoadAssertion(dictRead, keySer, tokenRes);

    if (!signSaml) // if set to true myAssertion is signed at generation, otherwise it is not signed
    {
        assertion.SigningCredentials = issuerCredentials; // Assertion is not signed, give the credentials
    }

    internalClause = new SamlAssertionKeyIdentifierClause(assertion.AssertionId);
    externalClause = new SamlAssertionKeyIdentifierClause(assertion.AssertionId);

    SamlSecurityToken token = new SamlSecurityToken(assertion);
    return token;

This code is extracted from the method GenerateIssuedToken of the class Microsoft.ServiceModel.Samples.SecurityTokenServices.SamlSecurityTokenIssuer

I modified the original code to generate my own SAML assertion.

As I said in my previous post, when I generate a non-signed assertion it works fine; if my assertion is signed (and strictly the same as the one the sample code would make) the LoadAssertion works but the SigningCredentials field is null. The SamlSecurityToken instance is used by the sample to build the complete RSTR, but it is rejected when it is encrypted.

The call to WriteToken of SecurityTokenSerializer throws the following exception: No Signing Credentials has been set for the SAML token. Cannot create unsigned SAML tokens. Please set a valid signing credentials.

I decompiled the code of LoadAssertion and I didn't see any assignment of the SigningCredentials when the XML data is loaded. However I could see that the signature is verified with the certificate I provide in the KeyInfo element. Is there something I didn't see that would allow loading a signed XML into the SamlAssertion object? Maybe in the July CTP, which I haven't installed yet. The sample we are using doesn't work anymore with the June CTP, which is why we still use the May CTP. This sample was taken from the MIX conference VPC and was given by Philippe Beraud of MS France.

Thks
Olivier






Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Bob Owen

Have you had an answer to this problem,
or
could someone give an answer?

I'm experiencing the same problem.

I assume that the SigningCredentials isn't populated, as this would be used to sign the SAML and it is already signed.

Presumably the bug is that it doesn't allow the SigningCredentials to be null when the SAML is already signed.





Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

orouit

Hi,

I didn't get any answer for this and I assumed that the bug was because it was a CTP. After that I redeveloped a complete STS from scratch and I didn't try again. I developed the STS that way because it runs in a MF CLR that doesn't implement WCF or WSE (not even generics...). Importing a SAML token into WCF was an intermediate step for me, so I bypassed it.

I decompiled the code and I found out that the credentials were not extracted from the XML, that's why it was not working. I tried to give the SigningCredentials separately but even then it was not working.

Are you using the release version of WCF? I thought that since the July CTP there was no more support for RST/RSTR in WCF.

Olivier






Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Govind Ramanathan

Hi Olivier,

The SAML Assertion ReadXml does not populate the SigningCredentials when reading in an Assertion. When your STS issues a signed SAML, do you know the credentials it uses? If so, can you remove the if (!signSaml) check in your code and assign SigningCredentials to the SamlAssertion always?

Thanks,

Govind






Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Bob Owen

Thanks for the quick responses.

I'm using the release version.

The SAML is being created and signed by a separate STS.

I can't set the SigningCredentials as I don't have the private key of the STS (nor should I have).

Surely this is the way this should work normally.
If the client could sign the SAML itself, the whole trust relationship is broken.

All the SamlAssertion needs to do is store the signature when it is de-serialised (which I believe it does).
When it is then serialised back out to XML, it should recognise that it already has a signature and write it out into the XML.

Cheers,
Bob




Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Govind Ramanathan - MSFT

Hi Bob,

Yes, you are right. SamlAssertion does store the signature it reads and it should be using that while serializing the SAML out. This is a known issue and we are planning to fix this for the next upcoming release. Thank you for your feedback!

In the mean time if you want to re-serialize a received SAML token, you can do it with some custom code. Take a look at http://blogs.msdn.com/govindr/archive/2006/10/24/re-serialize-saml-token.aspx.

Thanks,

Govind






Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Bob Owen

Thanks Govind,

Thought it must be a bug.

I'll try using your example to store and replay the original xml.

We've already got a lot of the custom classes because we had to work around the bug where SAML attributes can't contain XML.
We've written our own XmlSamlAttribute to handle this.

Cheers,
Bob




Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Govind Ramanathan - MSFT

Hi Bob,

The SAML schema is very extensible. We decided to support the well-defined ones out-of-the-box and provide extensibility points to help the open schema model. The issue with SAML attributes is not a bug. You can add arbitrary XML into any SAML element, but the question is how will WCF handle this out-of-the-box? How to make sense out of this? How to differentiate this from an incorrect schema, and so on. Your solution to write a custom SamlAttribute is the correct solution here.

Thanks,

Govind






Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Bob Owen

Hi Govind,

Once we fixed the serialisation problem it all worked.

However I implemented things slightly differently from your example.

Instead of creating a new Token Serialiser, I did the following:

In the custom SAML serialiser I overrode WriteToken like this:

    public override void WriteToken(SamlSecurityToken token, XmlWriter writer, SecurityTokenSerializer keyInfoSerializer)
    {
        // Delegate to the assertion itself; it writes the stored signature back out.
        XmlDictionaryWriter dictionaryWriter = XmlDictionaryWriter.CreateDictionaryWriter(writer);
        token.Assertion.WriteXml(dictionaryWriter, this, keyInfoSerializer);
    }

and in the custom Token Manager I overrode CreateSecurityTokenSerializer like this:

    public override SecurityTokenSerializer CreateSecurityTokenSerializer(SecurityTokenVersion version)
    {
        // Same as the framework code, but plugs in our own SAML serialiser.
        return new WSSecurityTokenSerializer(SecurityVersion.WSSecurity11, true, new CustomSamlSerializer(), null, null);
    }

This is basically a lift from the framework code except that I pass in our new SAML serialiser. Also, I can't do the down cast to MessageSecurityTokenVersion because it is internal, which is pretty annoying.
I will have to check that I am using the correct thing for the first two parameters.

Does this solution look OK?

Cheers,
Bob





Re: Windows Communication Foundation (Indigo) Import of a Signed SAML assertion in SamlAssertion class (May CTP)

Govind Ramanathan - MSFT

Hi Bob,

That looks fine. I guess you have overridden the LoadAssertion method of the custom SAML serializer too, right?

- Govind
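The "store and replay the original XML" workaround that Govind points to and that Bob implements above, written out as one custom SamlSerializer. This is an added example, not code from the thread, from the linked blog post or from WCF; it assumes the .NET 3.0 System.IdentityModel API (SamlSerializer.LoadAssertion / WriteToken, SamlAssertion.SigningToken) and a process-local cache keyed by AssertionID. The class name ReplaySamlSerializer and the cache are the example's own. The security-relevant detail is that the bytes kept for replay are the same bytes the stock parser verifies the issuer's signature over, so a token that verified on the way in is replayed unchanged on the way out, and the relying party never needs the issuer's private key.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Xml;

// Added example: keeps the exact XML of each issuer-signed <saml:Assertion>
// it parses and writes that XML back out, so the signature survives a round
// trip even though SamlAssertion.SigningCredentials is never populated.
public sealed class ReplaySamlSerializer : SamlSerializer
{
    // Raw assertion XML keyed by AssertionID. Assumption: AssertionIDs are
    // unique for the lifetime of this serializer; a production version should
    // drop entries once the assertion's NotOnOrAfter has passed.
    private readonly Dictionary<string, string> rawXmlById = new Dictionary<string, string>();

    public override SamlAssertion LoadAssertion(XmlDictionaryReader reader,
        SecurityTokenSerializer keyInfoSerializer,
        SecurityTokenResolver outOfBandTokenResolver)
    {
        if (reader == null) throw new ArgumentNullException("reader");
        reader.MoveToContent();

        // Capture the assertion as received. Rebuilding the element from the
        // object model (prefix changes, whitespace, attribute order) would
        // break the XML-DSig digest, so the captured string is what we replay.
        string rawXml = reader.ReadOuterXml();

        // Parse the captured copy with the stock reader: the signature is
        // verified over exactly the bytes we will replay, and a normal
        // SamlAssertion comes back.
        using (XmlReader textReader = XmlReader.Create(new StringReader(rawXml)))
        using (XmlDictionaryReader dictReader = XmlDictionaryReader.CreateDictionaryReader(textReader))
        {
            SamlAssertion assertion = base.LoadAssertion(dictReader, keyInfoSerializer, outOfBandTokenResolver);

            // Only assertions that carried a verified signature need replaying;
            // unsigned ones are signed by WCF using SigningCredentials as usual.
            if (assertion.SigningToken != null)
            {
                lock (rawXmlById)
                {
                    rawXmlById[assertion.AssertionId] = rawXml;
                }
            }
            return assertion;
        }
    }

    public override void WriteToken(SamlSecurityToken token, XmlWriter writer,
        SecurityTokenSerializer keyInfoSerializer)
    {
        if (token == null) throw new ArgumentNullException("token");
        if (writer == null) throw new ArgumentNullException("writer");

        string rawXml;
        lock (rawXmlById)
        {
            rawXmlById.TryGetValue(token.Assertion.AssertionId, out rawXml);
        }

        if (rawXml == null)
        {
            // Locally issued assertion: SigningCredentials is set, let WCF sign it.
            base.WriteToken(token, writer, keyInfoSerializer);
            return;
        }

        // Replay the issuer-signed bytes verbatim; no local key is involved.
        using (XmlReader rawReader = XmlReader.Create(new StringReader(rawXml)))
        {
            rawReader.MoveToContent();
            writer.WriteNode(rawReader, false);
        }
    }
}
```

It plugs in the same way Bob's CustomSamlSerializer does, by passing an instance to the WSSecurityTokenSerializer constructor from an overridden CreateSecurityTokenSerializer in the custom token manager. One check worth doing on the target deployment: feed a received RSTR through LoadAssertion and confirm that base.LoadAssertion accepts the re-parsed copy without a signature error, since that confirms the captured string still canonicalizes to the signed bytes before anything is replayed to a relying party.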