How WSSE UsernameToken Id is generated in WCF - asp.net

I am trying to generate a soap message for a WCF service. The service is using UserNameOverTransport with message security version WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.
I got the header sample
<o:UsernameToken u:Id="uuid-7f6455d4-42ab-49fa-8b25-35427c00bb7a-1">
<o:Username>xxx#xxx.com</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyy</o:Password>
</o:UsernameToken>
The client is not going to be in .Net. Can anyone help me in figuring out how the id is generated?

If you ask this question because your authentication is not working, you likely don't need the Id label.
As we can see in this specification from the xmlsoap.org website,
4.1. UsernameToken Element
/UsernameToken/#Id
A string label for this security token.
This element is just a label and its goal is just to provide identification to the UsernameToken element (you can name it with "myToken" or something else).
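As an added example (not code from the question, the answer, or WCF itself), the following Python builds the same `<o:Security>` header shape shown above for a non-.NET client, using a freshly generated `uuid-<guid>-1` label for `u:Id` just to look like the WCF sample; any message-unique string would do. It also shows the `PasswordDigest` variant from the same UsernameToken profile and the server-side recomputation, since `PasswordText` relies entirely on the transport (TLS) to protect the password. Namespaces and the Type URIs are taken from the page's sample; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os
import uuid
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Namespaces exactly as in the sample header on the page.
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
for _prefix, _uri in (("s", SOAP12), ("o", WSSE), ("u", WSU)):
    ET.register_namespace(_prefix, _uri)


def new_token_id():
    """Produce a label shaped like WCF's 'uuid-<guid>-1'. Any string that is
    unique within the message is acceptable; the spec only calls it a label."""
    return f"uuid-{uuid.uuid4()}-1"


def _wsu_time(dt):
    # xsd:dateTime in UTC with millisecond precision, as in the page's sample.
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_security_header(username, password, token_id=None, digest=False, now=None):
    """Return an <o:Security> element (hypothetical helper, not a WCF API).
    digest=True sends Base64(SHA-1(nonce + created + password)) instead of the
    clear-text password; PasswordText still needs TLS underneath either way."""
    now = now or datetime.now(timezone.utc)
    created = _wsu_time(now)
    token_id = token_id or new_token_id()

    security = ET.Element(f"{{{WSSE}}}Security", {f"{{{SOAP12}}}mustUnderstand": "1"})
    # Timestamp bounds the replay window; 5 minutes matches the page's sample.
    ts = ET.SubElement(security, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "_0"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = _wsu_time(now + timedelta(minutes=5))

    tok = ET.SubElement(security, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": token_id})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        nonce = os.urandom(16)
        pw.set("Type", PASSWORD_DIGEST)
        pw.text = base64.b64encode(
            hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()
        ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    else:
        pw.set("Type", PASSWORD_TEXT)
        pw.text = password
    return security


def serialize(element):
    return ET.tostring(element, encoding="unicode")


def token_id_of(security_xml):
    """Parse a serialized header and return the UsernameToken's u:Id label."""
    tok = ET.fromstring(security_xml).find(f"{{{WSSE}}}UsernameToken")
    return tok.get(f"{{{WSU}}}Id")


def password_fields(security_xml):
    """Extract what a receiver needs to check the password element."""
    tok = ET.fromstring(security_xml).find(f"{{{WSSE}}}UsernameToken")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.find(f"{{{WSSE}}}Nonce")
    created = tok.find(f"{{{WSU}}}Created")
    return {
        "type": pw.get("Type"),
        "value": pw.text,
        "nonce": nonce.text if nonce is not None else None,
        "created": created.text if created is not None else None,
    }


def verify_password_digest(password, nonce_b64, created, digest_b64):
    """Receiver-side recomputation for the PasswordDigest variant."""
    nonce = base64.b64decode(nonce_b64)
    expected = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(serialize(build_security_header("user@example.test", "secret", token_id="myToken")))
```

Passing `token_id="myToken"` produces a header the service accepts just as readily as the `uuid-...-1` form, which is the answer's point: the value is a label, not a derived or secret quantity.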

Related

What is the correct way to configure Identity Server 3 for authorization code flow with SPAs?

We have an instance of Identity Server 3 which has been used for some time with various clients, some using implicit flow, others using client credentials. We now have a new requirement to integrate an iOS native app with this identity provider. I understand these days implicit flow is not recommended and public facing apps should instead be using authorization code flow. Examples of such advice are here and here.
By my understanding, authorization code flow has a step whereby a received authorization code is exchanged for JWT tokens via some back channel by supplying it alongside a client ID and secret. However, with SPAs and native apps we don't have the luxury of storing secrets. The guidance I found here would suggest I can simply omit the secret from the connect/token request, but my testing so far doesn't confirm this. So I'm stuck. To demonstrate, I've set up a client on my local instance of IS3 to test with:
{
'clientId': 'test',
'flow': 'AuthorizationCode',
'name': 'test',
'redirectUris': [ 'http://localhost:8080/' ],
'scopes': ['openid','profile']
}
I then make the following GET request to my IdP:
[ID_PROVIDER]/connect/authorize?client_id=test&redirect_uri=http%3A%2F%2Flocalhost%3A8080&scope=openid%20profile&response_type=code
This lets me sign in and returns me to my test app running at http://localhost:8080 with my authorization code in the querystring.
I now try to exchange this code for JWT tokens by POSTing to [ID_PROVIDER]/connect/token with the following body: code=[AUTH_CODE]&grant_type=authorization_code&client_id=test&redirect_uri=http%3A%2F%2Flocalhost%3A8080
But Identity Server rejects this with an HTTP 400 and invalid_client error. When I dig into its logs I see a ClientSecretValidator event with message "No client secret found". Which kind of makes sense based on my understanding outlined above, but given people are recommending using this flow for public-facing apps I must be misunderstanding something.
If anyone could clarify that'd be great, thanks.
You can't just omit the client secret. For your native case, I'd consider embedding the secret within the app. The authorize request will still have to validate the return_uri (custom URI scheme for your native app) and if that still feels insecure, you can also lean on Proof of possession (PoP) tokens (https://identityserver.github.io/Documentation/docsv2/pop/overview.html).
For a SPA app I would keep it implicit flow, I see no point in doing secrets there.
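The standard mechanism by which a public client (SPA or native app) completes the authorization code flow without a client secret is PKCE (RFC 7636): the client sends a `code_challenge` on the authorize request and the matching `code_verifier` on the token request, and the server recomputes the challenge instead of checking a secret. PKCE is not mentioned in the thread above, and whether the asker's IdentityServer 3 build accepts `code_challenge` is not something the page states. The following Python is an added example (not IdentityServer code) of both halves of that check; the `[ID_PROVIDER]` host, client id and redirect URI are the thread's own placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data):
    # Base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes=32):
    # 32 random bytes encode to 43 characters, the minimum verifier length.
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier):
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(idp, client_id, redirect_uri, scope, verifier, state):
    """Client side, step 1: the authorize request from the thread plus the
    PKCE challenge and a state value to bind the callback to this session."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{idp}/connect/authorize?{urlencode(params)}"


def build_token_request_body(code, client_id, redirect_uri, verifier):
    """Client side, step 2: the POST body for /connect/token. The place the
    thread puts a client_secret is taken by code_verifier."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    })


def server_side_check(stored_challenge, method, presented_verifier):
    """What a PKCE-aware token endpoint does with the verifier it is handed:
    recompute the challenge stored alongside the authorization code and
    compare in constant time. Returns True when the exchange may proceed."""
    if method == "S256":
        computed = code_challenge_s256(presented_verifier)
    elif method == "plain":
        computed = presented_verifier
    else:
        return False
    return secrets.compare_digest(computed, stored_challenge)


def challenge_from_authorize_url(url):
    """Server side, step 1: what the authorize endpoint stores with the code."""
    q = parse_qs(urlparse(url).query)
    return q["code_challenge"][0], q["code_challenge_method"][0]


if __name__ == "__main__":
    verifier = make_code_verifier()
    url = build_authorize_url("https://idp.example.test", "test",
                              "http://localhost:8080/", "openid profile",
                              verifier, secrets.token_urlsafe(16))
    stored, method = challenge_from_authorize_url(url)
    print(server_side_check(stored, method, verifier))  # True for the honest client
```

Because the verifier never leaves the client until the token request, an authorization code intercepted on the redirect is useless to anyone who does not also hold the verifier, which is the property a client secret was providing for confidential clients.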

What are AudienceRestrictionConditions in KentorAuthServices?

I'm working with Kentor Auth Services. I'm getting an error when testing the SAML integration using the Kentor Sample Idp:
ID1035: The SAML Assertion did not contain any
AudienceRestrictionConditions. To accept assertions without
AudienceRestrictionConditions, set
SecurityTokenHandlerConfiguration.AudienceRestriction.AudienceMode to
AudienceUriMode.Never.
Can someone let me know why I'm getting this error? Also, I'm seeing a field called Audience. I have left it blank since I'm not sure what needs to be added there. I have tried adding 'Never', but on checking the source it seems like it requires a URI.
Can someone please let me know what needs to be given in this field?
By default WIF/AuthServices checks the Audience restriction in the SAML response. To handle the error you need to do either of:
Put the EntityId of the SP in the Audience field.
Set spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
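As an added example (not Kentor's or WIF's code), the following Python performs the audience check that produces ID1035 and shows what each of the two resolutions above changes. The `mode` values mirror the `AudienceUriMode` enumeration (`Always`, `Never`, and `BearerKeyOnly`, which applies the check only to bearer tokens); the assertions are constructed samples, and a real service provider verifies the XML signature before trusting anything in `<Conditions>`.

```python
from xml.etree import ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertions (signatures and other elements omitted).
CONSTRUCTED_WITH_AUDIENCE = (
    f'<saml:Assertion xmlns:saml="{SAML2}">'
    '<saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>https://sp.example.test/AuthServices</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion>'
)
CONSTRUCTED_WITHOUT_AUDIENCE = (
    f'<saml:Assertion xmlns:saml="{SAML2}">'
    '<saml:Conditions/>'
    '</saml:Assertion>'
)


def assertion_audiences(assertion_xml):
    """Every <Audience> URI listed under Conditions/AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML2}}}Conditions/{{{SAML2}}}AudienceRestriction/{{{SAML2}}}Audience"
    return [a.text.strip() for a in root.iterfind(path) if a.text]


def check_audience(assertion_xml, sp_entity_id, mode="Always", bearer=True):
    """Return one of 'ok', 'skipped', 'missing', 'mismatch'.

    'missing' is the ID1035 condition. Fix 1 (put the SP EntityId in the
    Audience field) makes the IdP emit a matching <Audience>, so the result
    becomes 'ok'. Fix 2 (AudienceUriMode.Never) makes the SP skip the check,
    so an assertion the IdP issued for a different SP would also be accepted."""
    if mode == "Never" or (mode == "BearerKeyOnly" and not bearer):
        return "skipped"
    audiences = assertion_audiences(assertion_xml)
    if not audiences:
        return "missing"
    if sp_entity_id not in audiences:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    sp = "https://sp.example.test/AuthServices"
    print(check_audience(CONSTRUCTED_WITHOUT_AUDIENCE, sp))          # missing (ID1035)
    print(check_audience(CONSTRUCTED_WITHOUT_AUDIENCE, sp, "Never"))  # skipped
    print(check_audience(CONSTRUCTED_WITH_AUDIENCE, sp))             # ok
```

Of the two fixes, the first keeps the check in place; the second silences the error at the cost of accepting assertions that were not issued for this service provider, which matters as soon as the IdP serves more than one SP.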

Using a third party web service in vb.net

I am trying to build an app in VS Pro 2012 (VB.NET) that will invoke RoyalMail's MailMark WSDL which has methods such as RetrieveActiveSupplyChains which are expecting a single parameter (request).
I have used svcutil with the /l:vb switch to download the WSDL and referenced it in my project and I can see methods being exposed once I have done
Dim client As PosterUploadClient = New PosterUploadClient()
Now typing client. brings up all the methods I expect to see and I can pass authentication and see the state change when I do client.open() but what I can't figure out is how to provide the parameters the actual methods need. According to their documentation, RetrieveActiveSupplyChains doesn't need a parameter but they have provided an xml example of the request structure so my assumption is that I'd need to construct this as xml with the appropriate values and send it as "request"?
Does this sound right? I know this is probably meat and veg for a web programmer but not something I have attempted before. The xml they supplied as an example looks like the below:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://rm-manifest.com/2014/01/service/IPosterUpload/RetrieveAllActiveSupplyChains</a:Action>
<a:MessageID>urn:uuid:ab5e32a3-812e-4d91-97a8-de00a08874e9</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://rm-manifest.com/PosterUpload2/PosterUpload.svc/service</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-10-03T14:32:58.480Z</u:Created>
<u:Expires>2014-10-03T14:37:58.480Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-dfaaf0b0-3823-4f75-b607-33f7434295dc-1">
<o:Username>NetworkAccess</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">p1</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<RetrieveAllActiveSupplyChains xmlns="http://rm-manifest.com/2014/01/service">
<request xmlns:b="http://rm-manifest.com/2014/01/messages" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
</RetrieveAllActiveSupplyChains>
</s:Body>
</s:Envelope>
But I'm still not sure how it actually needs to be submitted; certainly if I read that sample one in with a new XmlTextReader it doesn't like it, with the following error message:
Value of type 'System.Xml.XmlTextReader' cannot be converted to 'MM_TEST.Mosaic.EIB.PosterUploadService.Core.Messages.RetrieveActiveSupplyChainsRequest'
My assumption was the WSDL replaces the need to actually create a "New HttpRequest" in my code, but I'm not sure. I've done a lot of googling but I'm not getting anything that quite works like this.
The WSDL is here if this helps:
https://customertest.rm-manifest.com/PosterUpload/PosterUpload.svc
Just call the method. The provided XML is what is actually sent to the server by the WCF proxy when you call the method. You don't need to use it at all.
If you use a tool like Fiddler, you'll see that simply calling client.RetrieveAllActiveSupplyChains will send an HTTP request with a body similar to the XML sample.
In fact, everything outside the RetrieveAllActiveSupplyChains tag isn't related to the method at all - it's security and addressing data used to establish and execute a connection with a web service in general. All of this is handled by WCF.

Error "WIF10201: No valid key mapping found" when trying to create claims from SAML

I am trying to validate a SAML response which is coming from Siteminder IDP from a third party. I have installed the certificate provided by them. When I call the ValidateToken method (System.IdentityModel.Tokens) to create claims, I get following error :
WIF10201: No valid key mapping found for
securityToken:'System.IdentityModel.Tokens.X509SecurityToken' and
issuer: 'issuer uri'
I dug in deep to find the error and it's being thrown by the method GetIssuerName (System.IdentityModel.Tokens).
Where is the problem? I googled for this issue but didn't find anything specific to my case. Does the SAML token from my client have a problem, or is there something I am missing in the implementation? I am fairly new to federated auth so please excuse any inaccuracy with the terminology used.
Gaurav
OK, found the solution but couldn't quite understand the reason behind it (complete noob, will update the answer when I know more).
Followed this approach of converting the SAML2 response to WSFed response, then on that new token I ran my code, now the error is gone.
http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx
Note : you still have to override the validate token method (which I had originally done) to avoid the following error :
“ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.”
Thanks.
You are probably missing a configuration that maps the issuer name (as specified inside the token) to the certificate (probably specified with a thumbprint). I guess you solve this with some configuration in your web.config. Have a look at e.g. Microsoft validating issuer name registry. The page contains some sample configuration. Setting this up correctly depends entirely on your situation.
I wanted to make a note for future reference, since I also ran into this error but my resolution was different. I got the WIF10201 error in a custom MVC application that is using ADFS (3.0) claims-based authentication under Windows Server 2012. In the web.config of the MVC application, the thumbprint of the ADFS token signing key is recorded. It turns out, when the signing certificate is about to expire, ADFS creates a new key. The new key is marked "primary" and the old key is marked as "secondary" in the ADFS console (under AD FS/Service/Certificates). So in my web.config there was, of course, still the thumbprint of the old (secondary) key. As soon as I replaced it with the thumbprint of the new (primary) key, the error disappeared.
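As an added example (not WIF's implementation), the following Python reproduces the lookup behind WIF10201 as the two answers above describe it: the signing certificate is pulled from the token's `ds:KeyInfo`, its SHA-1 thumbprint is computed over the DER bytes, and that thumbprint is looked up in a registry of trusted issuers. The "certificates" are constructed byte strings rather than real X.509 data, which is enough to show the thumbprint mismatch that appears when ADFS rolls over to a new primary signing key; the registry class and function names are this example's own.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for the DER encodings of the old (secondary) and new
# (primary) ADFS token-signing certificates. Real certificates are ASN.1 DER;
# the thumbprint rule is the same either way.
CONSTRUCTED_OLD_DER = b"constructed-old-adfs-token-signing-certificate"
CONSTRUCTED_NEW_DER = b"constructed-new-adfs-token-signing-certificate"
CONSTRUCTED_ISSUER = "http://adfs.example.test/adfs/services/trust"

# A constructed token fragment signed with the NEW certificate.
CONSTRUCTED_SIGNED_XML = (
    f'<Response xmlns:ds="{DSIG}"><ds:Signature><ds:KeyInfo><ds:X509Data>'
    f'<ds:X509Certificate>{base64.b64encode(CONSTRUCTED_NEW_DER).decode()}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature></Response>'
)


def thumbprint(der_bytes):
    """Windows/WIF thumbprint: SHA-1 over the DER encoding, shown as hex."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def signing_cert_der(signed_xml):
    """DER bytes of the certificate carried in ds:KeyInfo/X509Data."""
    root = ET.fromstring(signed_xml)
    node = root.find(f".//{{{DSIG}}}KeyInfo/{{{DSIG}}}X509Data/{{{DSIG}}}X509Certificate")
    if node is None or not node.text:
        raise ValueError("no X509Certificate in ds:KeyInfo")
    return base64.b64decode("".join(node.text.split()))


class IssuerNameRegistry:
    """Analogue of the web.config <trustedIssuers><add thumbprint="..." name="..."/>
    list: a map from certificate thumbprint to issuer name."""

    def __init__(self, trusted):
        self.trusted = {tp.upper().replace(" ", ""): name for tp, name in trusted.items()}

    def get_issuer_name(self, der_bytes):
        """Return the issuer name for the signing certificate, or None when there
        is no mapping (the WIF10201 case)."""
        return self.trusted.get(thumbprint(der_bytes))


def resolve_issuer(registry, signed_xml):
    return registry.get_issuer_name(signing_cert_der(signed_xml))


if __name__ == "__main__":
    stale = IssuerNameRegistry({thumbprint(CONSTRUCTED_OLD_DER): CONSTRUCTED_ISSUER})
    print(resolve_issuer(stale, CONSTRUCTED_SIGNED_XML))  # None: WIF10201
    # Keeping both thumbprints during the rollover window avoids an outage.
    current = IssuerNameRegistry({
        thumbprint(CONSTRUCTED_OLD_DER): CONSTRUCTED_ISSUER,
        thumbprint(CONSTRUCTED_NEW_DER): CONSTRUCTED_ISSUER,
    })
    print(resolve_issuer(current, CONSTRUCTED_SIGNED_XML))  # the issuer name
```

Listing both the secondary and the primary thumbprint under the same issuer name is what lets the relying party keep accepting tokens across the ADFS key rollover described above; the thumbprint itself must come from the certificate the IdP actually signs with, never from the token's own claims.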

Getting Access Token Data From OAuth Template of Asp.net

I'm trying to get the access token of the Facebook client when a user logs in with asp.net's OAuth template. But I couldn't acquire the access token when I tried some methods that I found on the internet, like:
AuthenticationResult result = OpenAuth.VerifyAuthentication("RegisterExternalLogin.aspx");
string actok = result.ExtraData["accesstoken"];
This try wasn't successful. How can I acquire the access token?
I see no one has replied to your question even though it has been 10 days, so I'll take a stab at it.
You mentioned that you are using asp.net's OAuth template. So I think you are looking at the line
AuthenticationResult result = OpenAuth.VerifyAuthentication("RegisterExternalLogin.aspx");
in the ExternalLoginCallback() action in AccountController.cs
As far as I can tell your syntax is correct. In fact I also tested it out myself and it works. I guess you can try another way of accessing the same property:
String myaccesstoken_value1 = result.ExtraData.Values.ToArray()[5];
That will give you the same result as result.ExtraData["accesstoken"]
If that does not work either then I would imagine that there is some problem with the authentication itself, rather than with your syntax here. I'm assuming you have VS2012 Express, so use the debugger to see what values are present in your variable 'result'. If it is empty, then it would indicate why your second statement errors out, and it would also indicate that there is a problem in the code before you get to this point.
Also keep in mind during testing that when you log into your app using OAuth providers such as Facebook, even when you log out of the website you continue to remain logged into facebook. You actually have to go to facebook.com and click logout there also (unless you write some additional code in your asp.net app to do a remote logout). I don't know if this applies to your situation, just giving you a heads up.
Please vote if this helps.