I have looked all over the web and cannot find the solution to this. I am developing an ASP.NET application that needs to consume a PeopleSoft web service. It was working fine until they applied security to the service. It's not a .NET service, so I cannot pass in credentials in the typical .NET way using System.Net.NetworkCredential. The PS developers told me I have to pass the credentials in the SOAP header. I see no specific way to do that anywhere. Here's the snippet from the PeopleSoft WSDL:
<wsdl:binding name="PROCESSREQUEST_Binding" type="tns:PROCESSREQUEST_PortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="PRCS_FINDREQUESTS">
<soap:operation soapAction="PRQ_FINDREQUESTS.v1" style="document" />
<wsp:Policy wsu:Id="UsernameTokenSecurityPolicyPasswordRequired" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<wsse:SecurityToken wsp:Usage="wsp:Required" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:TokenType>wsse:UserNameToken</wsse:TokenType>
<Claims>
<SubjectName MatchType="wsse:Exact" />
<UsePassword wsp:Usage="wsp:Required" />
</Claims>
</wsse:SecurityToken>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
How would I pass credentials using C#?
Here's the SOAP header I use when testing my web services having Username security activated with JMeter:
<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>myUserName</wsse:Username>
<wsse:Password>myPassWord</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
It should do the work in C#
SAML logout not working in ADFS 2.0
I configured the logout endpoint (URL) in the relying party trust as:
https://abstractmachine.domain.local/adfs/ls/?wa=wsignout1.0
With POST binding
I also changed the default SingleLogoutService node value in the federation metadata from its default to https://abstractmachine.domain.local/adfs/ls/?wa=wsignout1.0. Without renaming it was giving an error while sending the logout request.
Now, after configuration, the ADFS does say it logged out successfully and displays its logout page but users can still login without having to provide credentials and it seems that the previous credentials are still being cached.
Am I missing some settings, or is there any other method for logging out of ADFS with a SAML request?
Also, it is not redirecting to the response URL after logout
The logout request that I am using is as below:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a8b394ff-a850-484d-91a1-2daeeeb35b52" Version="2.0" IssueInstant="2016-07-04T13:19:02.582Z" Destination="https://nsv-adfsbal.dristi.local/adfs_app/IdPLogOutResponse.aspx" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" NotOnOrAfter="2016-07-04T13:24:02.582Z">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://nsv-adfsbal.dristi.local/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_a8b394ff-a850-484d-91a1-2daeeeb35b52">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>knf74cRA51WBnpL3ZvPolhWHY90=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>c7VpbqOi0iRaRjfP8EUrS1GS0ne8MA4uW26GA62b5YwHlIHjC91fTfv4r/IuXONs7ny3J8c/If+jKK3dpttesmYmv1kq3p16o5IxlAEwoZKrBDsaWu+JxZ6xZV1dQ2y+vvPL1cCUwa9FobUXwx5SYx29SHJbHhwe81u5fCCwBa2TPj9gbzekJoKy3JeayCzfw8Bl7CPMfM/aDNgNyOpjZ+Lwvm7mk4ejvwbOSFsFBYToVMnWmeZGkwbnyYvuLrywdxxLN1R0JB/St4mbOpki9As4ndIwiNKUF311NM13QNzCAiI3rvf25EyJf2dOujqxtW7UMat5Yju22IgCBOKbxA==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate><!-- X.509 certificate omitted --></ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">user.name#user.local</NameID>
<samlp:SessionIndex>_7235ddb0-9fca-4545-9c57-aecdfa4b8eb2</samlp:SessionIndex>
</samlp:LogoutRequest>
I am building an application that authenticates users with SAMLv2. After successful authentication by the Identity Provider, the response is returned to the browser, which then sends it to the target server.
The trimmed response looks as follows:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#uuid-73c06e86-88d2-4204-91f4-3d484bc782cc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>H9ffPJ6/jq25p13BcziR0hNLkGg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>FegjeGwQO..J7hpJEQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate><!-- certificate data --></ds:X509Certificate>
</ds:X509Data>
<!-- more certificates -->
</ds:KeyInfo>
</ds:Signature>
I have a sequence of X509 certificates, <ds:DigestValue /> and <ds:SignatureValue />. What do those two fields contain, and how should I validate whether the response was returned by a valid server?
The signatures are standard XML signatures. This validation can for example be done in Java using OpenSAML. Here is a blog post showing how.
The "validity" or trust of the IDP is something you have to determine in your application. If the signature validates, then it means that the SAML message was sent from the IDP with the corresponding private key. Then you must decide if you trust that IDP.
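An added example (not from the answer above) of the same validation in C# with System.Security.Cryptography.Xml. In the response shown, DigestValue is the base64 SHA-1 of the canonicalized referenced element and SignatureValue is the IdP's RSA signature over the canonicalized SignedInfo; the code verifies both against a certificate you configured for the IdP ahead of time (the trustedIdpCert parameter is assumed) rather than whatever KeyInfo carries.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureCheck
{
    // Signature algorithms this relying party accepts. rsa-sha1 appears in the sample
    // response above but is legacy; drop it once the IdP signs with SHA-256.
    private static readonly string[] AllowedSignatureMethods =
    {
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    };

    // Returns true only if the enveloped ds:Signature verifies with the public key of
    // trustedIdpCert, a certificate configured out of band for this IdP (assumed input).
    // KeyInfo inside the message is attacker-controlled and is deliberately ignored.
    public static bool IsSignedByTrustedIdp(string samlXml, X509Certificate2 trustedIdpCert)
    {
        // PreserveWhitespace keeps canonicalization exact; XmlResolver = null blocks DTD/external entities.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(samlXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        if (!(doc.SelectSingleNode("//ds:Signature", ns) is XmlElement sigElement))
            return false;                                   // unsigned message

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigElement);                      // parses SignedInfo, SignatureValue, KeyInfo

        if (Array.IndexOf(AllowedSignatureMethods, signedXml.SignedInfo.SignatureMethod) < 0)
            return false;                                   // weak or unknown algorithm

        // Exactly one Reference, and it must point (via the ID attribute, as in the sample)
        // at the element that encloses the signature, i.e. the Response/Assertion itself.
        if (!(sigElement.ParentNode is XmlElement signedElement) ||
            signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + signedElement.GetAttribute("ID"))
            return false;

        // Recomputes the digest over the referenced element and checks SignatureValue with the
        // pinned key; verifySignatureOnly = true because trust was decided when the cert was configured.
        return signedXml.CheckSignature(trustedIdpCert, true);
    }
}
```

A true result only proves possession of the IdP's private key; the caller still has to check Conditions, Audience, InResponseTo and timestamps before trusting the assertion's contents.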
Greetings everyone, I am trying to configure a simple authorization code flow via Spring Security OAuth.
I tested my authorisation and resource server configuration via the following approach: I create a web application as the client and use its page to fire an HTTP POST call to /oauth/authorize. After getting the code, I use the same page to fire another HTTP POST with the code and get a token. At the end, I use curl -H to place the token inside the header and get the response from the protected resource.
But when I try to use RestTemplate, it throws a 401 Unauthorised error.
Server side - security configure:
<http auto-config="true" pattern="/protected/**"
authentication-manager-ref="authenticationManager">
<custom-filter ref="resourceFilter" before="PRE_AUTH_FILTER" />
<csrf disabled="true" />
</http>
<http auto-config="true">
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login default-target-url="/admin.html" />
<logout logout-success-url="/welcome.html" logout-url="/logout"/>
<csrf disabled="true" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="admin" password="123456" authorities="ROLE_USER,ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
Server side - authorisation and resource configure:
<oauth:authorization-server
client-details-service-ref="clientDetails" error-page="error">
<oauth:authorization-code />
</oauth:authorization-server>
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="admin" secret="fooSecret" />
</oauth:client-details-service>
<oauth:resource-server id="resourceFilter" />
Client Side:
<oauth:client id="oauth2ClientContextFilter" />
<oauth:resource id="sso" client-id="admin"
access-token-uri="http://localhost:8080/tough/oauth/token"
user-authorization-uri="http://localhost:8080/tough/oauth/authorize"
use-current-uri="true" client-secret="secret"
client-authentication-scheme="header" type="authorization_code"
scope="trust" />
<oauth:rest-template id="template" resource="sso"/>
If anyone knows where goes wrong, please do let me know.
There were two issues with my configuration above.
I noticed my client used the wrong secret to communicate with the authorization server.
The token endpoint at the authorization server uses the authentication manager which serves user authentication. This resulted in the client being rejected every time until I created a new security realm for the token endpoint and configured it to use an authentication manager designed for clients.
Note that the client is different from the user. The client is a third party that wants to access resources belonging to your user (also called the resource owner).
I had the same problem. It helped to add a
org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService
to Spring Security's authentication-manager, gluing the clientDetailsService to the authentication manager. So
<authentication-manager alias="authenticationManager">
...
<authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
...
</authentication-manager>
nearly solved the problem for me. I had one more issue: since ClientDetailsUserDetailsService has no default constructor, Spring threw exceptions of the form
org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class
[class org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService]:
Common causes of this problem include using a final class or a non-visible class;
nested exception is java.lang.IllegalArgumentException: Superclass has no null constructors but no arguments were given
which I could not solve without using a copy of that class receiving the clientDetailsService as a property instead of a constructor arg.
How do I manipulate the session in Spring MVC? I have searched on the network and I found that Spring MVC could be the solution. But the problem is I can only pass two authentication parameters (the username and the password):
<user-service>
<user name="user" password="123456" authorities="ROLE_USER" />
</user-service>
and in my case I must pass three parameters. I would be so grateful if I found the solution in this forum.
I'm trying to consume a third party webservice (from the Component Interface in Peoplesoft), but in order to authenticate I have to have a header that looks like this:
<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>X</wsse:Username>
<wsse:Password>X</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
I added a block to the web.config file in my app that's trying to use the webservice as follows:
<system.serviceModel>
<client>
<header>
<endpoint>
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>X</wsse:Username>
<wsse:Password>X</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</endpoint>
</header>
</client>
</system.serviceModel>
But the header still doesn't appear in the XML request to the webservice.
Am I even on the right track?
If you're using .NET 2.0 to connect to the service, your best bet is to download WSE 3.0 (WSE 2.0 if you're using .NET 1.1).
If you're using WCF to connect to the service, here's a link that should help you along your way. It's about the proper way to implement the WS-Security standard in WCF:
Enterprise .NET Community: Security your WCF Services
Look at this link : http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/03db0772-b319-468c-9298-0ec301dacf34
I never thought WCF would not allow a simple username token on http
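For both PeopleSoft questions in this thread (the WSDL UsernameToken policy at the top and the web.config attempt above), an added C# example of one way to emit exactly the wsse:Security header the JMeter answer shows from a WCF proxy; this is not code from either post. It assumes a proxy generated from the WSDL (the proxy type and operation in the usage comment are placeholders) and that the binding uses HTTPS, since the password is sent as plain text inside the header.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;

// WS-Security UsernameToken header (PasswordText). Only ever send it over HTTPS.
public sealed class UsernameTokenHeader : MessageHeader
{
    public const string WsseNs =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    private readonly string _username;
    private readonly string _password;

    public UsernameTokenHeader(string username, string password)
    {
        _username = username ?? throw new ArgumentNullException(nameof(username));
        _password = password ?? throw new ArgumentNullException(nameof(password));
    }

    public override string Name => "Security";
    public override string Namespace => WsseNs;
    // Emits mustUnderstand="1" in the SOAP envelope namespace, where receivers actually look for it.
    public override bool MustUnderstand => true;

    protected override void OnWriteStartHeader(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        writer.WriteStartElement("wsse", Name, Namespace);   // <wsse:Security ...>
        WriteHeaderAttributes(writer, messageVersion);        // adds mustUnderstand / actor attributes
    }

    protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        writer.WriteStartElement("wsse", "UsernameToken", Namespace);
        writer.WriteElementString("wsse", "Username", Namespace, _username);
        writer.WriteElementString("wsse", "Password", Namespace, _password);
        writer.WriteEndElement();
    }
}

public static class WsSecurityCalls
{
    // Scopes the header to a single call so credentials are not attached to every message on the channel.
    // Usage (proxy and operation are placeholders for what svcutil generates from the WSDL):
    //   WithUsernameToken(proxy.InnerChannel, user, password, () => proxy.PRCS_FINDREQUESTS(request));
    public static void WithUsernameToken(IClientChannel channel, string user, string password, Action call)
    {
        using (new OperationContextScope(channel))
        {
            OperationContext.Current.OutgoingMessageHeaders.Add(new UsernameTokenHeader(user, password));
            call();
        }
    }
}
```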