
Converting Assertion token type

Anonymous

Hi All,

I have an Assertion token obtained from the Web Browser SSO Profile - SP
initiated: Redirect -> POST binding with ADFS2.0. This token is saved in
memory as an XML string. I could have it as an Assertion object, but the Assertion
object type comes from OpenSAML. I need to pass this Assertion token in
place of the actAsToken in the following Metro code. My STS is still ADFS2.0.
How do I convert an Assertion token of a different type to the Metro Token type?
Is this possible?

Token actAsToken = getActAsToken();
config.getOtherOptions().put(STSIssuedTokenConfiguration.ACT_AS, actAsToken);

The web service that I need to call is .NET and it seems Metro has the best
interoperability with .NET. If I can't get this done, then I am
pretty blocked. Of course, if I can achieve the Web Browser SSO Profile with
Metro, then I wouldn't bother with OpenSAML (I have complete code for this
part though).

Thanks.

Gina

jdg6688
Joined: 2005-11-02

1. Yes. You can create a GenericToken with the DOM element of the SAML
assertion and set it in .
2. You can't use Metro for Web services. No Passive SSO/federation support.

On 4/19/2012 12:43 PM, gchoi wrote:

jdg6688
Joined: 2005-11-02

On 4/19/2012 3:06 PM, Jiandong Guo wrote:
> 1. Yes. You can create a GenericToken with the DOM element of the SAML
> assertion and set it in
as actAsToken.
> 2. You can't use Metro for Web services. No Passive SSO/federation
> support.
I mean "You can only use".

Gina Choi

Hi Jiandong,

> 1. Yes. You can create an GenericToken with DOM element of the SAML
> assertion and set it in as actAsToken.

I tried to use the following code to inject the actAsToken, but I am getting
exceptions. Please see below. Assertion is an OpenSAML object and
assertion.getDOM() returns org.w3c.dom.Element.

Token actAsToken = new GenericToken(assertion.getDOM());

stsConfig.getOtherOptions().put(STSIssuedTokenConfiguration.ACT_AS, actAsToken);
STSIssuedTokenFeature feature = new STSIssuedTokenFeature(stsConfig);

I thought that this is because the implementation of Element in OpenSAML uses
org.apache.xerces.dom.ElementNSImpl. So, I tried the following code. I converted
the Assertion object to an XML String and got an org.w3c.dom.Element from the XML
String, but the result is the same. How do I get this to work?

import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Element;

TransformerFactory transFactory = TransformerFactory.newInstance();
Transformer transformer = transFactory.newTransformer();
StringWriter buffer = new StringWriter();

transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
transformer.transform(new DOMSource(assertion.getDOM()), new StreamResult(buffer));
String assertionStr = buffer.toString();
System.out.println("Assertion string:" + assertionStr);

// Re-parse with a namespace-aware builder: the factory default is not namespace-aware,
// so the saml:/ds: prefixes would not resolve and signature checks downstream would fail.
// Encode explicitly as UTF-8 so the platform default charset cannot alter the signed bytes.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
Element element = dbf.newDocumentBuilder()
    .parse(new ByteArrayInputStream(assertionStr.getBytes(StandardCharsets.UTF_8)))
    .getDocumentElement();

Exception in thread "main" javax.xml.ws.WebServiceException: java.lang.RuntimeException: org.apache.xerces.dom.ElementNSImpl cannot be cast to com.sun.xml.ws.security.trust.impl.wssx.bindings.RequestSecurityTokenResponseType
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:250)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
    at com.sun.xml.ws.client.Stub.process(Stub.java:429)
    at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
    at $Proxy40.doubleIt(Unknown Source)
    at client.WSClient.doubleIt(WSClient.java:92)
    at client.WSClient.main(WSClient.java:85)
Caused by: java.lang.RuntimeException: org.apache.xerces.dom.ElementNSImpl cannot be cast to com.sun.xml.ws.security.trust.impl.wssx.bindings.RequestSecurityTokenResponseType
    at com.sun.xml.ws.security.trust.impl.wssx.WSTrustElementFactoryImpl.createRSTRCollectionFrom(WSTrustElementFactoryImpl.java:485)
    at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.parseRSTR(TrustPluginImpl.java:751)
    at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:630)
    at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:174)
    at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.getIssuedTokenContext(STSIssuedTokenProviderImpl.java:144)
    at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:74)
    at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:83)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:685)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:281)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:247)
    ... 12 more
Caused by: java.lang.ClassCastException: org.apache.xerces.dom.ElementNSImpl cannot be cast to com.sun.xml.ws.security.trust.impl.wssx.bindings.RequestSecurityTokenResponseType
    at com.sun.xml.ws.security.trust.impl.wssx.elements.RequestSecurityTokenResponseCollectionImpl.<init>(RequestSecurityTokenResponseCollectionImpl.java:102)
    at com.sun.xml.ws.security.trust.impl.wssx.WSTrustElementFactoryImpl.createRSTRCollectionFrom(WSTrustElementFactoryImpl.java:483)
    ... 21 more

jdg6688
Joined: 2005-11-02

Looks like you get back the response. But it is an RSTR instead of RSTRC
as expected.
Can you print out the messages?
What STS is this?

On 5/1/2012 1:07 PM, Gina Choi wrote:

Gina Choi

Hi Jiandong,

> Looks like you get back the response. But it is an RSTR instead of RSTRC
> as expected. Can you print out the messages? What STS is this?

Following is the message print out. My STS is ADFS2.0. ADFS returned
"MSIS3127: The specified request failed.", but I don't see error messages
on the ADFS2.0 side. It looks like ADFS2.0 doesn't like the RST that I
sent.

I didn't get the part about "But it is an RSTR instead of RSTRC as expected". Metro is
expecting RSTR, but you are saying ADFS2.0 returned RSTRC?

} is not supported under Token assertion.

jdg6688
Joined: 2005-11-02

You need to dig into ADFS 2.0 to find out what is wrong. Maybe the
signature on the SAML assertion is not verified or the RP trust is not
properly configured.

On 5/1/2012 1:44 PM, Gina Choi wrote:
> MSIS3127: The specified request failed.

Gina Choi

Hi Jiandong,

> The Federation Service encountered an error while processing the WS-Trust
> request.
> Request type: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

I have two ADFS2.0 servers. I was testing on both and forgot to check the ADFS2.0
that I am connecting to. That's why I didn't see any error logs from ADFS2.0.
Now I ran it again and I am seeing the following error message, which is very
familiar to me.

Please take a look at
http://social.msdn.microsoft.com/Forums/zh/Geneva/thread/adb0eca4-d466-4...
756-1a12fc3b6e52. Jesper Hvid reported it as a bug and here is his description.
Metro bug link: http://java.net/jira/browse/METRO-16. This bug is still open.

Gina Choi

Hi Jiandong,

I am not sure if my problem is the same as METRO-16. When I compare the digest value
in the SAML assertion from ADFS and the RST from Metro, they look the same.
Anything else that I need to check?

idGcvKu0vl3qrKS8dZ58EzhpNPo=
idGcvKu0vl3qrKS8dZ58EzhpNPo=

jdg6688
Joined: 2005-11-02

Does assertion.toDOM() in OpenSAML change it?

On 5/1/2012 3:26 PM, Gina Choi wrote:

Gina Choi

Hi Jiandong,

I did notice that in the Metro RST, the assertion token starts with
instead of ? If doc is the Assertion element in
the following signing code, doesn't it affect the digest value, considering we
only take out the Signature element from the Assertion token?

DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), doc.getDocumentElement());
XMLSignature signature = fac.newXMLSignature(signedInfo, ki);
// Marshal, generate, and sign the enveloped signature.
signature.sign(dsc);

I am trying to find the ADFS keystore file to calculate the digest value.

Gina

Gina Choi

Jiandong,

I did three tests to compare digest values.

1. From assertion.toDOM(), I took out the Signature part and the calculated
digest value is:
eZzhiND7USrll249hqbsa4bsD3c=

2. I took the Assertion part from Metro's RST and took out the Signature part. The
calculated digest value is:
qqNfHhkHjBzE66+3q6CbFvHUa/c=

3. I removed the extra Assertion (changed to
from Metro's RST and removed the Signature part. The calculated digest value is:
eZzhiND7USrll249hqbsa4bsD3c=

So, it looks like the extra Assertion does change the digest value. I haven't
tested whether assertion.toDOM() or Metro removes spaces. I am going to do that
tomorrow.

Thanks.

Gina
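An added, self-contained Java check of the point behind the three digest tests above (not code from this thread, from Metro or from OpenSAML): it signs a constructed sample assertion with a throwaway RSA key, then re-validates after adding whitespace inside the signed subtree and after dropping the saml: prefix, each of which changes the exclusive-C14N reference digest so the second and third validations fail. Assumes JDK 11+, that the assertion's ID attribute is named ID, and that the IdP key is unavailable (hence the generated key).

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AssertionDigestCheck {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed stand-in for an IdP assertion; a real one arrives already signed by ADFS.
    static final String XML = "<saml:Assertion xmlns:saml=\"" + SAML + "\" ID=\"_abc123\">"
        + "<saml:Issuer>http://idp.example.test/</saml:Issuer></saml:Assertion>";
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this the ds:/saml: prefixes never resolve and validation fails
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    // Enveloped signature over the whole assertion: ID reference, enveloped + exc-c14n transforms.
    static void sign(Document doc, KeyPair kp) throws Exception {
        Element root = doc.getDocumentElement();
        root.setIdAttribute("ID", true); // lets URI="#_abc123" dereference to the root element
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + root.getAttribute("ID"), fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), root));
    }
    // Recomputes the reference digest over the DOM as it is now, so any edit to the signed subtree shows up.
    static boolean validate(Document doc, PublicKey key) throws Exception {
        doc.getDocumentElement().setIdAttribute("ID", true);
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // throwaway key standing in for the IdP's signing key
        Document doc = parse(XML); sign(doc, kp);
        System.out.println("untouched:        " + validate(doc, kp.getPublic()));
        doc.getDocumentElement().appendChild(doc.createTextNode("\n")); // whitespace inside the signed subtree
        System.out.println("whitespace added: " + validate(doc, kp.getPublic()));
        Document doc2 = parse(XML); sign(doc2, kp);
        doc2.renameNode(doc2.getDocumentElement(), SAML, "Assertion"); // same namespace, saml: prefix dropped
        System.out.println("prefix changed:   " + validate(doc2, kp.getPublic()));
    }
}
```

The same re-validation, run on the assertion element as Metro serialises it into the RST, tells you directly whether the re-wrapping or whitespace handling broke the digest before ADFS ever sees it.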