Skip to main content

Re: Digest verification failure for STR-Transform with Metro and .NET

Please note these forums are being decommissioned and use the new and improved forums at
5 replies [Last post]

You will have to modify Metro source and do a full build of the framework.
Don't forget to install and use proper libraries of the Metro once you do.

WARNING: you will not be conformant with SAML Token Profile 1.1 !!!, which
will result in messages rejected by the other Metro distributions which did
not have this .NET compatibility "fix".

You will need to add to your policy (whether on your service or WSDL
accessible through jax-ws-catalog.xml ) requirement to encrypt your SAML

..... (more signed parts here )....

Now the changes:

Line 149 add:
if(PolicyUtil.isIssuedToken((PolicyAssertion) token, spVersion)
this instanceof SignedSupportingTokensProcessor){
System.out.println("HERE HERE HERE STRID is null now !!!");

Line 156 add:

if( ! (PolicyUtil.isIssuedToken((PolicyAssertion) token,
spVersion) &&
this instanceof SignedSupportingTokensProcessor) ){
System.out.println("Skipping addToPrimarySignature");

encryptToken(token, spVersion);

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Feel free to leave out System.out.println statements, of course :-)
They are an example of bad style debugging :-)

Plus, this is not by any means an "official" version of disabling STR
transform sanctioned by Metro development team...

As a suggestion - it would be nice to have a switch on the client side to be
able to disable STR transform completely if necessary.


Hi ss400,

Thanks in advanced for your help. I tried those snipets codes under Metro
2.1 But I still get the digest error when trying to interop. Which version
of Version you did your build under? Do you have any further information
about what other changes I can try in order to achieve this interop test.

This is what I've tried:
Inside the process method:

while (tokens.hasNext()) {
Token token = (Token);
SecurityPolicyVersion spVersion =
SecurityPolicyUtil.getSPVersion((PolicyAssertion) token);
WSSPolicy policy = tokenProcessor.getWSSToken(token);
if (this instanceof EndorsingSupportingTokensProcessor) {
if (PolicyUtil.isUsernameToken((PolicyAssertion) token,
spVersion)) {
AuthenticationTokenPolicy.UsernameTokenBinding utb =
if (PolicyUtil.isIssuedToken((PolicyAssertion) token, spVersion)
&& this instanceof EndorsingSupportingTokensProcessor) {
((IssuedTokenKeyBinding) policy).setSTRID(null);
System.out.println("Policy: " +
PolicyUtil.isIssuedToken((PolicyAssertion) token, spVersion));
System.out.println("Token: " + token);
System.out.println("SP Version: " + spVersion);
//TODO: We add this in line 149
if (PolicyUtil.isIssuedToken((PolicyAssertion) token, spVersion)
&& this instanceof SignedSupportingTokensProcessor) {
//When executing the process, this IF is never executed
((IssuedTokenKeyBinding) policy).setSTRID(null);
System.out.println("Setting the STRID to NULL");
//TODO: This is what we add in line 156
if (!(PolicyUtil.isIssuedToken((PolicyAssertion) token,
&& this instanceof SignedSupportingTokensProcessor)) {
//We're entering to this if
System.out.println("Add primary signature");
addToPrimarySignature(policy, token);
} else {
System.out.println("Skipping addToPrimarySignature");
encryptToken(token, spVersion);
if (policy.getUUID() != null) {

addToPrimarySignature(policy, token);

encryptToken(token, spVersion);

if (PolicyUtil.isSamlToken((PolicyAssertion) token,
spVersion)) {

if (buildEP) {
EncryptionPolicy ep = new EncryptionPolicy();

//TODO:: Add token to MessagePolicy;
if (!(this instanceof EndorsingSupportingTokensProcessor)
|| (this instanceof EndorsingSupportingTokensProcessor
&& token instanceof X509Token && token.getIncludeToken().endsWith("Never")))
AuthenticationTokenPolicy atp = new
//TODO: Take care of targets.

Thanks again for your support.


Check your pom.xml for Metro, for example:

Now, if you are using maven make sure you specify in your client
dependencies proper version that you modified and just compiled:

Also, when you run maven you must do "maven install" so jars become
available in your repository.

Now, when you check all of the above - run a wireshark to get a capture and
post it here :-)

(did you modify the local version of the remote .NET policy )?

Post the policies so we can compare notes...


Hi, I tried all things you told me.

*Only difference is the following:*

- The metro version, we use: 2.1.1
- You use this version: 2.1.1-b09

Ok, here is the *"createSequence" capture:*

Here are our policies:

*My Question:*

What you mean with this:
(did you modify the local version of the remote .NET policy )?

Is it something we need to modify in .NET WS? Please tell us.

Thank you for your contributions, we will wait for you.


I forgot something:

At this point:

if (PolicyUtil.isIssuedToken((PolicyAssertion) token, spVersion)
&& this instanceof SignedSupportingTokensProcessor) {
//When executing the process, this IF is never executed
((IssuedTokenKeyBinding) policy).setSTRID(null);
System.out.println("Setting the STRID to NULL");

this *"PolicyUtil.isIssuedToken((PolicyAssertion) token, spVersion)"* is
returning us "*false*". Do you know any idea what this is happening?

Thanks in advance.