
RE: Redirecting Metro STS to ADFS2.0

Anonymous

The first step I took was to comment out the Issuer element from my service WSDL
file (DoubleIt.wsdl). I read this
post (http://metro.1045641.n5.nabble.com/WST0042-Metro-bug-VS-bug-or-loose-policy-td1067521.html).
Based on this post, the service-side STS configuration takes priority over the
client's. It is good to specify it on the service side as well, but in most
cases the service is in another application and the client application doesn't
have much control over that. For now, I prefer to focus on the client side to
make my client point to ADFS 2.0.

Now I can focus on the client configuration: wsit-client.xml,
DoubleItSTSService.xml and DoubleIt.xml. I replaced the content of these three
files with the corresponding ADFS 2.0 endpoint and MEX URL. But Metro doesn't
like the tag names from ADFS 2.0, and this replacement is kind of painful. Is
there any way that I can programmatically override these three configuration
files? So I left all three files as they were originally and modified my Metro
client as follows to see if I could do something. But it completely ignores the
code that I added to override them and still connects to the Metro STS. It seems
that the wsit-client.xml file is loaded behind the scenes. What needs to be done?

package client;

// Imports needed by the inserted code below (Metro 2.x package names as I recall
// them; the original post omitted them). The rest of WSClient is unchanged.
import javax.xml.ws.BindingProvider;
import com.sun.xml.ws.api.security.trust.client.IssuedTokenManager;
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.trust.impl.client.DefaultSTSIssuedTokenConfiguration;

public class WSClient {

    public static void main(String[] args) {
        //Start of inserted code
        // ADFS 2.0 endpoints meant to replace the ones in wsit-client.xml / DoubleItSTSService.xml
        String stsEndpoint = "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
        String stsMexAddress = "https://strts01.ams.dev/adfs/services/trust/mex";
        //String appliesTo = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";
        String appliesTo = "https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit";
        //End of inserted code

        DoubleItService service = new DoubleItService();

        //Start of inserted code
        DefaultSTSIssuedTokenConfiguration stsConfig = new DefaultSTSIssuedTokenConfiguration(
                STSIssuedTokenConfiguration.PROTOCOL_13, stsEndpoint, stsMexAddress);

        // credentials for the ADFS usernamemixed endpoint
        stsConfig.getOtherOptions().put(BindingProvider.USERNAME_PROPERTY, "GLOBAL\\gchoi");
        stsConfig.getOtherOptions().put(BindingProvider.PASSWORD_PROPERTY, "XXXXXXXX");

        // builds an issued-token context, but nothing below requests the token
        // or hands this context (or stsConfig) to the port
        IssuedTokenManager manager = IssuedTokenManager.getInstance();
        IssuedTokenContext ctx = manager.createIssuedTokenContext(stsConfig, appliesTo);
        //End of inserted code

        DoubleItPortType port = service.getDoubleItPort();

        System.out.println("STS Name Space+++++++++" + stsConfig.getSTSNamespace());

        doubleIt(port, 10);
    }

    // helper referenced by the post (WSClient.doubleIt in the stack trace); its body is
    // not shown in the thread, so this is a plausible reconstruction
    private static void doubleIt(DoubleItPortType port, int n) {
        System.out.println("The number " + n + " doubled is " + port.doubleIt(n));
    }
}

gchoi

I found Jiandong's old
post (http://metro.1045641.n5.nabble.com/The-way-to-manually-request-the-secur...)
and it helped me move forward.

There are three ways to set the STS address and MEX address,
ordered by priority:

1. Issuer element in the IssuedToken in the service WSDL.
2. PreConfiguredSTS in the client configuration for the service.
3. Run-time configuration with STSIssuedTokenConfiguration injected with
STSIssuedTokenFeature.

I eliminated both 1 and 2 (commented out PreConfiguredSTS from the client
configuration). I got rid of DoubleItSTSService.xml from the client. Now I have
DoubleIt.xml and wsit-client.xml only. I also commented out the reference to
DoubleItSTSService.xml from wsit-client.xml.

Now my client is sending this RST to ADFS.

https://strts01.ams.dev/adfs/services/trust/13/usernamemixed
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

http://www.w3.org/2005/08/addressing/anonymous

http://www.w3.org/2005/08/addressing/anonymous

uuid:120f7ccd-31c6-4f7e-804b-8b0abe0a59b4

2012-04-23T16:29:09Z
2012-04-23T16:34:09Z

GLOBAL\gchoi

Today0001

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue

http://localhost:8088/doubleit/services/doubleit

urn:oasis:names:tc:SAML:2.0:assertion

http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
128

DtxaFbDjxhva1uj8dLoN0Q==

http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1

ADFS responded with this.

[HTTP response -
https://strts01.ams.dev/adfs/services/trust/13/usernamemixed - 500]---
null: HTTP/1.1 500 Internal Server Error
Content-Length: 969
Content-Type: application/soap+xml; charset=utf-8
Date: Mon, 23 Apr 2012 16:28:42 GMT
Server: Microsoft-HTTPAPI/2.0

http://www.w3.org/2005/08/addressing/soap/fault
uuid:120f7ccd-31c6-4f7e-804b-8b0abe0a59b4


2012-04-23T16:28:42.334Z
2012-04-23T16:33:42.334Z

s:Sender

a:InvalidScope

ID3082: The request scope is not valid or is
unsupported.

Exception in thread "main" javax.xml.ws.WebServiceException: java.lang.RuntimeException: com.sun.org.apache.xerces.internal.dom.ElementNSImpl cannot be cast to com.sun.xml.ws.security.trust.impl.wssx.bindings.RequestSecurityTokenResponseType
	at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:250)
	at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
	at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
	at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
	at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
	at com.sun.xml.ws.client.Stub.process(Stub.java:429)
	at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
	at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
	at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
	at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
	at $Proxy40.doubleIt(Unknown Source)
	at client.WSClient.doubleIt(WSClient.java:76)
	at client.WSClient.main(WSClient.java:69)
Caused by: java.lang.RuntimeException: com.sun.org.apache.xerces.internal.dom.ElementNSImpl cannot be cast to com.sun.xml.ws.security.trust.impl.wssx.bindings.RequestSecurityTokenResponseType
	at com.sun.xml.ws.security.trust.impl.wssx.WSTrustElementFactoryImpl.createRSTRCollectionFrom(WSTrustElementFactoryImpl.java:485)
	at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.parseRSTR(TrustPluginImpl.java:751)
	at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.invokeRST(TrustPluginImpl.java:630)
	at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:174)
	at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.getIssuedTokenContext(STSIssuedTokenProviderImpl.java:144)
	at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:74)
	at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:83)
	at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:685)
	at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:281)
	at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:247)
	... 12 more
Caused by: java.lang.ClassCastException: com.sun.org.apache.xerces.internal.dom.ElementNSImpl cannot be cast to com.sun.xml.ws.security.trust.impl.wssx.bindings.RequestSecurityTokenResponseType
	at com.sun.xml.ws.security.trust.impl.wssx.elements.RequestSecurityTokenResponseCollectionImpl.<init>(RequestSecurityTokenResponseCollectionImpl.java:102)
	at com.sun.xml.ws.security.trust.impl.wssx.WSTrustElementFactoryImpl.createRSTRCollectionFrom(WSTrustElementFactoryImpl.java:483)
	... 21 more

I also get this WARNING message.

WARNING: SP0100: Policy assertion
Assertion[com.sun.xml.ws.security.impl.policy.SpnegoContextToken] {
assertion data {
namespace =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'SpnegoContextToken'
value = 'null'
optional = 'false'
ignorable = 'false'
attributes {
name =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702:IncludeToken',
value =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient'
}
}
no parameters
nested policy {
namespace version = 'v1_5'
id = 'null'
name = 'null'
vocabulary {
1. entry =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702:MustNotSendAmend'
2. entry =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702:MustNotSendCancel'
3. entry =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702:MustNotSendRenew'
4. entry =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702:RequireDerivedKeys'
}
assertion set {

Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion]
{
assertion data {
namespace =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'MustNotSendAmend'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
}

Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion]
{
assertion data {
namespace =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'MustNotSendCancel'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
}

Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion]
{
assertion data {
namespace =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'MustNotSendRenew'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
}

Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion]
{
assertion data {
namespace =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'RequireDerivedKeys'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
}
}
}
} is not supported under Token assertion.

I need to fix a few things.
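The third option in the list above, as an added example (mine, not code from this thread or from Metro's samples): the ADFS endpoints and credentials go into a DefaultSTSIssuedTokenConfiguration, and that configuration only reaches Metro's security tube when it is wrapped in an STSIssuedTokenFeature and passed to the port factory; building an IssuedTokenContext by hand and then calling the no-argument getDoubleItPort() leaves the port on whatever wsit-client.xml says. Assumptions: DoubleItService and DoubleItPortType are the wsimport artifacts from the thread, in package client, with an int doubleIt(int) operation; the ADFS host and the relying-party identifier are placeholders; the Metro package for STSIssuedTokenFeature and the setTokenType setter are from memory of Metro 2.x and should be checked against the jar in use.

```java
package client;

import java.io.Console;
import java.util.Arrays;
import java.util.Map;

import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceException;

import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
import com.sun.xml.ws.security.trust.STSIssuedTokenFeature;
import com.sun.xml.ws.security.trust.impl.client.DefaultSTSIssuedTokenConfiguration;

/**
 * DoubleIt client that points Metro's WS-Trust client at ADFS 2.0 at run time.
 * Only takes effect when the service WSDL carries no sp:Issuer and the client
 * configuration no PreConfiguredSTS, since both of those take priority.
 */
public final class AdfsDoubleItClient {

    // Placeholders: ADFS host plus its WS-Trust 1.3 usernamemixed and MEX endpoints.
    static final String STS_ENDPOINT = "https://adfs.example.test/adfs/services/trust/13/usernamemixed";
    static final String STS_MEX = "https://adfs.example.test/adfs/services/trust/mex";
    static final String SAML2_TOKEN_TYPE = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** WS-Trust 1.3 configuration for the usernamemixed endpoint. */
    static DefaultSTSIssuedTokenConfiguration stsConfig(String user, char[] password) {
        DefaultSTSIssuedTokenConfiguration cfg = new DefaultSTSIssuedTokenConfiguration(
                STSIssuedTokenConfiguration.PROTOCOL_13, STS_ENDPOINT, STS_MEX);
        // Ask for the token type the relying party is registered with in ADFS
        // (setter name assumed from Metro 2.x; verify against the jar in use).
        cfg.setTokenType(SAML2_TOKEN_TYPE);
        // usernamemixed = UsernameToken over TLS; these credentials are used for
        // the STS call only, not for the DoubleIt service call.
        Map<String, Object> opts = cfg.getOtherOptions();
        opts.put(BindingProvider.USERNAME_PROPERTY, user);
        opts.put(BindingProvider.PASSWORD_PROPERTY, new String(password));
        return cfg;
    }

    /** Builds the port with the STS configuration injected through STSIssuedTokenFeature. */
    static DoubleItPortType port(STSIssuedTokenConfiguration cfg) {
        DoubleItService service = new DoubleItService();
        STSIssuedTokenFeature feature = new STSIssuedTokenFeature(cfg);
        // The feature is what the security tube reads; wsimport generates this
        // WebServiceFeature varargs overload on the Service subclass.
        return service.getDoubleItPort(feature);
    }

    public static void main(String[] args) {
        String user = args.length > 0 ? args[0] : "GLOBAL\\user";
        char[] password = readPassword(user);
        try {
            DoubleItPortType port = port(stsConfig(user, password));
            System.out.println("doubleIt(10) = " + port.doubleIt(10));
        } catch (WebServiceException e) {
            // Metro wraps the SOAP fault from ADFS (e.g. a:InvalidScope / ID3082 when
            // AppliesTo is not a registered relying-party identifier) in the cause
            // chain; report the innermost cause rather than the outer wrapper.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.err.println("token request failed: " + root);
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /** Never hard-code the AD password: prompt on a console, else read ADFS_PASSWORD. */
    private static char[] readPassword(String user) {
        Console console = System.console();
        if (console != null) {
            return console.readPassword("ADFS password for %s: ", user);
        }
        String env = System.getenv("ADFS_PASSWORD");
        if (env == null) {
            throw new IllegalStateException("set ADFS_PASSWORD or run from a console");
        }
        return env.toCharArray();
    }
}
```

Run it with the AD password in ADFS_PASSWORD or at a console prompt, with the ADFS TLS certificate trusted by the JVM truststore. Metro fills AppliesTo in the RST from the service endpoint address, which is why the first RST above carried the WSDL's localhost:8088 address and ADFS answered ID3082 InvalidScope; that address has to equal an identifier configured on the DoubleIt relying party in ADFS.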

gchoi

I don't understand two things.

1. SAML token version: I specified SAML 2.0 in my WSDL as follows, but my RST
request is SAML 1.0. Where does SAML 1.0 come from? I want SAML 2.0, and my
relying party in ADFS 2.0 is specified as 2.0.

urn:oasis:names:tc:SAML:2.0:assertion

2. It seems that ADFS doesn't like namespace =
'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'. How do I get
past this?

gchoi

Here is my new RST to ADFS, and the following is the ADFS log.

Problem 1:
Microsoft.IdentityModel.SecurityTokenService.RequestFailedException: ID4007:
The symmetric key inside the requested security token must be encrypted.
What options do I have to encrypt the symmetric key?

Problem 2: Why does the SOAP envelope reference
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" while the body of the RST is
referencing urn:oasis:names:tc:SAML:2.0:assertion? Should I ignore whatever the
SOAP envelope says?

https://strts01.ams.dev/adfs/services/trust/13/usernamemixed
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

http://www.w3.org/2005/08/addressing/anonymous

http://www.w3.org/2005/08/addressing/anonymous

uuid:1536987d-68bf-42a1-9e8f-cb987fe8ca1c

2012-04-23T18:25:26Z
2012-04-23T18:30:26Z

xxxxx
xxxx

http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue

https://wkengchoi:8443/doubleit/services/doubleit

urn:oasis:names:tc:SAML:2.0:assertion

http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
128

CWFYPocFQtWvdvV6X9nZ6A==

http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1