
Metro Client with ADFS STS

39 replies
jebricker
Joined: 2009-05-18

I'm trying to figure out how to get a SAML token from ADFS STS. So I have several questions on this. I can not figure out which classes are needed just to ask for a SAML token. Any example of code for just asking an STS for a SAML token would be very, very helpful.

I have the cert from the STS and imported it into my Glassfish truststore. Is that all that is needed, or must I specify the cert?

I was trying to set up the SecureCalculator example to point to the ADFS STS rather than Glassfish. What do I need to modify to point the client to the SecurityTokenService and the correct endpoint?

kamathg
Joined: 2005-08-04

Hi,

I am working on how to authenticate (SSO) using a SAML token. I am using ADFS for federation and authentication. Please send me the code or a sample for connecting to ADFS using WS-Trust / Metro services.

Thank you.

Kamath

jdg6688
Joined: 2005-11-02

Looks like you already passed through the STS, and the
error is on the service side when processing the request
from the client.

Can you send me the log of the messages on the client side?

You may enable logging by setting the
com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true system property.

I suspect that


is causing the problem, since the Timestamp should be signed automatically. Not sure why it is set up there in the wsdl.

> Regarding the .NET error, I turned on WCF tracing and noticed the following:
>
> System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
> Message security verification failed.
>
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
> at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
> at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
> at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
> at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
> at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.Start()
> at System.Runtime.ActionItem.DefaultActionItem.Invoke()
> at System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)
> at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
> at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
> at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
>
> System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#_1' URI in the signature to compute the digest.
> at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
> at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
> at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
> --- End of inner exception stack trace ---
>
> InnerException>
> System.Security.Cryptography.CryptographicException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
> Unable to resolve the '#_1' URI in the signature to compute the digest.
>
> at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
> at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
> at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
>
> System.Security.Cryptography.CryptographicException: Unable to resolve the '#_1' URI in the signature to compute the digest.
> at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
> at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
> at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
>
> I also noticed some posts by you from 2008 where you mentioned there was a bug in WCF and to set establishsecuritycontext="false" in the web.config file. This threw a different type of exception:
>
> System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
> The message with Action 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT' cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver. Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None).
>
> at System.ServiceModel.Dispatcher.ErrorBehavior.ThrowAndCatch(Exception e, Message message)
> at System.ServiceModel.Dispatcher.ChannelHandler.ReplyFailure(RequestContext request, Message fault, String action, String reason, FaultCode code)
> at System.ServiceModel.Dispatcher.ChannelHandler.ReplyFailure(RequestContext request, FaultCode code, String reason, String action)
> at System.ServiceModel.Dispatcher.ChannelHandler.ReplyContractFilterDidNotMatch(RequestContext request)
> at System.ServiceModel.Dispatcher.ChannelHandler.EnsureChannelAndEndpoint(RequestContext request)
> at System.ServiceModel.Dispatcher.ChannelHandler.TryRetrievingInstanceContext(RequestContext request)
> at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
> at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
> at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
> at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
> at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
> at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
> at System.ServiceModel.Diagnostics.TraceUtility.<>c__DisplayClass4.<CallbackGenerator>b__2(AsyncCallback callback, IAsyncResult result)
> at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
> at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
> at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)
> at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
> at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
> at System.ServiceModel.Channels.HttpChannelListener.HttpContextReceived(HttpRequestContext context, Action callback)
> at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result)
> at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
> at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()
> at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state)
> at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
> at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
> at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
>
> System.ServiceModel.FaultException: The message with Action 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT' cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver. Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None).
mbenzel
Joined: 2010-03-23

Thanks for the info on the separate wsit-client files. The callbacks work now.

Here is the info from the log:

mbenzel
Joined: 2010-03-23

I forgot to wrap the lines. Hopefully this is better:

jdg6688
Joined: 2005-11-02

Ok.

So you already got the issued token from the STS and sent the request
to the service.

The issue is that you have


in the service wsdl. The Timestamp should be signed automatically. So when such a policy assertion is in the policy we sign the Timestamp twice, which is not what the service expected.

Question:

Why do you have it in the wsdl? Is it created automatically (we didn't see it before when interoperating with .NET)? Can you remove it?

mbenzel
Joined: 2010-03-23

Not sure why it is that way in the wsdl but I'm pretty sure we can remove it (I didn't create the service but it is only for testing purposes). I noticed that there are 2 of the following in the wsdl:



Just making sure - is that what you are referring to?

Thanks

jdg6688
Joined: 2005-11-02

Yes. Remove both of them.

mbenzel
Joined: 2010-03-23

That did the trick. So now I am getting the correct result.

Thanks so much for your help.

As I mentioned in an earlier email, the endpoint in the STS that I really want to be able to use is kerberosmixed and not usernamemixed (I thought it would be easier to start with username). Is there anything I need to watch out for?

Thanks again.

mbenzel
Joined: 2010-03-23

Well, I thought moving on to Kerberos would be more straightforward once I got username/password to work. However, there seems to be an issue having to do with the STS wsdl file (guessing) and it is not clear to me what the error message is trying to tell me. I followed an example by Ashutosh Shahi (Building Kerberos-Based Secure Services Using Metro) and added a KerberosConfig as he did in his blog but the error I am getting refers to KerberosToken.

Exception = javax.xml.ws.WebServiceException: java.lang.UnsupportedOperationException: addKeyBinding for Assertion[com.sun.xml.ws.security.impl.policy.KerberosToken] {
assertion data {
namespace = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'
prefix = 'sp'
local name = 'KerberosToken'
value = 'null'
optional = 'false'
ignorable = 'false'
attributes {
name = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy:IncludeToken', value = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once'
}
}
no parameters
nested policy {
namespace version = 'v1_5'
id = 'null'
name = 'null'
vocabulary {
1. entry = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy:WssGssKerberosV5ApReqToken11'
}
assertion set {
Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion data {
namespace = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'
prefix = 'sp'
local name = 'WssGssKerberosV5ApReqToken11'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
}
}
}
} is not supported

mbenzel
Joined: 2010-03-23

In stepping through in the debugger, it appears that the STS wsdl has elements specified in an order that Metro doesn't like.

TransportBindingProcessor::processSupportingTokens(EndorsingSupportingTokens est) is invoking TokenProcessor::addKeyBinding which throws the exception since it doesn't handle KerberosToken.

mbenzel
Joined: 2010-03-23

I'm going to move my question to a new thread.

jebricker
Joined: 2009-05-18

I'm in a similar situation. The attached files are how I'm doing the passwordCallback and SAMLCallback in the app.

I will try out the separate store for the truststore for the SSL cert.

I am also specifying the endpoint in the EndorsingSupportingTokens element. My issuerAddress is a bit different:
https://sd-tapping01.amp.icepoc.com/adfs/services/trust/

I'm using a username binding: UserNameWSTrustBinding_IWSTrust13Async

jebricker
Joined: 2009-05-18

To enable debug log for SSL on the client side, use
-Djavax.net.debug=all

I'm having issues attaching the Metro files to the library in NetBeans. I go through the exercise of associating them with the library (via Tools->Libraries, select Metro and the Sources tab), but I always get "source not found".

jdg6688
Joined: 2005-11-02

Can you share the STS wsdl with the configuration of
message authentication and message security?

Just curious what is there. Do they have a Kerberos token as
a ProtectionToken in SymmetricBinding?

Thanks!

Jiandong

jebricker
Joined: 2009-05-18

I'm still stuck on getting the SAML token from ADFS. I've gotten to the point where Metro is asking the SecurityTokenService for the MEX data. The SecurityTokenService and MEX endpoints use the https protocol, and I wondered if this was the problem. I've been trying to figure out how to get a debug trace to see what is happening, but I have been unsuccessful. I can reach the MEX endpoint with a browser, so it is working fine.

So if the server needs a cert plus I need an SSL cert for the transport, which one goes in the truststore and which in the keystore?

jdg6688
Joined: 2005-11-02

1. To enable debug log for SSL on the client side, use
-Djavax.net.debug=all

You may find the trust store used for SSL on the client side there.

2. Is your SSL server certificate issued by a CA or self-signed?

2.1 Check the trust store (cacerts.jks in Glassfish, or the JDK's for a standalone client)
to see if it contains the CA cert for your SSL server cert. Or, for a self-signed SSL cert,
you need to put the cert itself there.

2.2 Check whether your cert's CN matches the host name. By default we do the check.
If not, you may get around it with a custom HostnameVerifier:

static {
    // WORKAROUND. TO BE REMOVED.
    // This accepts any host name for every HTTPS connection in the JVM,
    // i.e. host name verification is switched off, not only for the STS.
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
        new javax.net.ssl.HostnameVerifier() {
            public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
                return true;
            }
        });
}
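The `return true` verifier above disables host name verification for every HTTPS connection in the JVM, not just the test STS, so the token request itself becomes interceptable by anyone who can put a certificate for any name on the path. As an added example (not code from this thread or from Metro), here is the scoped replacement a practitioner would use while the STS still has a self-signed certificate whose CN does not match the host: every other host keeps the JSSE default verifier, and the one named STS host is accepted only if the leaf certificate's SHA-256 fingerprint is the pinned one. The host name and fingerprint below are assumptions; the fingerprint of the exported STS certificate can be computed with `openssl x509 -in sts.cer -noout -fingerprint -sha256`.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Host name verifier for a test STS whose self-signed certificate does not
 * carry the host name. It tolerates the CN mismatch only for that one host,
 * and only when the presented leaf certificate has the expected SHA-256
 * fingerprint. All other hosts go through the normal JSSE verifier.
 */
public final class PinnedStsHostnameVerifier implements HostnameVerifier {

    private final HostnameVerifier fallback;
    private final String stsHost;        // assumed, e.g. "sts.example.test"
    private final String expectedSha256; // assumed hex fingerprint of the STS leaf cert

    public PinnedStsHostnameVerifier(HostnameVerifier fallback, String stsHost, String expectedSha256Hex) {
        this.fallback = fallback;
        this.stsHost = stsHost.toLowerCase(Locale.ROOT);
        this.expectedSha256 = expectedSha256Hex.replace(":", "").toLowerCase(Locale.ROOT);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (!stsHost.equals(hostname.toLowerCase(Locale.ROOT))) {
            // Not the test STS: the regular CN/SAN check still applies.
            return fallback.verify(hostname, session);
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain == null || chain.length == 0) {
                return false;
            }
            // chain[0] is the leaf the STS presented; compare its DER encoding's digest.
            return expectedSha256.equals(sha256Hex(chain[0].getEncoded()));
        } catch (SSLPeerUnverifiedException | CertificateEncodingException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Install on the JVM-wide default that Metro's HTTPS transport picks up. */
    public static void install(String stsHost, String expectedSha256Hex) {
        HostnameVerifier jsseDefault = HttpsURLConnection.getDefaultHostnameVerifier();
        HttpsURLConnection.setDefaultHostnameVerifier(
                new PinnedStsHostnameVerifier(jsseDefault, stsHost, expectedSha256Hex));
    }
}
```

Call `PinnedStsHostnameVerifier.install("sts.example.test", "<fingerprint>")` once at startup in place of the static block. This only covers the name mismatch in step 2.2; the STS certificate (or its CA) still has to be in the trust store from step 2.1 for the chain to validate at all, and the application service endpoint is still held to the normal CN/SAN match.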

mbenzel
Joined: 2010-03-23

Thanks for the response. I am able to use SSL fine. To answer your questions:

1. I have been using -Djavax.net.debug=all to monitor the SSL traffic and also using Fiddler2 to see the actual traffic

2. The SSL certificate is self-signed
2.1 I created a separate truststore into which I placed the SSL server cert. I have tried to configure that truststore in the wsit-client.xml file but that sometimes does not work. Therefore, for now for testing purposes I put it on the command line which seems to work:

-Djavax.net.ssl.trustStore=C:/test/mycacerts.jks -Djavax.net.ssl.trustStorePassword=changeit

2.2 The CN name matches the host name

The part that does not seem to be working is the next part where there needs to be some sort of authentication in order for a SAML token to be issued. Note that in the Mex.wsdl file, there are several endpoints that can be used for this authentication. From a .NET client I can specify either the kerberosmixed (KerberosWSTrustBinding_IWSTrustFeb2005Async) or usernamemixed (UserNameWSTrustBinding_IWSTrustFeb2005Async) endpoints and they work fine.

I am attempting to use the usernamemixed endpoint from a Java client but cannot seem to get it to work. I am specifying the endpoint in the sp:EndorsingSupportingTokens element and setting the Issuer Address to:

https://w20082-64-lee.symyx.com/adfs/services/trust/2005/usernamemixed

I am attempting to set the username/password with a callback handler but I am not clear where to put this in the wsit-client.xml file.

I get an exception that states the following so perhaps I am not successful in setting the username/password (my callback class never gets called):

Exception = javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.

One difference in the SOAP headers between the .NET and Java clients is that for the .NET client the SOAP header contains the following element:

o:Security [ s:mustUnderstand=1 xmlns:o=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd ]

while from the Java client, this element is not included. Ideally, in the long run, I would like to get the kerberosmixed endpoint to work.

Thanks again for your help with this.

jdg6688
Joined: 2005-11-02

You may find an example here:

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/basic/

In particular the client: http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/basic/src/f...

You have two endpoints: the service and the STS.

The one for the STS has the callback handler for username/password.

jdg6688
Joined: 2005-11-02

Also, another issue is that the ws-securitypolicy and ws-trust versions for the service
and the STS are different.
That is why security is not enabled for the STS.

So you need to set the trust version for the
STS in the wsit-client.xml with:

in the policy referenced by the service endpoint.

mbenzel
Joined: 2010-03-23

Thanks for pointing me to the sample. I am doing something similar in my wsit-client.xml file but it seems as if my Policy entries are not being used. For example, in the sample there is a ClientKeyStorePolicy for the service in which there is a TrustStore element. If I use the same construct and put the path and password for my truststore, it does not seem to get read. The default is used instead. If I put the reference on the command line, then my truststore is used.

A similar thing seems to happen for the Policy I use for the STS. From the exception printed to the console, it knows there should be a username callback handler and I have provided one, but it does not get called. Here is the error:

SEVERE: WSS1500: Username Handler Not Configured properly using Callback and is null. (not cofigured)

And the Policy contains the following (essentially copied from the sample):

xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client" >








If I do something like rename the Policies, then there is a parse error stating that they are not defined so it seems they are being read.

mbenzel
Joined: 2010-03-23

Actually, now that I look at the message from the exception closer, perhaps the problem is due to the following. What it seems to be saying is that a policy could not be found for msf:WindowsTransportSecurity and so it attempted to default to Username Handler which wasn't implemented. msf:WindowsTransportSecurity comes from NetTcpBinding_IWSTrustFeb2005Async in the STS wsdl. Not sure what I need to enter for this in the wsit-client.xml.

Mar 26, 2010 1:43:32 PM [com.sun.xml.ws.policy.EffectiveAlternativeSelector] selectAlternatives
WARNING: WSP0075: Policy assertion "{http://schemas.microsoft.com/ws/06/2004/mspolicy/netbinary1}BinaryEncoding" was evaluated as "UNKNOWN".
Mar 26, 2010 1:43:32 PM com.sun.xml.ws.security.impl.policy.Constants log_invalid_assertion
WARNING: SP0100: Policy assertion Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion data {
namespace = 'http://schemas.microsoft.com/ws/2006/05/framing/policy'
prefix = 'msf'
local name = 'WindowsTransportSecurity'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
parameters {
Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion parameter data {
namespace = 'http://schemas.microsoft.com/ws/2006/05/framing/policy'
prefix = 'msf'
local name = 'ProtectionLevel'
value = 'EncryptAndSign'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
}
}
no nested policy
} is not supported under Token assertion.
Mar 26, 2010 1:43:32 PM [com.sun.xml.ws.policy.EffectiveAlternativeSelector] selectAlternatives
WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "PARTIALLY_SUPPORTED".
Mar 26, 2010 1:43:32 PM [com.sun.xml.ws.policy.EffectiveAlternativeSelector] selectAlternatives
WARNING: WSP0075: Policy assertion "{http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication" was evaluated as "UNKNOWN".
Mar 26, 2010 1:43:32 PM [com.sun.xml.ws.policy.EffectiveAlternativeSelector] selectAlternatives
WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "PARTIALLY_SUPPORTED".
Mar 26, 2010 1:43:32 PM com.sun.xml.wss.impl.misc.DefaultCallbackHandler handleUsernameCallback
SEVERE: WSS1500: Username Handler Not Configured properly using Callback and is null. (not cofigured)
Mar 26, 2010 1:43:32 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getUsername
SEVERE: WSS0216: An Error occurred using Callback Handler for : UsernameCallback
Mar 26, 2010 1:43:32 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getUsername
SEVERE: WSS0217: An Error occurred using Callback Handler handle() Method.
javax.security.auth.callback.UnsupportedCallbackException: Username Handler Not Configured

jdg6688
Joined: 2005-11-02

This is fine. Is the client policy with the callback handlers referenced by the STS client?
The service name, binding, etc. should match the ones in the STS wsdl.

Can you post it?

Try setting the username and password programmatically in the client first to see if it works:

((javax.xml.ws.BindingProvider)port).getRequestContext().put(com.sun.xml.wss.XWSSConstants.USERNAME_PROPERTY, "alice");
((javax.xml.ws.BindingProvider)port).getRequestContext().put(com.sun.xml.wss.XWSSConstants.PASSWORD_PROPERTY, "passwd");

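One way to supply the username and password the STS endpoint needs, as an added example rather than code from this thread or from the Metro samples: a CallbackHandler that answers the XWSS `UsernameCallback` and `PasswordCallback` types Metro hands to the class named in the `sc:CallbackHandler` entry of wsit-client.xml, reading the credentials from environment variables instead of hard-coding `alice`/`passwd`. The variable names are assumptions. The static helper at the bottom is the programmatic route from the post above, useful for confirming the rest of the pipeline before the handler wiring is sorted out.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;
import com.sun.xml.wss.XWSSConstants;
import com.sun.xml.wss.impl.callback.PasswordCallback;
import com.sun.xml.wss.impl.callback.UsernameCallback;

/**
 * Username/password handler for the STS client endpoint. XWSS instantiates it
 * by class name (so it needs the no-arg constructor) and passes its own
 * UsernameCallback / PasswordCallback types, not the JAAS ones.
 *
 * Credentials are read from the environment so that no password lands in
 * source control or in the wsit-client.xml that ships with the client.
 */
public class StsUsernameCallbackHandler implements CallbackHandler {

    // Assumed variable names; use whatever your deployment provides.
    static final String USER_VAR = "ADFS_STS_USER";
    static final String PASS_VAR = "ADFS_STS_PASSWORD";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof UsernameCallback) {
                ((UsernameCallback) cb).setUsername(fromEnv(USER_VAR));
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(fromEnv(PASS_VAR));
            } else {
                // Anything else (SAML, certificate, ...) belongs to a different handler.
                // Failing loudly here surfaces as WSS0217 in the log instead of an empty token.
                throw new UnsupportedCallbackException(cb, "not handled here: " + cb.getClass().getName());
            }
        }
    }

    private static String fromEnv(String name) throws IOException {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IOException("environment variable " + name + " is not set");
        }
        return value;
    }

    /**
     * Programmatic alternative: bypass the handler lookup by putting the
     * credentials into the request context of the service port, as in the
     * post above. Handy for confirming the pipeline before the handler is wired.
     */
    public static void setCredentialsOnPort(Object port) throws IOException {
        BindingProvider bp = (BindingProvider) port;
        bp.getRequestContext().put(XWSSConstants.USERNAME_PROPERTY, fromEnv(USER_VAR));
        bp.getRequestContext().put(XWSSConstants.PASSWORD_PROPERTY, fromEnv(PASS_VAR));
    }
}
```

Reference the class from the `sc:CallbackHandler name="usernameHandler"` and `name="passwordHandler"` entries of the STS client policy in wsit-client.xml. If the handler is still never called, the policy is not being selected for the STS port at all, which is a name/namespace mismatch between wsit-client.xml and the STS wsdl rather than a problem in the handler.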

mbenzel
Joined: 2010-03-23

I have attached the wsit-client file I am using.

If I set the username and password programmatically, then I get past the problem of not finding the callback handlers and if I look at the SOAP messages, there is now a Security element in the header that contains the proper username and password.

My client code is now almost identical to that in the following sample (except for the fact that I am writing a standalone java client and not a servlet):

http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/basic/src/c...

At this point the error I am getting is:

Exception = javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.

The SOAP messages from my Java client are very similar to the ones from the .NET client so I believe I am close.

Thanks again for the help.

jdg6688
Joined: 2005-11-02

> I have attached the wsit-client file I am using.

The namespace for the STS in wsit-client.xml doesn't match the one in the STS wsdl:
"http://tempuri.org/" vs. "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"

That is the reason the callback handler was not invoked.

>
> If I set the username and password programmatically,
> then I get past the problem of not finding the
> callback handlers and if I look at the SOAP messages,
> there is now a Security element in the header that
> contains the proper username and password.
>
> My client code is now almost identical to that in the
> following sample (except for the fact that I am
> writing a standalone java client and not a servlet):
>
> http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws
> -trust/basic/src/common/ClientServlet.java
>
> At this point the error I am getting is:
>
> Exception = javax.xml.ws.soap.SOAPFaultException: An
> error occurred when verifying security for the
> message.
This is a generic error code from .NET. It could be that the username/password are not correct, or the time is not in sync, etc. Check the stack trace on the STS to see the real reason.

Thanks!

Jiandong

>
> The SOAP messages from my Java client are very
> similar to the ones from the .NET client so I believe
> I am close.
>
> Thanks again for the help.
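Metro selects the client-side STS configuration by the service and port QName, so a wrong targetNamespace in wsit-client.xml means the policy carrying the callback handlers is never applied, which is exactly the WSS1500 symptom seen earlier in the thread. As an added example (not part of the thread or of Metro), the following check parses both documents and lists every service/port declared in wsit-client.xml that has no exact counterpart in the STS wsdl. It assumes the conventional shape where the service QName takes the `targetNamespace` of the enclosing `definitions` element; the two inline documents are constructed stand-ins using the two namespaces from the post and an assumed port name.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Flags wsit-client.xml service/port entries whose QName differs from the STS wsdl. */
public final class StsEntryCheck {

    private static final String WSDL_NS = "http://schemas.xmlsoap.org/wsdl/";

    /** What Metro keys the client configuration on: namespace, service name, port name. */
    public static final class Entry {
        public final String namespace, service, port;
        Entry(String namespace, String service, String port) {
            this.namespace = namespace; this.service = service; this.port = port;
        }
        @Override public boolean equals(Object o) {
            if (!(o instanceof Entry)) return false;
            Entry e = (Entry) o;
            return namespace.equals(e.namespace) && service.equals(e.service) && port.equals(e.port);
        }
        @Override public int hashCode() { return (namespace + "|" + service + "|" + port).hashCode(); }
        @Override public String toString() { return "{" + namespace + "}" + service + "/" + port; }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The STS wsdl/MEX document comes off the network: no DOCTYPE, no entity expansion.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Every {targetNamespace}service/port pair declared in a wsdl-shaped document. */
    static List<Entry> entries(Document doc) {
        String tns = doc.getDocumentElement().getAttribute("targetNamespace");
        List<Entry> out = new ArrayList<Entry>();
        NodeList services = doc.getElementsByTagNameNS(WSDL_NS, "service");
        for (int i = 0; i < services.getLength(); i++) {
            Element svc = (Element) services.item(i);
            NodeList ports = svc.getElementsByTagNameNS(WSDL_NS, "port");
            for (int j = 0; j < ports.getLength(); j++) {
                out.add(new Entry(tns, svc.getAttribute("name"), ((Element) ports.item(j)).getAttribute("name")));
            }
        }
        return out;
    }

    /** Client entries with no exact match on the STS side: their policy will never be applied. */
    static List<Entry> unmatched(Document clientConfig, Document stsWsdl) {
        List<Entry> stsEntries = entries(stsWsdl);
        List<Entry> bad = new ArrayList<Entry>();
        for (Entry e : entries(clientConfig)) {
            if (!stsEntries.contains(e)) bad.add(e);
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal stand-ins for the real documents; the port name is assumed.
        String stsWsdl = "<wsdl:definitions xmlns:wsdl='" + WSDL_NS + "'"
            + " targetNamespace='http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice'>"
            + "<wsdl:service name='SecurityTokenService'>"
            + "<wsdl:port name='UserNameWSTrustBinding_IWSTrust13Async'/></wsdl:service></wsdl:definitions>";
        String wsitClient = "<wsdl:definitions xmlns:wsdl='" + WSDL_NS + "' targetNamespace='http://tempuri.org/'>"
            + "<wsdl:service name='SecurityTokenService'>"
            + "<wsdl:port name='UserNameWSTrustBinding_IWSTrust13Async'/></wsdl:service></wsdl:definitions>";

        List<Entry> bad = unmatched(parse(wsitClient), parse(stsWsdl));
        if (bad.isEmpty()) {
            System.out.println("wsit-client.xml STS entries match the STS wsdl");
        } else {
            System.out.println("no STS wsdl service/port for: " + bad);
            System.out.println("STS wsdl declares: " + entries(parse(stsWsdl)));
        }
    }
}
```

With the two constructed documents the check reports the tempuri.org entry as unmatched and prints the ADFS-side QName to copy into wsit-client.xml. Point `parse` at the real files (or at the MEX response fetched from the STS) to run it against an actual deployment.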

mbenzel
Joined: 2010-03-23

Regarding the .NET error, I turned on WCF tracing and noticed the following:


System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message security verification failed.

at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.Start()
at System.Runtime.ActionItem.DefaultActionItem.Invoke()
at System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)
at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)

System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#_1' URI in the signature to compute the digest.
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
--- End of inner exception stack trace ---


System.Security.Cryptography.CryptographicException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Unable to resolve the '#_1' URI in the signature to compute the digest.

at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)

System.Security.Cryptography.CryptographicException: Unable to resolve the '#_1' URI in the signature to compute the digest.
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)


I also noticed some posts by you from 2008 where you mentioned there was a bug in WCF and to set establishsecuritycontext="false" in the web.config file. This threw a different type of exception:


System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The message with Action 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT' cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver. Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None).

at System.ServiceModel.Dispatcher.ErrorBehavior.ThrowAndCatch(Exception e, Message message)
at System.ServiceModel.Dispatcher.ChannelHandler.ReplyFailure(RequestContext request, Message fault, String action, String reason, FaultCode code)
at System.ServiceModel.Dispatcher.ChannelHandler.ReplyFailure(RequestContext request, FaultCode code, String reason, String action)
at System.ServiceModel.Dispatcher.ChannelHandler.ReplyContractFilterDidNotMatch(RequestContext request)
at System.ServiceModel.Dispatcher.ChannelHandler.EnsureChannelAndEndpoint(RequestContext request)
at System.ServiceModel.Dispatcher.ChannelHandler.TryRetrievingInstanceContext(RequestContext request)
at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.ServiceModel.Diagnostics.TraceUtility.<>c__DisplayClass4.<CallbackGenerator>b__2(AsyncCallback callback, IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)
at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
at System.ServiceModel.Channels.HttpChannelListener.HttpContextReceived(HttpRequestContext context, Action callback)
at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result)
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state)
at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)

System.ServiceModel.FaultException: The message with Action 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT' cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver. Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None).

With regard to the callback and the namespaces, I guess I'm not clear on what I would all need to change. In the wsit-client.xml file, in the section for the tc:PreconfiguredSTS, I had already set the namespace of the STS to that which is in the STS wsdl file (the one I called Mex.wsdl). Do I need to set the targetNamespace in the STS wsdl file to be http://tempuri.org so that all namespaces are the same?

jdg6688
Offline
Joined: 2005-11-02

> With regard to the callback and the namespaces, I
> guess I'm not clear on what I would all need to
> change. In the wsit-client.xml file, in the section
> for the tc:PreconfiguredSTS, I had already set the
> namespace of the STS to that which is in the STS wsdl
> file (the one I called Mex.wsdl). Do I need to set
> the targetNamespace in the STS wsdl file to be
> http://tempuri.org so that all namespaces are the
> same?

It is required that wsit-client.xml matches the corresponding wsdl.

In your case, wsit-client.xml uses targetNamespace="http://tempuri.org/", but the STS wsdl has
targetNamespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice".

You may pull the one for the STS out of wsit-client.xml into a separate file: sts-client.xml.
Set the target namespace properly there and then import sts-client.xml in wsit-client.xml:

jebricker
Offline
Joined: 2009-05-18

I'm having the same problems with the Username Handler Not Configured exception.

WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication, UNKNOWN)
WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
SEVERE: WSS1500: Username Handler Not Configured properly using Callback and is null. (not cofigured)
SEVERE: WSS0216: An Error occurred using Callback Handler for : UsernameCallback
SEVERE: WSS0217: An Error occurred using Callback Handler handle() Method.
javax.security.auth.callback.UnsupportedCallbackException: Username Handler Not Configured

I have checked the targetNamespace and I am setting the user name and password in the code:

((javax.xml.ws.BindingProvider)port).getRequestContext().put(com.sun.xml.wss.XWSSConstants.USERNAME_PROPERTY, "alice");
((javax.xml.ws.BindingProvider)port).getRequestContext().put(com.sun.xml.wss.XWSSConstants.PASSWORD_PROPERTY, "alicePassword");

jdg6688
Offline
Joined: 2005-11-02

The callback handler for the username should be specified in the configuration for the STS client, not the service client. That is in the policy "STSClientKeystorePolicy".
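An added illustration of the split described in this thread (example configuration, not from this thread or from Metro's own samples): sts-client.xml carries the STS namespace and the username/password callback handlers on the STS client policy, and wsit-client.xml imports it and references the STS with tc:PreconfiguredSTS. The endpoint URL, binding/port/service names, the keystore path and alias and the credential defaults are placeholders or constructed values, and the element and attribute names are assumed to follow Metro's client configuration schema, so check them against the Metro ws-trust sample.

```xml
<!-- sts-client.xml: STS client configuration pulled out of wsit-client.xml.
     Its targetNamespace must equal the targetNamespace of the STS wsdl (Mex.wsdl). -->
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    name="sts-client"
    targetNamespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice">
  <!-- the STS wsdl saved locally; binding and portType names are placeholders, copy them from it -->
  <import location="Mex.wsdl"
          namespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"/>
  <binding name="STS_BINDING_NAME_FROM_WSDL" type="STS_PORTTYPE_FROM_WSDL">
    <wsp:PolicyReference URI="#STSClientKeystorePolicy"/>
  </binding>
  <wsp:Policy wsu:Id="STSClientKeystorePolicy">
    <wsp:ExactlyOne><wsp:All>
      <!-- username/password callbacks live here, on the STS client, not on the
           service client's policy; the defaults are constructed sample values -->
      <sc:CallbackHandlerConfiguration wspp:visibility="private">
        <sc:CallbackHandler name="usernameHandler" default="alice"/>
        <sc:CallbackHandler name="passwordHandler" default="alicePassword"/>
      </sc:CallbackHandlerConfiguration>
      <!-- truststore holding the STS certificate; path, password and alias are placeholders -->
      <sc:TrustStore wspp:visibility="private" type="JKS"
          location="/path/to/client-truststore.jks" storepass="changeit"
          peeralias="adfs-sts"/>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
</definitions>

<!-- wsit-client.xml: service client configuration. It imports sts-client.xml under the
     STS namespace and points the IssuedToken policy at ADFS via tc:PreconfiguredSTS. -->
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    name="wsit-client" targetNamespace="http://tempuri.org/">
  <import location="sts-client.xml"
          namespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"/>
  <import location="service.wsdl" namespace="http://tempuri.org/"/>
  <binding name="SERVICE_BINDING_NAME_FROM_WSDL" type="SERVICE_PORTTYPE_FROM_WSDL">
    <wsp:PolicyReference URI="#ServiceClientPolicy"/>
  </binding>
  <wsp:Policy wsu:Id="ServiceClientPolicy">
    <wsp:ExactlyOne><wsp:All>
      <!-- endpoint, serviceName and portName are placeholders: take them from the STS wsdl;
           wstVersion selects WS-Trust 1.3 (the ws-trust/200512 namespace seen in the faults) -->
      <tc:PreconfiguredSTS wspp:visibility="private"
          endpoint="https://ADFS_HOST/adfs/services/trust/13/usernamemixed"
          wsdlLocation="Mex.wsdl"
          namespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"
          serviceName="SecurityTokenService" portName="STS_PORT_NAME_FROM_WSDL"
          wstVersion="http://docs.oasis-open.org/ws-sx/ws-trust/200512"/>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
</definitions>
```

Both files go on the client classpath (META-INF for a jar, WEB-INF/classes for a web module); the point to check first is that every import namespace matches the targetNamespace of the wsdl it refers to.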

jebricker
Offline
Joined: 2009-05-18

I've gotten past most of the problems with the help of the samples and this forum. This latest one must be something I'm missing in my config.

As near as I can tell it is not picking up the signed parts from the WSDL. Do the signed parts need to be in the wsit-client.xml?

I've attached the wsdl for the service I'm going to ( not the STS service).

WARNING: SP0100: Policy assertion Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion data {
namespace = 'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'MustNotSendAmend'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
} is not supported under SecureConversationToken assertion.
SEVERE: SEC2004: Container-auth: wss: Error securing request
java.lang.NullPointerException
at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.requireSC(BindingProcessor.java:334)
at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.addPrimaryTargets(BindingProcessor.java:314)
at com.sun.xml.ws.security.impl.policyconv.SymmetricBindingProcessor.process(SymmetricBindingProcessor.java:154)


suresh

On Wednesday 14 April 2010 01:06 AM, metro@javadesktop.org wrote:
> I've gotten past most of the problems with the help of the samples and this form. This latest one must be something I'm missing in my config.
>
> As near as I can tell it is not picking up the signed parts from the WSDL. Do the signed parts need to be in the wsit-client.xml?
>
> I've attached the wsdl for the service I'm going to ( not the STS service).
>
> WARNING: SP0100: Policy assertion Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
> assertion data {
> namespace = 'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
> prefix = 'sp'
> local name = 'MustNotSendAmend'
> value = 'null'
> optional = 'false'
> ignorable = 'false'
> no attributes
> }
> no parameters
> no nested policy
> } is not supported under SecureConversationToken assertion.
> SEVERE: SEC2004: Container-auth: wss: Error securing request
> java.lang.NullPointerException
> at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.requireSC(BindingProcessor.java:334)
> at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.addPrimaryTargets(BindingProcessor.java:314)
> at com.sun.xml.ws.security.impl.policyconv.SymmetricBindingProcessor.process(SymmetricBindingProcessor.java:154)
>
> [code]
>

We fixed the NPE recently.
If you use the latest nightly builds, you can overcome this NPE.
Thanks,
Suresh

> [Message sent by forum member 'jebricker']
>
> http://forums.java.net/jive/thread.jspa?messageID=396759
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
> For additional commands, e-mail: users-help@metro.dev.java.net
>
>


d039113
Offline
Joined: 2007-01-11

Let me comment on the Kerberos related parts as I'd also been looking into this.
My plan was using SSO from a Java desktop application to an SAP backend system, where the ws-consumer would use Kerberos for initial authentication at the ADFS 2.0 STS and obtain a SAML 1.1 or SAML 2.0 token.

I got Kerberos in general working, i.e. managed to obtain a Windows Integrated Authentication protected document from an IIS web server from a Java application.

The bindings in ADFS 2.0 are preconfigured, so there is no option of adding additional bindings. ADFS has bindings using transport authentication and transport security or using message authentication and message security or mixed.

The simplest would be SPNego (-> transport authentication) with transport security (SSL), but this is not supported by Metro. The alternative would be using Windows authentication with message security, but this is using a symmetric binding with a SPNegoContextToken as protection token.
From my understanding SPNegoContextToken is also not supported, so I'd guess getting a token with Kerberos from ADFS 2.0 is not possible.

I'd see the possible alternatives:
1) Setup a configuration using two STS, one based on Metro using a kerberos binding and one ADFS. First get a SAML 2.0 token from the Metro STS and send this to ADFS to obtain a token from that one.
2) Rewrite the WSDL to use a SAML Token instead of an IssuedToken and use the callback handler to obtain a SAML token from the ADFS 2.0, i.e. using http://spnego.sourceforge.net/

jdg6688
Offline
Joined: 2005-11-02

In the STS wsdl from this user's post, it actually has an endpoint with a TransportBinding policy
using a Kerberos Token as an EndorsingSupportingToken.

No need to use SpNego with it.

mbenzel
Offline
Joined: 2010-03-23

Here is more information on what I have attempted to do.

We have a simple web service running that has a GetData method which simply returns a number passed to it. That web service requires a SAML token from ADFS.

The first step was to write a .NET client which calls the web service GetData method. When generating the proxies from the web service wsdl, a lot of information gets added to the app.config file regarding how to connect to the token service in order to get the token. Everything works fine from the .NET client point of view. The token service has a large number of authentication endpoints and I can obtain a token using either Kerberos or username/password authentication.

The next step was to attempt to write a Java client that also calls the web service GetData method. I have not been able to obtain a token from the STS using either Kerberos or username/password authentication, and in looking at the https traffic, it appears that there is no security token being passed in the request for the token (it is being passed in the .NET client case).

I have attached the wsdls for the web and token service. Any pointers on how to set up a wsit-client.xml appropriately would be a great help.

Thanks

jdg6688
Offline
Joined: 2005-11-02
mbenzel
Offline
Joined: 2010-03-23

I have been attempting to follow this. When working with Quality of Service, only Keystore is enabled. So I entered the Keystore and Truststore values manually as mentioned in the instructions. If I open Edit Web Service Attributes after this, only Keystore is still enabled.

Also, in the instructions there is the following:

Expand the Security Token Service node to provide details for the STS to be used. When the Endpoint and the Metadata values are the same, you only need to enter the Endpoint value. For the Endpoint field, enter the following value: http://localhost:8080/MySTSProject/MySTSService. For WS Trust Version field, select 1.3 if STS endpoint uses ".NET 3.5 / Metro 1.3" version compatibility. Otherwise use the default WS Trust Version.

There is no Security Token Service node.

jdg6688
Offline
Joined: 2005-11-02

> I have been attempting to following this. When
> working with Quality of Service, only Keystore is
> enabled. So I entered in Keystore and Truststore
> values manually as mentioned in the instructions. If
> I open Edit Web Service Attributes after this, only
> Keystore is still enabled.

It is TransportBinding (SSL is used). So no Truststore is needed on the client side.
>
> Also, in the instructions there is the following:
>
> Expand the Security Token Service node to provide
> details for the STS to be used. When the Endpoint and
> the Metadata values are the same, you only need to
> enter the Endpoint value. For the Endpoint field,
> enter the following value:
> http://localhost:8080/MySTSProject/MySTSService. For
> WS Trust Version field, select 1.3 if STS endpoint
> uses ".NET 3.5 / Metro 1.3" version compatibility.
> Otherwise use the default WS Trust Version.
You don't need this step since the STS information is specified in the service WSDL.

>
> There is no Security Token Service node.

mbenzel
Offline
Joined: 2010-03-23

Did you ever figure out what you all needed to do? I am attempting to do the same thing and am not getting anywhere. Any pointers would be greatly appreciated.

jdg6688
Offline
Joined: 2005-11-02

If you just want to get SAML assertion from STS, check out the code in getSAMLAssertionFromSTS in
http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/validate/sr...

gchoi
Offline
Joined: 2012-03-19

I am working on building a RequestSecurityToken to send to ADFS 2.0 to receive a RequestSecurityTokenResponse that contains an Assertion token. This is my case. A user logged on to my application over browser-based Single Sign On. My application is set up as Relying Party A in ADFS 2.0 and I have an assertion token for the user from Relying Party B. Now I need to exchange this Assertion token with another Relying Party B in ADFS 2.0 to get an assertion token related to Relying Party B for the user. Could anyone tell me how my RequestSecurityToken is supposed to look?

Thanks.

Gina