
I am processing a SAML2 token in WIF which contains an EncryptedAssertion. The EncryptedKey mark-up does NOT carry a "Subject Key Identifier" (SKI) reference, because the encrypting certificate has no SKI extension, and as a result the WIF SecurityTokenHandler fails when it tries to locate the matching X509 certificate in the LocalMachine/Personal (My) store.

The issue is clearly that the certificate used to encrypt the token does not contain the SKI extension, and the token generation code (Java) does not seem to require it. To avoid having to modify the generation code, is there a way I can get the WIF SecurityTokenResolver to NOT match the received token's key identifier against the certificate's SKI, but simply use the configured local-store certificate directly to decrypt the token?


1 Answer


In the end I implemented a custom SecurityTokenResolver and overrode TryResolveSecurityKeyCore so that the wrapped symmetric key is decrypted with the configured certificate's private key without ever matching the clause's key identifier. Note that this bypasses key-identifier matching entirely, so the resolver must only be handed the certificate that is actually meant for decryption.

Here is the code:

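/// <summary>
/// Resolves the symmetric key protecting a SAML2 EncryptedAssertion when the
/// token's <c>EncryptedKey</c> carries no usable key identifier (for example
/// because the encrypting certificate has no Subject Key Identifier extension).
/// </summary>
/// <remarks>
/// This resolver deliberately does NOT consult the clause's <c>EncryptingKeyIdentifier</c>:
/// it always unwraps with the private key of the first token it was constructed with.
/// That is only safe when the caller hands it exactly the certificate the relying
/// party intends to decrypt with; with several candidate certificates the wrong one
/// would simply be tried and resolution would fail.
/// <para>
/// Both <c>rsa-1_5</c> (PKCS#1 v1.5) and <c>rsa-oaep-mgf1p</c> key transport are accepted.
/// PKCS#1 v1.5 is kept only because the (Java) issuer produces it; prefer OAEP on the
/// issuer side when it can be changed, since v1.5 decryption is exposed to padding-oracle
/// (Bleichenbacher) attacks whenever decryption failures are observable to the sender.
/// </para>
/// </remarks>
public class mySaml2SSOSecurityTokenResolver : SecurityTokenResolver
{
    // XML Encryption 1.0 key-transport algorithm identifiers.
    private const string Rsa15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
    private const string RsaOaepMgf1p = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    // Kept as the caller's list (not copied) so that a list populated after
    // construction is still honoured, as in the original implementation.
    private readonly List<SecurityToken> _tokens;

    /// <summary>
    /// Creates a resolver that unwraps encrypted keys with the private key of the
    /// first token in <paramref name="tokens"/>, which must be an <see cref="X509SecurityToken"/>.
    /// </summary>
    /// <param name="tokens">Candidate tokens; only the first entry is used.</param>
    /// <exception cref="ArgumentNullException"><paramref name="tokens"/> is null.</exception>
    public mySaml2SSOSecurityTokenResolver(List<SecurityToken> tokens)
    {
        if (tokens == null)
        {
            throw new ArgumentNullException("tokens");
        }
        _tokens = tokens;
    }

    /// <summary>
    /// Unwraps the symmetric key carried by an <see cref="EncryptedKeyIdentifierClause"/>
    /// using the resolver's X.509 private key, ignoring any key identifier in the clause.
    /// </summary>
    /// <param name="keyIdentifierClause">The clause built from the EncryptedAssertion's EncryptedKey element.</param>
    /// <param name="key">On success, the unwrapped symmetric key; otherwise null.</param>
    /// <returns>
    /// true if a key was unwrapped; false if the clause is not an EncryptedKey clause, uses an
    /// unsupported key-transport algorithm, no usable RSA private key is configured, or the
    /// ciphertext cannot be decrypted. Never returns true with a null <paramref name="key"/>.
    /// </returns>
    protected override bool TryResolveSecurityKeyCore(System.IdentityModel.Tokens.SecurityKeyIdentifierClause keyIdentifierClause, out System.IdentityModel.Tokens.SecurityKey key)
    {
        key = null;

        var ekec = keyIdentifierClause as EncryptedKeyIdentifierClause;
        if (ekec == null)
        {
            // Only EncryptedKey clauses carry a wrapped key; anything else is not ours to resolve.
            return false;
        }

        bool useOaep;
        switch (ekec.EncryptionMethod)
        {
            case Rsa15:
                useOaep = false;
                break;
            case RsaOaepMgf1p:
                useOaep = true;
                break;
            default:
                // Unknown or unsupported key-transport algorithm (e.g. a symmetric key wrap).
                return false;
        }

        var rsa = GetRsaPrivateKey();
        if (rsa == null)
        {
            return false;
        }

        try
        {
            // The clause's EncryptingKeyIdentifier is intentionally not matched: the issuer's
            // certificate has no SKI, so matching would always fail (see class remarks).
            var unwrapped = rsa.Decrypt(ekec.GetEncryptedKey(), useOaep);
            key = new InMemorySymmetricSecurityKey(unwrapped);
            return true;
        }
        catch (CryptographicException)
        {
            // Wrong key, bad padding or malformed ciphertext. Report "not resolved" instead of
            // the original behaviour (success with a null key), and do not propagate the
            // exception detail towards the sender: for rsa-1_5 the ability to tell a padding
            // failure apart from other failures is exactly what a padding-oracle attack needs.
            key = null;
            return false;
        }
    }

    /// <summary>
    /// Returns the RSA private key of the first configured token, or null when the list is
    /// empty, the first token is not an X.509 token, the certificate has no private key, or
    /// the key is not exposed as an <see cref="RSACryptoServiceProvider"/>.
    /// </summary>
    private RSACryptoServiceProvider GetRsaPrivateKey()
    {
        if (_tokens.Count == 0)
        {
            return null;
        }

        var x509Token = _tokens[0] as X509SecurityToken;
        if (x509Token == null || x509Token.Certificate == null || !x509Token.Certificate.HasPrivateKey)
        {
            return null;
        }

        // NOTE(review): PrivateKey is the legacy CAPI accessor. For a key stored in a CNG
        // provider it may throw or not be an RSACryptoServiceProvider - confirm against the
        // store the decryption certificate is actually installed in.
        return x509Token.Certificate.PrivateKey as RSACryptoServiceProvider;
    }

    /// <summary>
    /// Token resolution by clause is not supported; this resolver only unwraps keys.
    /// Follows the Try-contract by returning false rather than throwing, so a caller that
    /// probes the resolver for a token sees "not found" instead of a fault.
    /// </summary>
    protected override bool TryResolveTokenCore(System.IdentityModel.Tokens.SecurityKeyIdentifierClause keyIdentifierClause, out System.IdentityModel.Tokens.SecurityToken token)
    {
        token = null;
        return false;
    }

    /// <summary>
    /// Token resolution by key identifier is not supported; this resolver only unwraps keys.
    /// Returns false rather than throwing, consistent with the clause overload above.
    /// </summary>
    protected override bool TryResolveTokenCore(System.IdentityModel.Tokens.SecurityKeyIdentifier keyIdentifier, out System.IdentityModel.Tokens.SecurityToken token)
    {
        token = null;
        return false;
    }
}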
