6

I need to create a .NET client for a wso2 Secure Token Service.

Normally I would create a simple console or WinForm project adding a Service Reference to it. The exposed WSDL would be turned in a set of classes that I can use to query the service and to properly manage its response.

Unfortunately, the generated request and response classes are empty: just the class declaration without any property or method. This is similar to the behaviour described in this other (unanswered) Stack Overflow question https://stackoverflow.com/q/22049080/2131913

I have found a sample request for the service in this forum post: http://cxf.547215.n5.nabble.com/Sample-STS-Client-tp4643980p4664175.html and I made it to work with SOAP UI.

Is there a proper, and possibly automated, way to recreate the complex data structure needed to query the Secure Token Service?

EDIT

OK, after many tries I have reduced the SOAP request from the above forum post to the minimal structure needed to still get a RequestSecurityTokenResponse from the STS service.

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-6D35592DCDDA26FFF3141578725699577">
        <wsse:Username>USERNAME HERE</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD HERE</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp wsu:Id="TS-6D35592DCDDA26FFF3141578725699576">
        <wsu:Created>2014-11-12T10:14:16.995Z</wsu:Created>
        <wsu:Expires>2014-11-12T10:16:16.995Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <wsa:Action soap:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
    <wsa:MessageID soap:mustUnderstand="1">uuid:6d4eab69-77f9-42b7-8d6b-1f710020fb0b</wsa:MessageID>
    <wsa:To soap:mustUnderstand="1">STS ENDPOINT ADDRESS HERE</wsa:To>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
      <wst:Claims>
        <wsid:ClaimType Uri="http://wso2.org/claims/userid" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
      </wst:Claims>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

I have obtained a partial success defining in the app.config of my project either a single wsHttpBinding like the following:

  <wsHttpBinding>
    <binding name="SendUsername"  messageEncoding="Text">
      <security mode ="TransportWithMessageCredential">
        <message clientCredentialType ="UserName"/>
        <transport clientCredentialType ="Basic" />
      </security>
    </binding>
  </wsHttpBinding>

with or without adding a CustomBinding like the following:

<customBinding>
     <binding name="wso2carbon-stsSoap12Binding">
      <security defaultAlgorithmSuite="Default" authenticationMode="IssuedToken"
        requireDerivedKeys="true" securityHeaderLayout="Lax" includeTimestamp="true">
        <localClientSettings detectReplays="false" />
        <localServiceSettings detectReplays="false" />
        <issuedTokenParameters keyType ="SymmetricKey" tokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <issuer address =STS ENDPOINT ADDRESS HERE binding ="wsHttpBinding" bindingConfiguration ="SendUsername"/>
          <claimTypeRequirements>
            <add claimType ="http://wso2.org/claims/userid"/>
          </claimTypeRequirements>
        </issuedTokenParameters>
      </security>
      <textMessageEncoding messageVersion="Soap12" />
      <httpsTransport />
    </binding>
  </customBinding>

In both cases however the request throws a timeout exception, and inspecting with WCF tracing the issued request I can see that it is missing the Claims element. Any hints?

Community
  • 1
  • 1
sblandin
  • 904
  • 4
  • 11
  • 25

2 Answers2

4

Please refer this article

Security Token Service with WSO2 Identity Server 2.0

For more insight on this please refer:

http://wso2.com/library/3190/

Configuring WSO2 Identity Server Passive STS with an ASP.NET Client

tk_
  • 16,415
  • 8
  • 80
  • 90
  • 1
    Thanks for the link, but they can't help me for two reason. The first one is that I don't have access to the service configuration, and the second one is that the samples are in Java and I need a .NET client – sblandin Nov 17 '14 at 08:49
2

After many days struggling with WCF configuration option I have obtained a partial success.

The key that allows me to obtain a response from the Security Token Service is that I realized that, in the long term, I will need to operate in a federated security scenario. I don't need the token per se, but I need it to obtain a mean to authenticate to other services.

With this option in mind I started to explore what WCF has to offer for this kind of scenario and I built the following configuration options:

  <wsFederationHttpBinding>
    <binding name="fs">
      <security mode="TransportWithMessageCredential">
        <message issuedKeyType="SymmetricKey" issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <issuer address = <!-- STS address here --> binding ="customBinding" bindingConfiguration ="StsBinding"/>
          <claimTypeRequirements>
            <add claimType="http://wso2.org/claims/userid" />
          </claimTypeRequirements>
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>

The above binding is used to contact the service that needs token authentication while the following adds further instructions about how to contact the security token issuer:

  <customBinding>
    <binding name="StsBinding">
      <textMessageEncoding messageVersion="Soap12WSAddressingAugust2004"/>
      <useManagedPresentation/>
      <security authenticationMode="UserNameOverTransport" includeTimestamp ="true" keyEntropyMode ="ServerEntropy" securityHeaderLayout ="Lax"   
                messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" >
      </security>
      <httpsTransport authenticationScheme ="Basic"/>
    </binding>
  </customBinding>

With this configuration, and with the help of Fiddler and WCF trace I can see I get a Security Token Response from the STS issuer.

Howevere as I said, in the beginnig, this was only a partial success because WCF infrastructure, when processing the token, says that it has a wrong action... but this can be the subjet of another question ;-)

I hope this can be considered a valid answer although my quest for token authentication is not yet concluded

sblandin
  • 904
  • 4
  • 11
  • 25