How to validate SAML2.0 Assertion in interoperable WCF-service

I'm scratching my eyes out for a couple of days now, to get my WCF-service validate a simple SAML2 Assertion. I'm testing it with an Axis2 client, but it should support Java, C++, etc, too.

I only want to do a few validations on the token: 1. Certificate issuer (from a list of valid issuers) 2. Certificate date 3. Audience URL

So I should be able to do a custom certificate validation. The certificate is not known on the server, it is part of the SAML assertion. This is the SAML assertion used:

<saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="_7d8e48d69047d3c3da278b33b8f13485" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>demo.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
<ds:Reference URI="#_7d8e48d69047d3c3da278b33b8f13485"> 
<ds:Transforms> 
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">     <ec:InclusiveNamespaces PrefixList="ds saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
  </ds:Transform> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>     <ds:DigestValue>SsVSD3gENtKpZTjJBHNovQVXa4o=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo>  
<ds:SignatureValue>Mn+FNBrlyWz5nDBViB1+jNnwL/QDAtE0uxgNT/fi6O+e2/eeXggsPYPSQYwv+EeC 8h9lcJ5nzVKknrO2Ny4Ob3UsrmH3YQdj0iaCABb0EMC8tFV1M1taD4USLscUhucd hTl2WQEj/rgCtHzratkBXOlmumTUu+ra8P/1Aef0oO0=</ds:SignatureValue> 
<ds:KeyInfo><ds:KeyName>demo.com</ds:KeyName>
<ds:X509Data><ds:X509SubjectName>emailAddress=info@demo.com,CN=demo.com,OU=Development,O=demo,ST=Utrecht,C=NL</ds:X509SubjectName>
<ds:X509Certificate>MI ... mQ= </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject><saml:NameID SPProvidedID="lipse" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lipse</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
<saml:Conditions NotOnOrAfter="2011-03-29T09:54:40Z" NotBefore="2011-03-29T09:44:40Z">
<saml:AudienceRestriction><saml:Audience>http://blabla</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>

I tried the wsHttpBinding, wsFederationHttpBinding, ws2007FederationHttpBinding, even a customBinding. With or without WIF? I don't know anymore.

I'm currently struggling with this error:

SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 2,
Clause[0] = KeyNameIdentifierClause(KeyName = 'risdemo.delftdi.com'),
Clause[1] = X509RawDataKeyIdentifierClause(RawData = MI....mQ=)
)
`. Ensure that the SecurityTokenResolver is populated with the required key.

My Binding:

<wsHttpBinding>
    <binding name="_HTTP">
      <security mode="Message">
        <transport clientCredentialType="None" proxyCredentialType="None" />
        <message clientCredentialType="IssuedToken" negotiateServiceCredential="False"
          establishSecurityContext="False"/>
      </security>
    </binding>
</wsHttpBinding>

ServiceCredentials:

<serviceCredentials>
        <issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
          <allowedAudienceUris>
            <add allowedAud开发者_开发知识库ienceUri="http://blabla"/>
          </allowedAudienceUris>
        </issuedTokenAuthentication>
        <serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
          storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </serviceCredentials>

WIF:

<microsoft.identityModel>
<service>
  <audienceUris>
    <add value="http://blabla"/>
  </audienceUris>
  <securityTokenHandlers>
    <clear />
    <add type="ServiceHostConsole.myHandler, ServiceHostConsole"></add>
    <!-- <securityTokenHandlerConfiguration saveBootstrapTokens="false">
      <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/>
      <certificateValidation>
        <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"/>
      </certificateValidation>
      <issuerNameRegistry type="ServiceHostConsole.SimpleIssuerRegistery, ServiceHostConsole">
      </issuerNameRegistry>
      <tokenReplayDetection enabled="false"></tokenReplayDetection>
      <audienceUris mode="Always">
        <add value="http://blabla"/>
      </audienceUris>
    </securityTokenHandlerConfiguration>  -->   
  </securityTokenHandlers>
  <!-- <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> -->
  <certificateValidation certificateValidationMode="None" revocationMode="NoCheck">
    <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole" />
  </certificateValidation>
</service>

I'd really like to override the certification validation, like on this page: http://msdn.microsoft.com/en-us/library/ms733806.aspx. But I can't seem to get it working, none of the possible customvalidations is hitting the overridden Validate() function.

Is there anyone who can at least give me a direction, please?

Thanks in advance!

Regards,

Dirco

Out of the box WIF validations don't work? On the surface, it looks like WIF should do all these without any customizations/extensions. Check the WIF SDK samples or the Web Services samples here.