The Hogg Blog

Envisaging the Future by Reflecting on the Past

SAML STS for WSE 3.0 (reposted)

Every week or so I get another email asking where the sample code for the SAML STS for WSE 3.0 has been moved to now that GotDotNet GotNuked. It wasn't moved anywhere. So I figured I would repost it here for those that need it. For those new to this, you should also take a look at Pablo Cibraro's blog (Pablo was one of the developers on this sample), as he extended it to support credential caching and more.

A few caveats that people should be aware of when looking at this sample code:

  • For obvious reasons, where at all possible you should seek a WCF-based solution first. There still appear to be a few people that cannot use WCF yet, which is why I am reposting this.
  • We did do interop testing between an RC version of WCF and this STS, but this was released before WCF went gold, so if interop is important to you then you should test that.
  • The code within this requires extensive knowledge of .NET security APIs. Do not consider deploying this if you do not understand the entire solution.
  • As with all things security related you should ensure you put together an appropriate security threat model and as part of your solution design...
  • And of course batteries are not included!

Most common issues encountered:

  • Configuring the access rights to the certificates is probably the number one issue people run into. If you need help managing certs / permissions, download this awesome tool.
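One way to do the private-key permission fix by hand, as an added example (PowerShell; not part of the original sample or of the tool linked above). It assumes the certificate sits in the LocalMachine\My store with a CryptoAPI RSA key, as WSE 3.0 expects, and that $Account is the identity the service actually runs under.

```powershell
# Added example: locate the file backing a machine-store certificate's private
# key and grant one account Read access to it, then show the resulting ACL.
# Assumptions: LocalMachine\My store, CryptoAPI (CSP) RSA key, and $Account is
# your ASP.NET / application pool identity (placeholder below; adjust to your host).
param(
    [string]$Subject = 'CN=WSE2QuickStartServer',    # subject name used by the sample
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE' # assumption: replace with your service account
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $cert = $store.Certificates | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
} finally {
    $store.Close()
}
if (-not $cert) { throw "Certificate '$Subject' not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$Subject' has no private key; import the PFX, not just the .cer" }

# For CryptoAPI keys the container name maps directly to a file under MachineKeys.
$rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $rsa) { throw "Private key is not a CryptoAPI RSA key; this script only handles CSP keys" }
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                     $rsa.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Grant Read only: the service signs and decrypts with the key, it never needs to modify it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Check: list every principal that can now touch the key so over-broad grants stand out.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated prompt; reading the CSP key container of a machine-store certificate otherwise fails with a "keyset does not exist" style CryptographicException, which is the same symptom the 401/500 responses in the comments below tend to come from.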

Attachment: SAML_STS_for_WSE3_Jan06.zip
  • PingBack from http://msdnrss.thecoderblogs.com/2007/11/21/saml-sts-for-wse-30-reposted/

  • Since the Gotdot.net site disappears along with the code of this implementation, my friend Jason Hogg

  • I keep getting the following error when running this sample...  I followed the installation directions twice on 2 different machines and can't get the sample to work...

    Any ideas?

    txtResponse.Text "Microsoft.Web.Services3.AsynchronousOperationException: WSE101: An asynchronous operation raised an exception. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n\r\nServer stack trace: \r\n   at System.Net.HttpWebRequest.GetResponse()\r\n   at Microsoft.Web.Services3.Messaging.SoapHttpTransport.Send(SoapEnvelope message, EndpointReference destination, SoapHttpChannelOptions options)\r\n   at Microsoft.Web.Services3.Messaging.SoapHttpOutputChannel.Send(SoapEnvelope message)\r\n   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)\r\n   at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)\r\n   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)\r\n\r\nException rethrown at [0]: \r\n   at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)\r\n   at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)\r\n   at Microsoft.Web.Services3.Messaging.SoapOutputChannel.SendDelegate.EndInvoke(IAsyncResult result)\r\n   at Microsoft.Web.Services3.Messaging.SoapOutputChannel.EndSend(IAsyncResult result)\r\n   at Microsoft.Web.Services3.Messaging.SoapSender.EndSend(IAsyncResult result)\r\n   at Microsoft.Web.Services3.Messaging.SoapClient.SoapClientAsyncResult.OnSendComplete(IAsyncResult result)\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.Web.Services3.AsyncResult.End(IAsyncResult result)\r\n   at Microsoft.Web.Services3.Messaging.SoapClient.SendRequestResponse(String methodname, SoapEnvelope envelope)\r\n   at 
Microsoft.Web.Services3.Security.SecurityTokenServiceClient.RequestSecurityToken(SecurityTokenMessage request, String methodName)\r\n   at Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion.SamlTokenServiceClient.RequestSamlToken(AppliesTo appliesTo, Entropy entropy) in C:\\Projects\\ZDW Next Gen POC\\SAML_STS_for_WSE3_Jan06\\WseSaml\\SamlTokenServiceClient.cs:line 115\r\n   at Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion.SamlTokenServiceClient.IssueSamlToken(AppliesTo appliesTo, Entropy entropy) in C:\\Projects\\ZDW Next Gen POC\\SAML_STS_for_WSE3_Jan06\\WseSaml\\SamlTokenServiceClient.cs:line 100\r\n   at Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion.ExplicitClient.MainForm.GetSamlToken() in C:\\Projects\\ZDW Next Gen POC\\SAML_STS_for_WSE3_Jan06\\ExplicitClient\\MainForm.cs:line 76\r\n   at Microsoft.Practices.WSSP.WSE3.QuickStart.SamlAssertion.ExplicitClient.MainForm.btnConsume_Click(Object sender, EventArgs e) in C:\\Projects\\ZDW Next Gen POC\\SAML_STS_for_WSE3_Jan06\\ExplicitClient\\MainForm.cs:line 38" string

  • Almost all errors that people received are due to security permissions on the private keys associated with certificates. See if the aforementioned certificate tool can help you ensure you have granted appropriate access rights.

  • Unfortunately I got the same error as Andrew Krowczyk.

    WSE101: An asynchronous operation raised an exception.

    The internal message is:

    {"The remote server returned an error: (500) Internal Server Error."}

    I can not find any solution. The private keys got ASP.NET rights.

    CAN YOU HELP ME PLEASE?!?!?!

  • The other area that was tricky was ensuring your configuration policies were symmetric, i.e. your client was configured as your service required. Double check those and your permissions...

  • Get here finally, and get the sample...thanks very much..

  • Do you happen to know of any SAML implementations that work with ASP.Net 1.1?

  • In the Known Issues section of the STS Quick Start Design PDF document, there is mention of a memory leak that may lead to an Out of Memory exception when secure conversation is enabled.  Has a fix been created by anyone for this?

    Thank you.

  • Sample gives me an error: cannot find certificate "CN=WSE2QuickStartServer".

  • I wanted to modify the namespace of saml to be "urn:oasis:names:tc:SAML:2.0:assertion".  However, when I change the namespace in all of the config files, I receive a CryptographicException WSE502 error.  The details of the error are below.  Why do I receive this error when I change the namespace?

    System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.Security.Cryptography.CryptographicException:  WSE502:  The target element referenced by the following id can not be found in the message:  SecurityToken-d81xx...  Make sure that the element is present at the time when the signing or encryption operation is performed.

    Thank you.

  • It has been a long time since I looked at SAML in detail, and one thing that pops to mind is that the schemas for the assertions may have changed between version 1.1 or 1.2 (can't remember what we implemented) and 2.9. I believe there were significant changes between the versions. Is the error that you are encountering occurring when the receiver (I assume a SAML 2.0 platform) is processing the message or in generating the message?

  • Hi, please help me

    ItemLookup il = new ItemLookup();

    when I call the ItemLookup method it gives exception WSE101: An asynchronous operation raised an exception

    Please reply

    Thanks in advance

  • Hi,

    great tool, but ... :)

    I'm getting a 500 internal error when trying to access the web service from another computer. Scenario: a server is running the web services, a client runs the 'Explicit' tool and receives a 500 when trying to obtain a token. I cannot debug the dll even if I attach the debugger to the process, so I don't know what the prob is. Has anyone experience with this?

    thanks
