Thanks for your responses.
>I don't know what you need to sign. As Scott noted earlier, this isn't
>a WS-* support list. You need to consult the specs for the profile(s)
>that you are implementing, or interop guides for the recipient software,
>or another list where people discuss these sorts of specification and
>conceptual issues. Once you know *what* you need to do, we can help you
>with questions about *how* to do that with OpenSAML.
I am trying to use the X.509 Token Profile 1.1 (http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf) of the ws 1.3 specification to authenticate the client. My ADFS has a corresponding endpoint, which is https://strts01.ams.dev/adfs/services/trust/13/certificate. Do you have a test case similar to this to look at?
Thanks.
Gina
------------------------------
Message: 8
Date: Tue, 27 Mar 2012 17:39:08 -0400
From: Brent Putman <put...@georgetown.edu>
Subject: Re: Including BinarySecurityToken in the SOAP header
To: d...@shibboleth.net
Message-ID: <4F72337C...@georgetown.edu>
Content-Type: text/plain; charset=ISO-8859-1
On 3/26/12 6:47 PM, Gina Choi wrote:
> Hi,
>
> I am planning to add a BinarySecurityToken in the SOAP header like
> below (http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf,
> lines 1630-1669). Do I need to sign the RequestSecurityToken or sign the SOAP Body
> with the certificate referenced in the BinarySecurityToken?
I don't know what you need to sign. As Scott noted earlier, this isn't
a WS-* support list. You need to consult the specs for the profile(s)
that you are implementing, or interop guides for the recipient software,
or another list where people discuss these sorts of specification and
conceptual issues. Once you know *what* you need to do, we can help you
with questions about *how* to do that with OpenSAML.
> What is the Base64-encoded value specified inside
> BinarySecurityToken (MIIEZzCCA9CgAwIBAgIQEmtJZc0...) about?
IIRC, that element can carry just about any kind of token, as declared
by its ValueType. In the example below, it looks like it illustrates an
encoded X.509 certificate. The key/token types that are valid for
signing will be determined by the profile/specification that you're
implementing, or at least implicitly by what the receiver software
expects/supports.
>
> <S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:wst="...">
>   <S11:Header>
>     ...
>     <wsse:Security>
>       <wsse:BinarySecurityToken wsu:Id="reqToken" ValueType="...X509v3">
>         MIIEZzCCA9CgAwIBAgIQEmtJZc0...
>       </wsse:BinarySecurityToken>
>       <ds:Signature xmlns:ds="..."> ...
>         <ds:KeyInfo>
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#reqToken"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>
> Thanks.
>
> Gina
> --
> To unsubscribe from this list send an email to dev-uns...@shibboleth.net
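Brent's answer above says two things that can be checked mechanically before any cryptography happens: the BinarySecurityToken carries whatever its ValueType declares (here an X.509v3 certificate, Base64-encoded DER), and the ds:Signature merely points at that token through a SecurityTokenReference/Reference whose URI is a local wsu:Id. The script below is an added example written for this page; it is not code from the thread, from OpenSAML or from ADFS. It resolves the reference, checks ValueType/EncodingType, decodes the token and confirms the bytes are a single DER SEQUENCE (the outer shape of a certificate). It assumes the standard WSS 1.0 and XML-DSig namespace URIs in place of the "..." in the quoted envelope; the token bytes and the SignatureValue are constructed filler, not a real certificate or signature, and no XML-DSig verification is performed.

```python
import base64
import xml.etree.ElementTree as ET

# Standard WSS 1.0 / XML-DSig namespace URIs (the envelope quoted in the thread elides them as "...").
NS = {
    "S11": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# ValueType / EncodingType URIs from the X.509 Token Profile and WSS SOAP Message Security.
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Constructed stand-in for the certificate bytes: a DER SEQUENCE holding one INTEGER (5).
# It is NOT a real certificate; a real BST carries the whole DER-encoded X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

# Constructed envelope shaped like the one quoted in the thread; the SignatureValue is filler.
SAMPLE_ENVELOPE = """<S11:Envelope xmlns:S11="%(S11)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <S11:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id="reqToken" ValueType="%(x509)s"
          EncodingType="%(b64)s">
        %(token)s
      </wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo/>
        <ds:SignatureValue>ZmlsbGVy</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#reqToken" ValueType="%(x509)s"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S11:Header>
  <S11:Body/>
</S11:Envelope>""" % dict(NS, x509=X509V3, b64=BASE64_BINARY,
                          token=base64.b64encode(SAMPLE_DER).decode())


def der_tlv(data: bytes):
    """Split one DER tag-length-value; return (tag, content, trailing bytes)."""
    if len(data) < 2:
        raise ValueError("DER too short")
    tag, first = data[0], data[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    end = offset + length
    if end > len(data):
        raise ValueError("DER length exceeds available data")
    return tag, data[offset:end], data[end:]


def resolve_signing_token(envelope_xml: str) -> dict:
    """Follow ds:KeyInfo -> SecurityTokenReference -> BinarySecurityToken and decode the token.

    The returned certificate bytes are still UNTRUSTED: any sender can embed any certificate,
    so the receiver must chain it to a trust anchor and verify the signature with it afterwards.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("S11:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")
    ref = security.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None:
        raise ValueError("signature has no SecurityTokenReference/Reference")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only local (#wsu:Id) references are handled here")
    token_id = uri[1:]
    id_attr = "{%s}Id" % NS["wsu"]
    tokens = [t for t in security.findall("wsse:BinarySecurityToken", NS) if t.get(id_attr) == token_id]
    if len(tokens) != 1:                   # zero -> dangling reference; >1 -> ambiguous Id
        raise ValueError("expected one BinarySecurityToken with wsu:Id=%r, found %d" % (token_id, len(tokens)))
    bst = tokens[0]
    if bst.get("ValueType") != X509V3:
        raise ValueError("unexpected ValueType %r" % bst.get("ValueType"))
    if bst.get("EncodingType", BASE64_BINARY) != BASE64_BINARY:
        raise ValueError("unexpected EncodingType %r" % bst.get("EncodingType"))
    # Strip the whitespace XML pretty-printing adds, then decode strictly.
    der = base64.b64decode("".join((bst.text or "").split()), validate=True)
    tag, _content, rest = der_tlv(der)
    if tag != 0x30 or rest:
        raise ValueError("token is not a single DER SEQUENCE")
    return {"id": token_id, "value_type": X509V3, "der": der}


def rejects(envelope_xml: str) -> bool:
    """True if resolve_signing_token refuses the envelope (exercises the failure paths)."""
    try:
        resolve_signing_token(envelope_xml)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_signing_token(SAMPLE_ENVELOPE))
```

Everything this script proves is structural: the signature names a token, the token is of the declared type and decodes cleanly. Which elements must be signed, and whether the embedded certificate is acceptable, come from the profile and from the receiving STS's trust configuration, which is exactly the part Brent says the token profile does not settle.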
End of dev Digest, Vol 9, Issue 25
On 3/28/12 9:22 PM, Gina Choi wrote:
>
>
> I am trying to use the X.509 Token Profile 1.1
> (http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf)
> of the ws 1.3 specification to authenticate the client.
That's fine, but that token profile is just specifying how to represent
the X.509 cert as a token in the Security header. It doesn't really say
anything about how the signature is being done, over what elements, etc.,
which is what you really need to know.
> My ADFS has a corresponding endpoint, which is
> https://strts01.ams.dev/adfs/services/trust/13/certificate. Do you have a
> test case similar to this to look at? At the moment, I am interested in
> Reference to a Binary Security Token (lines 318-363 in the profile).
No, we don't have much in the way of WS-* code examples at all. Most of
our code there was contributed by others. Our team has never really
implemented much using the WS-* schemas.
What you really need to ask somewhere is: what does the ADFS STS expect
or support in the way of WS-Security and WS-Trust usage?