WCF, Rampart, ADFS2 and SAML Interop issue
- by user317647
Hi,
I'm working on establishing interoperability between .NET WCF 3.5 and Axis2/Rampart using ADFS2 as the STS and using SAML authentication.
Initially I used Axis 1.4.1/Rampart 1.4, but in an attempt to rule out issues relating to WS-* standards compatibility I have also created a duplicate environment running Axis 1.5.1/Rampart 1.5. Both environments use Eclipse 3.5.1 (Galileo)/Tomcat 5.5 for the Java service side.
My objective is:
WCF-ADFS2-SAML token-Axis2/Rampart
Using Kerberos authentication to obtain a SAML token from ADFS2 and propagating this to Rampart.
Much progress has been made so far, but the error I'm now getting on Rampart is as follows (on both versions, 1.4 and 1.5):
[ERROR] General security error (SAML token security failure)
org.apache.axis2.AxisFault: General security error (SAML token security failure)
Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:169)
at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:73)
at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:170)
at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:74)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:144)
After building source versions for Rampart (just 1.4 so far) I've traced this problem to the following source code:
SAMLUtil.java (excerpt of getSAMLKeyInfo; the rest of the method is not shown here)
    // KeyInfo taken from the SAML Subject
    Element e = samlSubj.getKeyInfo();
    X509Certificate[] certs = null;
    try {
        KeyInfo ki = new KeyInfo(e, null);
        // only a direct ds:X509Data child is seen here
        if (ki.containsX509Data()) {
            X509Data data = ki.itemX509Data(0);
            XMLX509Certificate certElem = null;
            // and only an embedded ds:X509Certificate is used
            if (data != null && data.containsCertificate()) {
                certElem = data.itemCertificate(0);
            }
            if (certElem != null) {
                X509Certificate cert = certElem.getX509Certificate();
                certs = new X509Certificate[1];
                certs[0] = cert;
                return new SAMLKeyInfo(assertion, certs);
            }
        }
        // ... remainder of the method omitted in the post
The line ki.containsX509Data() above returns false and the call fails.
The value from Element e is as follows:
CN=Root Agency
-147027885241304943914470421251724308948
JMYzUkmrT13JoYj2pGN5o/vxpGq8bKFXI1m18iEFu+5rF0wA4MYURGIEWE9/zg1apgjElQHus5qb4ZRCzg7IHyENCGq7um2w1SXxPzstoMsZ7oZ83Uq08lDdNV51QGzCCOdCi+YizKT7AJ1B6gaplxMnFEJ8TlnzFBCavMxSCho=
The attempt to obtain the X509 data above is failing even though it appears in the message (as an IssuerSerial)?
All references I've seen so far indicate that this style of X509 reference is supported by Rampart and WSS4J (by default?!).
This key reference is the certificate that ADFS2 has used to encrypt the message.
Any help at all would be greatly appreciated!
Thanks, Jason
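Added example (not from the post, WSS4J or Rampart): a small Python check that mirrors the two tests in the SAMLUtil excerpt over a constructed ds:KeyInfo fragment. It assumes, as the post's "encrypt the message" remark suggests, that the issuer/serial reference sits inside an xenc:EncryptedKey rather than as a direct ds:X509Data child, which is enough for KeyInfo.containsX509Data() to report false even though the reference is present; the XML values are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

# Constructed sample (placeholder values): issuer/serial reference wrapped in an
# EncryptedKey inside the subject's ds:KeyInfo, i.e. no direct ds:X509Data child.
SAMPLE_KEYINFO = (
    '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
    ' xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:EncryptedKey><ds:KeyInfo><ds:X509Data><ds:X509IssuerSerial>'
    '<ds:X509IssuerName>CN=Root Agency</ds:X509IssuerName>'
    '<ds:X509SerialNumber>-147027885241304943914470421251724308948</ds:X509SerialNumber>'
    '</ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedKey></ds:KeyInfo>'
)


def classify_keyinfo(keyinfo):
    """Mirror the SAMLUtil checks for one ds:KeyInfo element.

    containsX509Data: a *direct* ds:X509Data child exists (what KeyInfo.containsX509Data()
    tests); containsCertificate: that X509Data embeds a ds:X509Certificate;
    issuerSerial: (issuer name, serial) of an X509IssuerSerial reference, if any;
    nested: the same report for each ds:KeyInfo found inside an xenc:EncryptedKey.
    """
    report = {"containsX509Data": False, "containsCertificate": False,
              "issuerSerial": None, "nested": []}
    for child in keyinfo:
        if child.tag == DS + "X509Data":
            report["containsX509Data"] = True
            report["containsCertificate"] = child.find(DS + "X509Certificate") is not None
            ser = child.find(DS + "X509IssuerSerial")
            if ser is not None:
                report["issuerSerial"] = (ser.findtext(DS + "X509IssuerName"),
                                          int(ser.findtext(DS + "X509SerialNumber")))
        elif child.tag == XENC + "EncryptedKey":
            for inner in child.findall(DS + "KeyInfo"):
                report["nested"].append(classify_keyinfo(inner))
    return report


def saml_util_would_succeed(report):
    """True only on the path the posted code takes: direct X509Data with a certificate."""
    return report["containsX509Data"] and report["containsCertificate"]


def probe(xml_text):
    return classify_keyinfo(ET.fromstring(xml_text))
```

Running probe(SAMPLE_KEYINFO) shows the outer KeyInfo with containsX509Data False and the issuer/serial only in the nested report, so the excerpt above never reaches the certificate branch; a token whose KeyInfo carries a direct ds:X509Data/ds:X509Certificate passes saml_util_would_succeed.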