How to create a .NET client for a wso2 Secure Token Service

I need to create a .NET client for a wso2 Secure Token Service.

Normally I would create a simple console or WinForm project, adding a Service Reference to it. The exposed WSDL would be turned into a set of classes that I can use to query the service and to properly manage its response.

Unfortunately, the generated request and response classes are empty: just the class declaration without any property or method. This is similar to the behaviour described in this other (unanswered) Stack Overflow question https://stackoverflow.com/q/22049080/2131913

I have found a sample request for the service in this forum post: http://cxf.547215.n5.nabble.com/Sample-STS-Client-tp4643980p4664175.html and I made it work with SOAP UI.

Is there a proper, and possibly automated, way to recreate the complex data structure needed to query the Secure Token Service?

EDIT

OK, after many tries I have reduced the SOAP request from the above forum post to the minimal structure needed to still get a RequestSecurityTokenResponse from the STS service.

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
      <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-6D35592DCDDA26FFF3141578725699577">
            <wsse:Username>USERNAME HERE</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD HERE</wsse:Password>
          </wsse:UsernameToken>
          <wsu:Timestamp wsu:Id="TS-6D35592DCDDA26FFF3141578725699576">
            <wsu:Created>2014-11-12T10:14:16.995Z</wsu:Created>
            <wsu:Expires>2014-11-12T10:16:16.995Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
        <wsa:Action soap:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
        <wsa:MessageID soap:mustUnderstand="1">uuid:6d4eab69-77f9-42b7-8d6b-1f710020fb0b</wsa:MessageID>
        <wsa:To soap:mustUnderstand="1">STS ENDPOINT ADDRESS HERE</wsa:To>
      </soap:Header>
      <soap:Body>
        <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
          <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
          <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
          <wst:Claims>
            <wsid:ClaimType Uri="http://wso2.org/claims/userid" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
          </wst:Claims>
        </wst:RequestSecurityToken>
      </soap:Body>
    </soap:Envelope>

I have obtained partial success by defining, in the app.config of my project, a single wsHttpBinding like the following:

    <wsHttpBinding>
      <binding name="SendUsername" messageEncoding="Text">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"/>
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </wsHttpBinding>

either with or without adding a customBinding like the following:

    <customBinding>
      <binding name="wso2carbon-stsSoap12Binding">
        <security defaultAlgorithmSuite="Default" authenticationMode="IssuedToken"
          requireDerivedKeys="true" securityHeaderLayout="Lax" includeTimestamp="true">
          <localClientSettings detectReplays="false" />
          <localServiceSettings detectReplays="false" />
          <issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
            <!-- the issuer address must be a quoted attribute value; the placeholder is kept as in the post -->
            <issuer address="STS ENDPOINT ADDRESS HERE" binding="wsHttpBinding" bindingConfiguration="SendUsername"/>
            <claimTypeRequirements>
              <add claimType="http://wso2.org/claims/userid"/>
            </claimTypeRequirements>
          </issuedTokenParameters>
        </security>
        <textMessageEncoding messageVersion="Soap12" />
        <httpsTransport />
      </binding>
    </customBinding>

In both cases, however, the request throws a timeout exception, and inspecting the issued request with WCF tracing I can see that it is missing the Claims element. Any hints?

sblandin asked Nov 10 '14 09:11
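The empty proxy classes are expected: the WS-Trust schema declares RequestSecurityToken as open content (xs:any), so Add Service Reference has nothing to generate members from, and the WCF federation binding builds the RST itself, which is why the traced request lacks the Claims element. The example below is added here and is not code from the question, the answer, or WSO2; it uses WCF's own typed WS-Trust client, WSTrustChannelFactory from System.IdentityModel (.NET 4.5 or later), to send the same elements as the trimmed-down request above: a UsernameToken inside a TLS channel, WS-Trust Feb 2005 namespaces, an Issue request, and an explicit Claims element with the http://wso2.org/claims/userid claim. The endpoint URL, credentials, class and method names are placeholders and assumptions; the SAML 2.0 token type URI is the one from the customBinding in the question.

```csharp
// Added example, not part of the original post: a WS-Trust client for the
// WSO2 STS built on WSTrustChannelFactory instead of a generated proxy.
// Requires references to System.ServiceModel and System.IdentityModel.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

class Wso2StsClient
{
    // Claims dialect of the wsid:ClaimType element in the sample request.
    const string IdentityDialect = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    // Token type taken from the issuedTokenParameters in the question.
    const string Saml2TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    static GenericXmlSecurityToken RequestToken(string stsUrl, string user, string password)
    {
        // Same shape as the "SendUsername" wsHttpBinding: the UsernameToken
        // (PasswordText) travels only inside the TLS channel.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // Send the RST directly instead of negotiating a secure conversation first.
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsUrl))
        {
            // Match the http://schemas.xmlsoap.org/ws/2005/02/trust namespace
            // used by the sample request.
            TrustVersion = TrustVersion.WSTrustFeb2005
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            TokenType = Saml2TokenType,
            KeyType = KeyTypes.Bearer
        };
        // The element the federation binding was leaving out: an explicit
        // wst:Claims with the WSO2 userid claim type.
        rst.Claims.Dialect = IdentityDialect;
        rst.Claims.Add(new RequestClaim("http://wso2.org/claims/userid"));

        var channel = (WSTrustChannel)factory.CreateChannel();
        try
        {
            RequestSecurityTokenResponse rstr;
            SecurityToken token = channel.Issue(rst, out rstr);
            // For SAML tokens WCF hands back the raw XML wrapped in a GenericXmlSecurityToken.
            return (GenericXmlSecurityToken)token;
        }
        finally
        {
            ((ICommunicationObject)channel).Close();
            factory.Close();
        }
    }

    static void Main()
    {
        // Placeholder endpoint and credentials, as in the sample request.
        GenericXmlSecurityToken token = RequestToken(
            "https://sts.example.invalid/STS-ENDPOINT-ADDRESS-HERE",
            "USERNAME HERE",
            "PASSWORD HERE");

        Console.WriteLine("Token valid from {0:u} to {1:u}", token.ValidFrom, token.ValidTo);
        Console.WriteLine(token.TokenXml.OuterXml);
    }
}
```

Two things worth checking against the configuration in the question: TransportWithMessageCredential sends the password as PasswordText exactly as the SOAP UI sample does, so the TLS endpoint and its certificate validation are the only protection for the credential; and the `detectReplays="false"` settings in the customBinding turn off WCF's replay cache for the timestamped messages, which is a relaxation to keep only while diagnosing the timeout, not in the final client.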



1 Answer

Please refer to this article:

Security Token Service with WSO2 Identity Server 2.0

For more insight on this, please refer to:

http://wso2.com/library/3190/

Configuring WSO2 Identity Server Passive STS with an ASP.NET Client

tk_ answered Sep 28 '22 08:09