WS-Trust not authenticating with PHP

It's doing my head in.... What am I missing here... must be something with the timestamp, because when I play with those I get different errors...

I've got the following envelope (which is how the provider gave it to me to use), but it keeps giving me:

    <s:Body>
      <s:Fault>
        <s:Code>
          <s:Value>s:Sender</s:Value>
          <s:Subcode>
            <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
          </s:Subcode>
        </s:Code>
        <s:Reason>
          <s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text>
        </s:Reason>
      </s:Fault>
    </s:Body>

This is my code:

$c = $this->getTimestamp();
$e = $this->getTimestamp(300);


$envelope = '
       <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
            <a:MessageID>urn:uuid:4137dbed-db9f-40d9-ba9c-6fc82eb8aa46</a:MessageID>
            <a:ReplyTo>
                <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
            </a:ReplyTo>
            <a:To s:mustUnderstand="1">https://sts.service.net/adfs/services/trust/13/usernamemixed</a:To>
            <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <u:Timestamp u:Id="_0">
                    <u:Created>'.$c.'</u:Created>
                    <u:Expires>'.$e.'</u:Expires>
                </u:Timestamp>
                <o:UsernameToken u:Id="uuid-4137dbed-db9f-40d9-ba9c-6fc82eb8aa46">
                    <o:Username>'.$username.'</o:Username>
                    <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'.$password.'</o:Password>
                </o:UsernameToken>
            </o:Security>
        </s:Header>
        <s:Body>
            <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                        <wsa:Address>'.$appliesTo.'</wsa:Address>
                    </wsa:EndpointReference>
                </wsp:AppliesTo>
                <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
                <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
            </trust:RequestSecurityToken>
        </s:Body>
       </s:Envelope>
       ';


        $soap_do = curl_init();
        curl_setopt($soap_do, CURLOPT_URL,"https://sts.service.net/adfs/services/trust/13/usernamemixed");
        curl_setopt($soap_do, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($soap_do, CURLOPT_HEADER, 0);
        curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 20);
        curl_setopt($soap_do, CURLOPT_TIMEOUT,        20);
        // Keep TLS verification on: the UsernameToken carries the password as PasswordText.
        curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($soap_do, CURLOPT_POST,           true );            
        curl_setopt($soap_do, CURLOPT_POSTFIELDS,     $envelope); 
        curl_setopt($soap_do, CURLOPT_HTTPHEADER,     array('Content-Type: application/soap+xml; charset=utf-8'));

        $this->payload = curl_exec($soap_do);
renevdkooi asked Jul 01 '15 11:07



1 Answer

You are putting the current timestamp in both the Created element and the Expires element. That means that when the receiver receives the RST, the message will have expired and the receiver will be forced to reject it. Use e.g.:

gmdate("Y-m-d\TH:i:s\Z", time() + 300);

for the Expires element.

Also check for clock drift: the time on the client as well as the server should be synchronized.

Last but not least: by default ADFS 2.0 will try and encrypt the token in the response so it requires the configuration of an encryption certificate for the Relying Party. Make sure that you've configured one for the entity associated with appliesTo. The ADFS error logs should give you a hint about that error.

Hans Z. answered Oct 05 '22 00:10

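
The timestamp and clock-drift points from the answer above, as an added PHP example that is not part of the original post or of either participant's code: Created and Expires are derived from a single clock reading, values are XML-escaped before they go into the envelope, and the local clock is compared with the `Date` header of an HTTP response from the STS. The function names and all sample values are constructed for illustration.

```php
<?php
// Added example: helper names are hypothetical, sample values are constructed.

// WS-Security timestamps are UTC in xsd:dateTime form, e.g. 2015-07-01T11:07:00Z.
function wsu_time(int $epoch): string
{
    return gmdate('Y-m-d\TH:i:s\Z', $epoch);
}

// Created and Expires come from ONE clock reading, so Expires is always later.
function build_timestamp(int $now, int $lifetime = 300): string
{
    if ($lifetime <= 0) {
        throw new InvalidArgumentException('lifetime must be positive');
    }
    return '<u:Timestamp u:Id="_0"><u:Created>' . wsu_time($now) . '</u:Created>'
         . '<u:Expires>' . wsu_time($now + $lifetime) . '</u:Expires></u:Timestamp>';
}

// Escape a value before placing it inside an XML element such as <o:Password>.
function xml_text(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Local clock minus server clock, taken from an HTTP Date response header.
function clock_skew(string $httpDate, int $localNow): int
{
    $server = strtotime($httpDate);
    if ($server === false) {
        throw new InvalidArgumentException("unparseable Date header: $httpDate");
    }
    return $localNow - $server;
}

// Constructed sample: the server says 11:07:00 UTC, the local clock is 7 minutes behind.
$serverDate = 'Wed, 01 Jul 2015 11:07:00 GMT';
$localNow   = gmmktime(11, 0, 0, 7, 1, 2015);
$lifetime   = 300;

echo build_timestamp($localNow, $lifetime), PHP_EOL;
echo xml_text('p@ss<&>"word'), PHP_EOL;

$skew = clock_skew($serverDate, $localNow);
if ($skew <= -$lifetime) {
    echo "local clock is ", -$skew, "s behind: Expires is already past on arrival", PHP_EOL;
} elseif ($skew > 0) {
    echo "local clock is {$skew}s ahead: Created lies in the server's future", PHP_EOL;
}
```

In a real client, `$localNow` would be `time()` and `$serverDate` the `Date` header read from a response of the STS endpoint.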