In a WCF Client How Can I add SAML 2.0 assertion to SOAP Header?

[亡魂溺海] submitted on 2019-12-21 21:24:08

Question


I'm trying to add the SAML 2.0 assertion node from the SOAP header example below. I came across the SamlAssertion type in the .NET Framework, but that looks like it is only for SAML 1.1.

<S:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing">https://rs1.greenwaymedical.com:8181/CONNECTGateway/EntityService/NhincProxyXDRRequestSecured</To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">tns:ProvideAndRegisterDocumentSet-bRequest_Request</Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:662ee047-3437-4781-a8d2-ee91bc940ef0</MessageID>
    <wsse:Security S:mustUnderstand="1">
        <wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                       xmlns:ns16="http://www.w3.org/2003/05/soap-envelope"
                       wsu:Id="_1">
            <wsu:Created>2010-05-26T03:51:57Z</wsu:Created>
            <wsu:Expires>2010-05-26T03:56:57Z</wsu:Expires>
        </wsu:Timestamp>
        <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                         xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
                         xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                         xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         ID="bd1ecf8d-a6d8-488d-9183-a11227c6a219"
                         IssueInstant="2010-05-26T03:51:57.959Z"
                         Version="2.0">
            <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
            <saml2:Subject>
                <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb</saml2:NameID>
                <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                    <saml2:SubjectConfirmationData>
                        <ds:KeyInfo>
                            <ds:KeyValue>
                                <ds:RSAKeyValue>
                                    <ds:Modulus>p4jUkEUg..gwO7U=</ds:Modulus>
                                    <ds:Exponent>AQAB</ds:Exponent>
                                </ds:RSAKeyValue>
                            </ds:KeyValue>
                        </ds:KeyInfo>
                    </saml2:SubjectConfirmationData>
                </saml2:SubjectConfirmation>
            </saml2:Subject>
            <saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z"
                                  SessionIndex="987">
                <saml2:SubjectLocality Address="158.147.185.168"
                                       DNSName="cs.myharris.net"/>
                <saml2:AuthnContext>
                    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
                </saml2:AuthnContext>
            </saml2:AuthnStatement>
            <saml2:AttributeStatement>
                <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
                    <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
                                          xmlns:ns7="http://www.w3.org/2001/XMLSchema"
                                          ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>
                </saml2:Attribute>
                <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
                    <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
                                          xmlns:ns7="http://www.w3.org/2001/XMLSchema"
                                          ns6:type="ns7:string">InternalTest2</saml2:AttributeValue>
                </saml2:Attribute>
                <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
                    <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
                                          xmlns:ns7="http://www.w3.org/2001/XMLSchema"
                                          ns6:type="ns7:string">2.2</saml2:AttributeValue>
                </saml2:Attribute>
                <saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
                    <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
                                          xmlns:ns7="http://www.w3.org/2001/XMLSchema"
                                          ns6:type="ns7:string">2.16.840.1.113883.3.441</saml2:AttributeValue>
                </saml2:Attribute>
                <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
                    <saml2:AttributeValue>
                        <hl7:Role xmlns:hl7="urn:hl7-org:v3"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  code="307969004"
                                  codeSystem="2.16.840.1.113883.6.96"
                                  codeSystemName="SNOMED_CT"
                                  displayName="Public Health"
                                  xsi:type="hl7:CE"/>
                    </saml2:AttributeValue>
                </saml2:Attribute>
                <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
                    <saml2:AttributeValue>
                        <hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3"
                                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                           code="PUBLICHEALTH"
                                           codeSystem="2.16.840.1.113883.3.18.7.1"
                                           codeSystemName="nhin-purpose"
                                           displayName="Use or disclosure of Psychotherapy Notes"
                                           xsi:type="hl7:CE"/>
                    </saml2:AttributeValue>
                </saml2:Attribute>
                <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
                    <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
                                          xmlns:ns7="http://www.w3.org/2001/XMLSchema"
                                          ns6:type="ns7:string">500000000^^^&amp;1.1&amp;ISO</saml2:AttributeValue>
                </saml2:Attribute>
            </saml2:AttributeStatement>
            <saml2:AuthzDecisionStatement Decision="Permit"
                                          Resource="https://158.147.185.168:8181/SamlReceiveService/SamlProcessWS">
                <saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
                <saml2:Evidence>
                    <saml2:Assertion ID="40df7c0a-ff3e-4b26-baeb-f2910f6d05a9"
                                     IssueInstant="2009-04-16T13:10:39.093Z"
                                     Version="2.0">
                        <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
                        <saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z"
                                          NotOnOrAfter="2009-12-31T12:00:00.000Z"/>
                        <saml2:AttributeStatement>
                            <saml2:Attribute Name="AccessConsentPolicy"
                                             NameFormat="http://www.hhs.gov/healthit/nhin">
                                <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
                                                      xmlns:ns7="http://www.w3.org/2001/XMLSchema"
                                                      ns6:type="ns7:string">Claim-Ref-1234</saml2:AttributeValue>
                            </saml2:Attribute>
                            <saml2:Attribute Name="InstanceAccessConsentPolicy"
                                             NameFormat="http://www.hhs.gov/healthit/nhin">
                                <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance"
                                                      xmlns:ns7="http://www.w3.org/2001/XMLSchema"
                                                      ns6:type="ns7:string">Claim-Instance-1</saml2:AttributeValue>
                            </saml2:Attribute>
                        </saml2:AttributeStatement>
                    </saml2:Assertion>
                </saml2:Evidence>
            </saml2:AuthzDecisionStatement>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#bd1ecf8d-a6d8-488d-9183-a11227c6a219">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>ONbZqPUyFVPMx4v9vvpJGNB4cao=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>Dm/aW5bB..pF93s=</ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:KeyValue>
                        <ds:RSAKeyValue>
                            <ds:Modulus>p4jUkEU..bzqgwO7U=</ds:Modulus>
                            <ds:Exponent>AQAB</ds:Exponent>
                        </ds:RSAKeyValue>
                    </ds:KeyValue>
                </ds:KeyInfo>
            </ds:Signature>
        </saml2:Assertion>
        <ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                      xmlns:ns16="http://www.w3.org/2003/05/soap-envelope"
                      Id="_2">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <exc14n:InclusiveNamespaces PrefixList="wsse S"/>
                </ds:CanonicalizationMethod>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_1">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>
                        <Include xmlns="http://www.w3.org/2004/08/xop/include"
                                 href="cid:67585ea9-1bec-46d3-a49f-95c8d0334ead@example.jaxws.sun.com"/>
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
                <Include xmlns="http://www.w3.org/2004/08/xop/include"
                         href="cid:cc7fbcca-b325-4265-a10e-76982b2c7bf7@example.jaxws.sun.com"/>
            </ds:SignatureValue>
            <ds:KeyInfo>
                <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">bd1ecf8d-a6d8-488d-9183-a11227c6a219</wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
    </wsse:Security>
</S:Header>

I've been researching for days and cannot seem to come up with a straightforward way of doing this in WCF. The web service is running on GlassFish and is SOAP 1.1. I've tried using all the packaged WCF bindings but have not been able to get them to work. I started down the path of using a MessageInspector and wrote one, but then realized there must be a better way; surely WCF provides some way to insert SAML 2.0 assertions. I've made the most progress writing a custom binding: I've been able to get the Timestamp and Signature nodes into the SOAP header, but cannot for the life of me figure out the SAML assertion. Any ideas?

using System.ServiceModel.Channels;
using System.Text;

public static Binding BuildCONNECTCustomBinding()
{
    // Client certificate signs the wsu:Timestamp (message-level); TLS protects the transport.
    TransportSecurityBindingElement transportSecurityBindingElement =
        SecurityBindingElement.CreateCertificateOverTransportBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

    // The GlassFish service speaks SOAP 1.1 with WS-Addressing 1.0.
    TextMessageEncodingBindingElement textMessageEncodingBindingElement =
        new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
    HttpsTransportBindingElement httpsTransportBindingElement = new HttpsTransportBindingElement();

    // Order matters: security, then encoding, then transport.
    BindingElementCollection bindingElementCollection = new BindingElementCollection();
    bindingElementCollection.Add(transportSecurityBindingElement);
    bindingElementCollection.Add(textMessageEncodingBindingElement);
    bindingElementCollection.Add(httpsTransportBindingElement);

    // CreateBindingElements() only returns a copy; calling it and discarding the result does nothing.
    return new CustomBinding(bindingElementCollection);
}

Answer 1:


Although I'm not at the full solution yet, I believe I have found the right path to take. I need to create a custom security token by following this Microsoft documentation. I'm starting a list of links below that I have found helpful, in the hope that they provide guidance to others facing the same challenge.

Reference Links:

  • .NET SAML 2.0 implementation.
  • How to use SAML 2.0 Assertions with WS2007HttpBinding (i.e. without relying on a Security Token Service to provide tokens)?
  • WCF Authentication with custom ClientCredentials: What is the clientCredentialType to use?
  • Need advise on how to sign request's soap body using WCF


Answer 2:


Check WIF (Windows Identity Foundation). It supports SAML 2.0 tokens and it should be able to integrate with WCF.
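The following is an added example of my own, not code from the question, from either answer, or from the CONNECT project. It ties the two answers together: a self-issued, holder-of-key SAML 2.0 token built with the WIF classes that ship in .NET Framework 4.5 (System.IdentityModel), handed to a WCF ChannelFactory whose CustomBinding keeps the SOAP 1.1 / WS-Addressing 1.0 / HTTPS shape of the binding in the question. Everything marked ASSUMED is a placeholder: the endpoint URL, the generated contract type, and the attribute values are not taken from the page, and the sample header's remaining XSPA/HL7 attributes are left out for brevity.

```csharp
// Added example, not code from the original post or from CONNECT/WCF itself.
// Requires .NET Framework 4.5 (System.IdentityModel + System.ServiceModel
// with the WIF integration). Placeholders marked ASSUMED are not from the page.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;
using System.Text;

public static class SamlHolderOfKeyClient
{
    // Token type the sample header advertises in wsse11:TokenType.
    const string Saml2TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    static readonly Uri X509SubjectName =
        new Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName");

    // Builds an assertion shaped like the one in the question: issuer and subject in
    // X509SubjectName format, holder-of-key confirmation carrying the client's RSA
    // public key, one X509 authentication statement, two of the NHIN attributes, and
    // an enveloped ds:Signature made with the same certificate.
    public static Saml2SecurityToken BuildHolderOfKeyToken(
        X509Certificate2 cert, string subjectUid, string subjectName, string homeCommunityId)
    {
        var assertion = new Saml2Assertion(new Saml2NameIdentifier(cert.Subject, X509SubjectName));

        var hok = new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.HolderOfKey)
        {
            SubjectConfirmationData = new Saml2SubjectConfirmationData()
        };
        // Serialised as ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue, as in the sample header.
        hok.SubjectConfirmationData.KeyIdentifiers.Add(
            new SecurityKeyIdentifier(new RsaKeyIdentifierClause((RSA)cert.PublicKey.Key)));

        assertion.Subject = new Saml2Subject(new Saml2NameIdentifier(subjectUid, X509SubjectName));
        assertion.Subject.SubjectConfirmations.Add(hok);

        assertion.Statements.Add(new Saml2AuthenticationStatement(
            new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:X509")),
            DateTime.UtcNow));

        var attrs = new Saml2AttributeStatement();
        attrs.Attributes.Add(new Saml2Attribute("urn:oasis:names:tc:xspa:1.0:subject:subject-id", subjectName));
        attrs.Attributes.Add(new Saml2Attribute("urn:nhin:names:saml:homeCommunityId", homeCommunityId));
        assertion.Statements.Add(attrs);

        // Enveloped signature over the assertion. The sample used rsa-sha1; prefer
        // SHA-256 and only drop to SHA-1 if the gateway rejects anything else.
        assertion.SigningCredentials = new X509SigningCredentials(
            cert, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);

        // Attach the private key so WCF can produce the second (endorsing) signature over
        // the wsu:Timestamp, whose KeyInfo references the assertion by its SAML ID.
        var proofKeys = new ReadOnlyCollection<SecurityKey>(
            new SecurityKey[] { new X509AsymmetricSecurityKey(cert) });
        return new Saml2SecurityToken(assertion, proofKeys, new X509SecurityToken(cert));
    }

    // Same shape as the CustomBinding in the question, but the security element is
    // built for an issued (SAML) token instead of CreateCertificateOverTransportBindingElement.
    public static Binding BuildBinding()
    {
        var tokenParams = new IssuedSecurityTokenParameters(Saml2TokenType)
        {
            KeyType = SecurityKeyType.AsymmetricKey, // holder-of-key with the client's own key pair
            RequireDerivedKeys = false
        };
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(tokenParams);
        security.IncludeTimestamp = true; // the wsu:Timestamp (#_1) that the endorsing signature covers
        security.MessageSecurityVersion =
            MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;

        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8),
            new HttpsTransportBindingElement());
    }

    // Opens a channel that presents the locally built token; there is no STS round trip.
    // TChannel and endpointUrl are ASSUMED: substitute the generated contract and gateway address.
    public static TChannel CreateChannel<TChannel>(
        X509Certificate2 cert, string endpointUrl,
        string subjectUid, string subjectName, string homeCommunityId) where TChannel : class
    {
        var factory = new ChannelFactory<TChannel>(BuildBinding(), new EndpointAddress(endpointUrl));
        // Route token serialisation through WIF's Saml2SecurityTokenHandler; WCF's built-in
        // serializer knows SAML 1.1 (SamlSecurityToken) but not 2.0.
        factory.Credentials.UseIdentityConfiguration = true;
        SecurityToken token = BuildHolderOfKeyToken(cert, subjectUid, subjectName, homeCommunityId);
        return factory.CreateChannelWithIssuedToken(token);
    }
}
```

Two things to keep in mind when running this against a real gateway. First, because the assertion is self-issued, the receiver's trust rests entirely on the certificate that signed it and on checking that the key in SubjectConfirmationData is the same key that produced the endorsing signature over the Timestamp; if the receiver skips that comparison, holder-of-key degrades to a bearer token that anyone who captured the header can replay. Second, the sample header on the page uses rsa-sha1 and sha1 digests; that is what the 2010-era gateway accepted, but it should be treated as a compatibility fallback, not a default.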



Source: https://stackoverflow.com/questions/3003330/in-a-wcf-client-how-can-i-add-saml-2-0-assertion-to-soap-header
