I'm wondering if anyone has had success with WCF interop using issued
tokens (SAML tokens). 

 

I am trying to call an Axis2 service from a .NET client using ws-trust.
It seems to be close, but it fails. The central problem, as far as I can
tell, is that WCF uses the SAML token as the protection token, whereas all
the Rampart examples and samples use X.509 as the protection token and
put the issued tokens into supporting tokens.

 

I have attached a copy of the WCF policy, taken from a federation
binding endpoint. Any help in tracking this down would be appreciated.

 

Thanks

Greg Ennis

[email protected]

 

 

 

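<!--
  WCF federation-binding policy: a SymmetricBinding whose protection token is an
  issued SAML 1.1 token (WS-Trust, symmetric proof key), with a Rampart
  configuration block appended for the Axis2 service side.
  The stray ";" characters that followed every namespace URI in the posted copy
  made the document ill-formed; they are removed here.
  Review remarks are marked NOTE(review).
-->
<wsp:Policy wsu:Id="JanusPolicy"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <!-- The issued token, not an X.509 certificate, supplies the symmetric key
               that signs and encrypts each message. This is the point of divergence
               from the Rampart samples, which use X.509 as the protection token. -->
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                  <!-- NOTE(review): plain http on localhost is fine for a local test only.
                       The RST/RSTR exchange with this STS carries the client and server
                       entropy the proof key is derived from (see RequireClientEntropy /
                       RequireServerEntropy below), so outside development the STS endpoint
                       must itself be protected (https, or a message-secured STS binding). -->
                  <Address xmlns="http://www.w3.org/2005/08/addressing">http://localhost/Janus/Sts/SecurityTokenService.svc/sts</Address>
                </Issuer>
                <!-- Template the client sends to the STS: a SAML 1.1 assertion holding a symmetric proof key. -->
                <sp:RequestSecurityTokenTemplate>
                  <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
                  <t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
                </sp:RequestSecurityTokenTemplate>
                <wsp:Policy>
                  <!-- Per-message keys are derived from the proof key rather than using it directly. -->
                  <sp:RequireDerivedKeys/>
                  <!-- The token must be referenced by an internal (wsu:Id) reference. -->
                  <sp:RequireInternalReference/>
                </wsp:Policy>
              </sp:IssuedToken>
            </wsp:Policy>
          </sp:ProtectionToken>
          <!-- NOTE(review): Basic256 is AES-256 with RSA-OAEP key wrap and SHA-1 digests.
               If both the WCF client and the Rampart service support it, Basic256Sha256
               is the preferable suite; changing it must be done on both sides at once. -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <!-- Strict header layout: security header elements must appear in the order they are used. -->
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Replay and tamper protection: a signed timestamp, an encrypted signature, and
               signatures only over whole headers and the body (no partial-element signing). -->
          <sp:IncludeTimestamp/>
          <sp:EncryptSignature/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <!-- WS-Security 1.1 reference types the recipient must accept. -->
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
      <!-- WS-Trust 1.0 (Feb 2005 namespace). Both entropy assertions together mean the
           proof key is computed from client AND server entropy, so neither party alone
           chooses the key. -->
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust10>
      <!-- NOTE(review): this is the WCF .NET binary message-encoding assertion, not a
           security assertion. Verify the Axis2 endpoint actually speaks it; the Rampart
           samples use text SOAP encoding, so the client binding may need a text encoder. -->
      <msb:BinaryEncoding xmlns:msb="http://schemas.microsoft.com/ws/06/2004/mspolicy/netbinary1"/>
      <wsaw:UsingAddressing/>

      <!-- Rampart-specific configuration for the Axis2 service side. -->
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <!-- NOTE(review): these keystore aliases come from the Rampart sample05 setup.
             Confirm which of them is actually exercised under an issued-token protection
             binding rather than carrying them over unchanged from the X.509 sample. -->
        <ramp:user>service</ramp:user>
        <ramp:encryptionUser>client</ramp:encryptionUser>
        <!-- NOTE(review): this is the Rampart sample callback class. Replace it with a
             deployment-specific handler before this goes beyond a test setup. -->
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample05.PWCBHandler</ramp:passwordCallbackClass>

        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <!-- Relative path; resolved by Merlin against the classpath / working directory of the service. -->
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
            <!-- NOTE(review): keystore password in cleartext inside the policy, and it is the
                 well-known Rampart sample password. Do not ship the sample keystore or its
                 password; generate a deployment keystore and keep its password in an
                 access-controlled configuration outside the policy file and the deployable. -->
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
      </ramp:RampartConfig>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>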
