Re: Third interop test between Metro and .NET

[Jiandong Guo]

Pablo Cibraro wrote:
Thanks Jiandong!!. The latest metro build solved the WS-Trust namespace issue. 
Now I am getting a signature validation error when .NET tries to validate the 
SAML token signature (The token included in the ActAs element). What I noticed 
is that Metro is sending some line break characters in the SignatureValue and 
X500Certificate elements (see below). Do you think that could be an issue ?. 
(WCF is not adding line breaks)
  
It should be fine. It allowed to add line break in every 76 characters 
in Base 64. We also have the line breaks for the Metro ActiveSTS issued 
Assertions.
It works with .Net service as you have tested.
Thanks!

Jiandong
<wst14:ActAs xmlns:wst14="http://docs.oasis-open.org/ws-sx/ws-trust/200802";>
                  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="scd54f637d0b74ed3f4b9dfe30446f4a93454cbd501" IssueInstant="2009-11-02T19:55:47Z" Issuer="Fedidp" 
MajorVersion="1" MinorVersion="1">
                    <saml:Conditions NotBefore="2009-11-02T19:45:47Z" 
NotOnOrAfter="2009-11-02T20:05:47Z">
                      <saml:AudienceRestrictionCondition>
                        <saml:Audience>Fedsp</saml:Audience>
                      </saml:AudienceRestrictionCondition>
                    </saml:Conditions>
                    <saml:AuthenticationStatement 
AuthenticationInstant="2009-11-02T19:55:47Z" 
AuthenticationMethod="urn:com:sun:identity:DataStore">
                      <saml:Subject>
                        <saml:NameIdentifier 
Format="http://schemas.xmlsoap.org/claims/UPN";>uid:0...@stonehenge.com</saml:NameIdentifier>
                      </saml:Subject>
                    </saml:AuthenticationStatement>
                    <ns9:Signature 
xmlns:ns9="http://www.w3.org/2000/09/xmldsig#";>
                      <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
                        <CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></CanonicalizationMethod>
                        <SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></SignatureMethod>
                        <Reference 
URI="#scd54f637d0b74ed3f4b9dfe30446f4a93454cbd501">
                          <Transforms>
                            <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";></Transform>
                            <Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></Transform>
                          </Transforms>
                          <DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></DigestMethod>
                          
<DigestValue>Gxbyd0OyoKbGbFEyV6fQaFKTi3M=</DigestValue>
                        </Reference>
                      </SignedInfo>
                      <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#";>  
EZYvSXFKntInKY4SS9ND6IdRozlNlxEZ3HFTr3pV8IYLg1NX+YoPufIx7etQW3dkf54pjaTLHNCy  
eXIJoftvwJIijpQK48Uypn5BEnmbQDnmlxdpS56R+5CAIz1vAJYuZ0jvsKVd1IKd3z6GmdjZ3LcK  nXsbq4OzXWKICpkL9+M=  
</SignatureValue>
                      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#";>
                        <X509Data>
                          <X509Certificate>  
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh  
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w  
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw  
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK  
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B  
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+  
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY  
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U  
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA  
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC  
/FfwWigmrW0Y0Q==  </X509Certificate>
                        </X509Data>
                      </KeyInfo>
                    </ns9:Signature>
                    
                  </saml:Assertion>
                </wst14:ActAs>

Thanks
Pablo.

-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com] 
Sent: Monday, November 02, 2009 4:04 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Third interop test between Metro and .NET

Pablo,

See inline ...

Pablo Cibraro wrote:
  
I finally could make some progress in the interop tests with the Active STS. I 
used the following configuration,


1.       Trader client application (Metro)

2.       Passive STS (Metro)

3.       Active STS (.NET)

4.       Business Service (Metro)

Unfortunately, I found a blocking issue that I think it is hard to fix (at 
least in WCF). The namespace used by metro for the ActAs element is different 
from the namespace used by WCF.

Metro,

<wst:ActAs xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";>

.NET (WCF)

<tr:ActAs xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802";>
  
    
There was some ambiguity for the namespace to be used with ActAs. The 
WS-Trust 1.4 spec and schema specified differently.
This issue has been clarified recently in the ws-sx TC. So that we have 
updated Metro to use "http://docs.oasis-open.org/ws-sx/ws-trust/200802";.

Can you try with latest Metro nightly?
 
https://metro.dev.java.net/servlets/ProjectDocumentList?expandFolder=7638&folderID=10314

It is more close to the one to be released.

I will get back to the other issues below shortly.


Thanks!

Jiandong



  
Besides that issue with the WS-Trust message, these are my findings for this 
scenario,


1.       The active STS in metro is using an username token for authenticating 
the client application (trader web client). .NET is using a client certificate 
for that purpose (BSL.Com), and I think it is the correct mechanism. I 
basically changed the .NET Active STS and trader client implementation to use 
username tokens.

2.       The wsit-client.xml for the trader client application in metro looks 
as follow,

               <tc:PreconfiguredSTS 
xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client";
                                     
endpoint=http://localhost:9001/tradeactivests (.NET)
                                     
wsdlLocation=http://apps.stonehenge.com:1316/active_sts/ActiveSTS?wsdl (WSDL in 
METRO)
                                     serviceName="SecurityTokenService"
                                     portName="ISecurityTokenService_Port"
                                     namespace="http://tempuri.org/"; 
shareToken="true">
                </tc:PreconfiguredSTS>

                I could not make it work against the .NET Active STS Wsdl. For 
some reasons, all the requests with that WSDL are not protected with 
WS-Security. I updated all the bindings and ports in the .NET to use 
ISecurityTokenService and http://tempuri.org as namespace, but that does not 
work.


3.       Metro was using derived keys and basic 128 as algorithm suite. WCF was 
throwing a weird parsing error exceptions for the derived keys (this option was 
enabled in the WCF bindings too), so I disable that feature in metro and .NET.

"Cannot read the token from the 'DerivedKeyToken' element with the 
'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512' namespace for 
BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, 
ensure that security is configured to consume tokens with the name, namespace and value 
type specified."

Regards,
Pablo.