I am working on integrating the A2A channel for the IRS through their WSDL using WCF. I'm able to get past any code-related errors sending the request but am currently receiving the following error back from the IRS:
<faultstring>The message was not formatted properly and/or cannot be interpreted. Please review the XML standards outlined in Section 3 of Publication 5258 (...), correct any issues, and try again.</faultstring>
<detail>
<errorcode>TPE1105</errorcode>
<uniqueTransmissionID/>
</detail>
I'm assuming based on the additional node of <uniqueTransmissionID/> in the response it has something to do with the UTID. I've looked over the format of the UTID and the Soap Envelope examples countless times and can't for the life of me figure out what may be out of place. I tried a small suggestion by fatherOfWine in a previous answer of moving the BusinessHeader up above the Manifest but it returns the same error.
I've added the full request with the SOAP Envelope; whitespace appears to be stripped during the request, but I've re-formatted it coming from Fiddler.
POST [AATS URL] HTTP/1.1
Content-Type: multipart/related; type="application/xop+xml";start="<rootpart>";start-info="text/xml";boundary="--023e657d-66f5-4e92-8e6e-c223338c205a"
SOAPAction: "BulkRequestTransmitter"
Host: la.www4.irs.gov
Content-Length: 15820
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
----023e657d-66f5-4e92-8e6e-c223338c205a
Content-Type: application/xop+xml; type="text/xml"; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-Id:<rootpart>
<soapenv:Envelope xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:urn="urn:us:gov:treasury:irs:ext:aca:air:ty18"
xmlns:urn1="urn:us:gov:treasury:irs:common"
xmlns:urn2="urn:us:gov:treasury:irs:msg:acabusinessheader"
xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader"
xmlns:urn4="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<Signature Id="SIG-E508633998DD41B6AE062D27D0AC9A48"
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#TS-BAC31544F1954B5F8C8441167B91A388">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse wsa oas1 soapenv urn urn1 urn2 urn3 urn4"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>[VALUE]</DigestValue>
</Reference>
<Reference URI="#id-870747663BAB4D6FB43FFAD2034013F1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsa oas1 soapenv urn1 urn2 urn3 urn4"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>[VALUE]</DigestValue>
</Reference>
<Reference URI="#id-1A336736A6134B16831D45A0C8785D10">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsa oas1 soapenv urn urn1 urn3 urn4"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>[VALUE]</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>[VALUE]</SignatureValue>
<KeyInfo Id="KI-42CB9363E8BE47F2B3E0CD8A743C2D7C">
<wsse:SecurityTokenReference wsu:Id="STR-9EE1B09DD6794A64B00B496CC9DC3804">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">[KEY]</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<wsu:Timestamp wsu:Id="TS-BAC31544F1954B5F8C8441167B91A388">
<wsu:Created>2018-12-27T17:42:39.593Z</wsu:Created>
<wsu:Expires>2018-12-27T17:52:39.593Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<urn:ACATransmitterManifestReqDtl wsu:Id="id-DB1DDC6A020C433CB71FF38200026E55"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<urn:PaymentYr>2018</urn:PaymentYr>
<urn:PriorYearDataInd>0</urn:PriorYearDataInd>
<urn1:EIN>[EIN]</urn1:EIN>
<urn:TransmissionTypeCd>O</urn:TransmissionTypeCd>
<urn:TestFileCd>T</urn:TestFileCd>
<urn:TransmitterNameGrp>
<urn:BusinessNameLine1Txt>[Name]</urn:BusinessNameLine1Txt>
</urn:TransmitterNameGrp>
<urn:CompanyInformationGrp>
<urn:CompanyNm>[Name]</urn:CompanyNm>
<urn:MailingAddressGrp>
<urn:USAddressGrp>
<urn:AddressLine1Txt>[Address]</urn:AddressLine1Txt>
<urn1:CityNm>[City]</urn1:CityNm>
<urn:USStateCd>[ST]</urn:USStateCd>
<urn1:USZIPCd>[ZIP]</urn1:USZIPCd>
</urn:USAddressGrp>
</urn:MailingAddressGrp>
<urn:ContactNameGrp>
<urn:PersonFirstNm>[FirstName]</urn:PersonFirstNm>
<urn:PersonLastNm>[LastName]</urn:PersonLastNm>
</urn:ContactNameGrp>
<urn:ContactPhoneNum>[PhoneNumber]</urn:ContactPhoneNum>
</urn:CompanyInformationGrp>
<urn:VendorInformationGrp>
<urn:VendorCd>I</urn:VendorCd>
<urn:ContactNameGrp>
<urn:PersonFirstNm>[FirstName]</urn:PersonFirstNm>
<urn:PersonLastNm>[LastName]</urn:PersonLastNm>
</urn:ContactNameGrp>
<urn:ContactPhoneNum>[PhoneNumber]</urn:ContactPhoneNum>
</urn:VendorInformationGrp>
<urn:TotalPayeeRecordCnt>3</urn:TotalPayeeRecordCnt>
<urn:TotalPayerRecordCnt>1</urn:TotalPayerRecordCnt>
<urn:SoftwareId>[SoftwareID]</urn:SoftwareId>
<urn:FormTypeCd>1094/1095C</urn:FormTypeCd>
<urn1:BinaryFormatCd>application/xml</urn1:BinaryFormatCd>
<urn1:ChecksumAugmentationNum>[CheckSum]</urn1:ChecksumAugmentationNum>
<urn1:AttachmentByteSizeNum>[Bytes]</urn1:AttachmentByteSizeNum>
<urn:DocumentSystemFileNm>1094C_Request_[TCC]_20181226T161942345Z.xml</urn:DocumentSystemFileNm>
</urn:ACATransmitterManifestReqDtl>
<urn2:ACABusinessHeader wsu:Id="id-E71242CFDF04487D9ECA0AC2E1544E90"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<urn:UniqueTransmissionId>6de74234-d0fd-45b2-ad45-b408fd137201:SYS12:[TCC]::T</urn:UniqueTransmissionId>
<urn1:Timestamp>2018-12-26T16:19:42Z</urn1:Timestamp>
</urn2:ACABusinessHeader>
<urn3:ACASecurityHeader>
<urn2:UserId>1#######</urn2:UserId>
</urn3:ACASecurityHeader>
<wsa:Action>BulkRequestTransmitter</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<urn4:ACABulkRequestTransmitter version="1.0">
<urn1:BulkExchangeFile>
<inc:Include href="cid:1094C_Request_[TCC]_20181226T161942345Z.xml"
xmlns:inc="http://www.w3.org/2004/08/xop/include" />
</urn1:BulkExchangeFile>
</urn4:ACABulkRequestTransmitter>
</soapenv:Body>
</soapenv:Envelope>
----023e657d-66f5-4e92-8e6e-c223338c205a
Content-Type: application/xml
Content-Transfer-Encoding: 7bit
Content-Id: <1094C_Request_[TCC]_20181226T161942345Z.xml>
Content-Disposition: attachment; filename="1094C_Request_[TCC]_20181226T161942345Z.xml"
<?xml version="1.0" encoding="utf-8"?>
<n1:Form109495CTransmittalUpstream xmlns="urn:us:gov:treasury:irs:ext:aca:air:ty18"
xmlns:irs="urn:us:gov:treasury:irs:common"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xsi:schemaLocation="urn:us:gov:treasury:irs:msg:form1094-1095Ctransmitterupstreammessage IRS-Form1094-1095CTransmitterUpstreamMessage.xsd"
xmlns:n1="urn:us:gov:treasury:irs:msg:form1094-1095Ctransmitterupstreammessage">
[Removed for Space]
</n1:Form109495CTransmittalUpstream>
----023e657d-66f5-4e92-8e6e-c223338c205a--
Update: I added the Security Header and have gotten past this specific problem, and am now working on resolving the WS-Security error. I've also updated my envelope with what has changed.
Just throwing this out in the wind (more of a comment but too long), but it looks like you are missing these two elements from their example:
<urn4:ACASecurityHeader xmlns:urn4="urn:us:gov:treasury:irs:msg:acasecurityheader" />
<oas:Security xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
You are using this prefix for urn3, which is not referenced in any elements from what I can tell. Not sure if it makes any difference or not, but the above two elements do precede the section that is giving you an error. Feel free to disregard if it sounds like nonsense to you.
I'd like to add to this, one of the things that I learned through developing this process a couple of years ago: the request you send, whether for status or submission, needs to be identical to their example.
The method I used to accomplish this was to create separate XML template documents (one for Submission one for Status) which contains the entire XML needed for each request.
At a high-level, my application uses the WSDL objects by populating them with appropriate data, then I replace the XML elements in the template with values from the objects, sign the XML document, attach the form data (for submission), and send the request.
Reviewing what you posted and comparing it to what I have previously transmitted, I found a couple of differences:
In your envelope definition, you have an attribute xmlns:oas1; I do not have this.
In your InclusiveNamespaces element, I have PrefixList="wsse wsa soapenv urn urn1 urn2 urn3". I was told having this literal value was a must.
Your DigestMethod is sha256, while mine is sha1. I understand there is a difference between the two, but this could be causing you some problems?
I have a urn3:ACASecurityHeader element containing a urn1:UserId element, which I think you have already resolved (it's just not updated in your original post).
Here is the envelope I am currently attempting to send which is resulting in a TPE1122 WS Security Header error being returned.
The following envelope XML is a working envelope for transmission for TY2018. Information has been redacted.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:urn="urn:us:gov:treasury:irs:ext:aca:air:ty18"
xmlns:urn1="urn:us:gov:treasury:irs:common"
xmlns:urn2="urn:us:gov:treasury:irs:msg:acabusinessheader"
xmlns:urn3="urn:us:gov:treasury:irs:msg:acasecurityheader"
xmlns:urn4="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<Signature Id="SIG-E9efb6eb0a76b4277a5cf8dc3930a868d" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#TS-E057d0d55370e45a8bc8a42f995a89aa3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse wsa soapenv urn urn1 urn2 urn3"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>[TIMESTAMP DIGEST VALUE]</DigestValue>
</Reference>
<Reference URI="#id-Ed6c3f891454e4eeaa73aeacaf21b6857">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsa soapenv urn1 urn2 urn3"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>[ACA BUSINESS HEADER DIGEST VALUE]</DigestValue>
</Reference>
<Reference URI="#id-Eda32be00e9954326a8dbbd30a86a975e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsa soapenv urn urn1 urn3"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>[ACA TRANSMITTER MANIFEST DIGEST VALUE]</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>[SIGNATURE VALUE]</SignatureValue>
<KeyInfo Id="KI-E70e6fef54fa44300bf8f732831579e03">
<wsse:SecurityTokenReference wsu:Id="STR-Ee23913563c7843c7917a3c63f9830d6f">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">[CERTIFICATE KEY IDENTIFIER]</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<wsu:Timestamp wsu:Id="TS-E057d0d55370e45a8bc8a42f995a89aa3">
<wsu:Created>2019-01-07T16:32:54.353Z</wsu:Created>
<wsu:Expires>2019-01-07T16:42:54.353Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<urn:ACATransmitterManifestReqDtl wsu:Id="id-Eda32be00e9954326a8dbbd30a86a975e"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
[MANIFEST DATA]
</urn:ACATransmitterManifestReqDtl>
<urn2:ACABusinessHeader wsu:Id="id-Ed6c3f891454e4eeaa73aeacaf21b6857"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<urn:UniqueTransmissionId>e8d5fbcf-564d-4e31-8b48-ecc2fffe8fc0:SYS12:[TCC]::T</urn:UniqueTransmissionId>
<urn1:Timestamp>2019-01-07T08:32:54Z</urn1:Timestamp>
</urn2:ACABusinessHeader>
<urn3:ACASecurityHeader>
<urn1:UserId>[USER ID]</urn1:UserId>
</urn3:ACASecurityHeader>
<wsa:Action>BulkRequestTransmitterService</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<urn4:ACABulkRequestTransmitter version="1.0">
<urn1:BulkExchangeFile>
<xop:Include href="cid:1094C_Request_[TCC]_20190107T163254215Z.xml" xmlns:xop="http://www.w3.org/2004/08/xop/include" />
</urn1:BulkExchangeFile>
</urn4:ACABulkRequestTransmitter>
</soapenv:Body>
</soapenv:Envelope>
I need to call an old IBM WebSphere web service that requires transport and message security via a couple of certificates.
I have it all working in SoapUI, which sends a SOAP message that signs the body with RSA-SHA1. And we get the correct response back. Yay!
I can't get it to work in code, via a simple C# console app (.NET Framework).
I'm not sure which type of SecurityBindingElement to use. The closest one to working seems to be provided by SecurityBindingElement.CreateMutualCertificateBindingElement().
My code reaches the webservice which responds with a SOAP fault:
ERRO00001 The Verification Type configuration 'asymmetric' does not allow algorithm 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'
I've tried all the DefaultAlgorithmSuites and none produce RSA-SHA1, and it may be because Microsoft no longer supports SHA1?
Can we provide an 'RSA-SHA1' algorithm to WCF?
Build the soap XML without WCF and use a SignedXML node for the body maybe?
Is there another way?
Working SOAP (Produced by SoapUI):
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:v1="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Service/V1.1" xmlns:v11="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Namespace/Common/Core/V1.1">
<soap:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-32C491BB4DA90C1EBD165647963666325">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-32C491BB4DA90C1EBD165647963666529" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsa soap v1 v11" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-32C491BB4DA90C1EBD165647963666328">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="v1 v11" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:SignatureValue>
<ds:KeyInfo Id="KI-32C491BB4DA90C1EBD165647963666326">
<wsse:SecurityTokenReference wsu:Id="STR-32C491BB4DA90C1EBD165647963666327">
<wsse:Reference URI="#X509-32C491BB4DA90C1EBD165647963666325" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<wsa:Action>http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsa:Action>
<wsa:From>
<wsa:Address>https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsa:Address>
</wsa:From>
<wsa:MessageID>uuid:84eacffc-0f1b-496a-bd0e-571a5d880aa7</wsa:MessageID>
<wsa:To>http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsa:To>
</soap:Header>
<soap:Body wsu:Id="id-32C491BB4DA90C1EBD165647963666328" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<v1:GetCheckResultRequest>
<v11:RequestID>624f95e5-6a96-483f-b0b8-a483c49d7bee</v11:RequestID>
</v1:GetCheckResultRequest>
</soap:Body>
</soap:Envelope>
My binding code:
private Binding GetCustomBinding2()
{
    var secBE = SecurityBindingElement.CreateMutualCertificateBindingElement();
    /*
    var secBE = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
    // ERRO00001: XPath expression /*[local-name()='Envelope']/*[local-name()='Body'] not covered by signature
    var secBE = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
    var secBE = SecurityBindingElement.CreateMutualCertificateBindingElement();
    // ERRO00001 *The Verification Type configuration 'asymmetric' does not allow algorithm 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'*
    // The service provider wants the signature signed with rsa-sha1
    // ... but this algorithm suite doesn't exist in .NET anymore ??
    var secBE = SecurityBindingElement.CreateCertificateSignatureBindingElement();
    // Exception: contract only supports the OneWay operation
    var secBE = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
    // ERRO00001: The request could not be accepted because it failed to be authenticated
    */
    TextMessageEncodingBindingElement textEncBE = new TextMessageEncodingBindingElement
    {
        MessageVersion = MessageVersion.Soap12WSAddressingAugust2004,
        WriteEncoding = System.Text.Encoding.UTF8
    };
    HttpsTransportBindingElement httpsBE = new HttpsTransportBindingElement
    {
        RequireClientCertificate = true
    };
    var myBinding = new CustomBinding();
    myBinding.Elements.Add(secBE);
    myBinding.Elements.Add(textEncBE);
    myBinding.Elements.Add(httpsBE);
    return myBinding;
}
The SOAP produced by my code (which gets error response):
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_4">http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</a:Action>
<a:From u:Id="_5">
<a:Address>https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</a:Address>
</a:From>
<a:MessageID u:Id="_6">urn:uuid:60b141dd-4b5c-4647-ba8d-1fa008f6e0de</a:MessageID>
<ActivityId CorrelationId="b6dcd628-083b-41f3-ae23-99297c462fe0" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">4fc61092-3f74-4eb6-96b7-ec9d5fc9ea15</ActivityId>
<a:ReplyTo u:Id="_7">
<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1" u:Id="_8">https://nss-ws-train.acic.gov.au/nss-ws/CheckResultRetrieval</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-25cd3298-de48-48db-9817-e2917bdc6999-2">
<u:Created>2022-07-01T00:38:35.634Z</u:Created>
<u:Expires>2022-07-01T00:43:35.634Z</u:Expires>
</u:Timestamp>
<e:EncryptedKey Id="uuid-25cd3298-de48-48db-9817-e2917bdc6999-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<c:DerivedKeyToken u:Id="_0" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="#uuid-25cd3298-de48-48db-9817-e2917bdc6999-1"></o:Reference>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>24</c:Length>
<c:Nonce>
<!-- Removed-->
</c:Nonce>
</c:DerivedKeyToken>
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature Id="_1" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>vbETU40K2domiAcXqpzYTQ437EY=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>PyYM/+DKjoRYkl7vU1lKJPiRuw8=</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>R0gx/VuYg6cr+gLizmfhPDLsoVM=</DigestValue>
</Reference>
<Reference URI="#_6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>mLvPIB+nD1Pb4QgC8rlSiP+qNY4=</DigestValue>
</Reference>
<Reference URI="#_7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>AEOH0t2KYR8mivgqUGDrgMtxgEQ=</DigestValue>
</Reference>
<Reference URI="#_8">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>FWeslFLS8iZvexCL1qCDVK1vgCY=</DigestValue>
</Reference>
<Reference URI="#uuid-25cd3298-de48-48db-9817-e2917bdc6999-2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>zVaxtlzJdEfXOTATlPVnmWy+se4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>wfxV8qPS7PlV4iwNJdcJCbXm4EQ=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>NllOt3h9JKZjTLRAkNz2WDoSAr0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-46c8f1fb-7662-4518-a329-664b8a2fc292-1"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetCheckResultRequest xmlns="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
<RequestID xmlns="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">hello</RequestID>
</GetCheckResultRequest>
</s:Body>
</s:Envelope>
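The checks a receiving gateway performs before it even tries to verify the signature are worth seeing in code, because they explain both threads above: the IRS envelope signs three header parts (the Timestamp, ACABusinessHeader and ACATransmitterManifestReqDtl), and the WebSphere fault "Body not covered by signature" is exactly a coverage check failing. The block below is an added example in Python (standard library only), not code from either post. It constructs its own sample envelope with placeholder digests, resolves each ds:Reference URI to the element carrying that wsu:Id, confirms that Body and Timestamp are among the covered elements, checks the Timestamp window against a fixed clock, and flags SHA-1 and HMAC algorithms. It does not verify digests or the SignatureValue; that would require exclusive C14N honouring the InclusiveNamespaces PrefixList plus the signer's certificate.

```python
"""Structural pre-checks on a WS-Security signed SOAP envelope (stdlib only).
Added example, not code from the threads above. No signature verification
is performed; this answers what a Reference covers, whether Body/Timestamp
are covered, whether the Timestamp window is open, and which algorithms appear."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
# SHA-1 is deprecated for signatures; an HMAC signature is symmetric and cannot
# prove *who* signed, which is why an 'asymmetric' verifier rejects it outright.
WEAK = {RSA_SHA1, HMAC_SHA1, SHA1}

# Fixed "now" values so the constructed Timestamp window gives stable results.
INSIDE_WINDOW = datetime(2019, 1, 7, 16, 35, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2019, 1, 7, 17, 0, tzinfo=timezone.utc)


def envelope(ref_ids, sig_alg, digest_alg):
    """Constructed sample input: a WS-Security envelope whose Signature references
    the given wsu:Id values. Digest and signature values are placeholders."""
    refs = "".join(
        f'<ds:Reference URI="#{r}"><ds:Transforms><ds:Transform '
        f'Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
        f'<ds:DigestMethod Algorithm="{digest_alg}"/>'
        "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>"
        for r in ref_ids
    )
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soapenv:Header><wsse:Security>
    <ds:Signature Id="SIG-1"><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>{refs}
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    <wsu:Timestamp wsu:Id="TS-1">
      <wsu:Created>2019-01-07T16:32:54.353Z</wsu:Created>
      <wsu:Expires>2019-01-07T16:42:54.353Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security></soapenv:Header>
  <soapenv:Body wsu:Id="id-body"><Ping/></soapenv:Body>
</soapenv:Envelope>"""


def parse_ts(text):
    """wsu:Created / wsu:Expires are UTC with optional fractional seconds."""
    text = text.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def index_ids(root):
    """Map every wsu:Id / Id value to its element so Reference URIs can be resolved."""
    ids = {}
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if attr in el.attrib:
                ids[el.attrib[attr]] = el
    return ids


def check_envelope(xml_text, now):
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    report = {"covered": [], "unresolved": [], "weak_algorithms": [], "problems": []}
    sig = root.find(".//wsse:Security/ds:Signature", NS)
    if sig is None:
        report["problems"].append("no ds:Signature in wsse:Security")
        return report
    algs = [sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")]
    covered = []
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        algs.append(ref.find("ds:DigestMethod", NS).get("Algorithm"))
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            report["unresolved"].append(uri)  # dangling fragment or non-fragment URI
        else:
            covered.append(target)
            report["covered"].append(target.tag.rsplit("}", 1)[-1])
    report["weak_algorithms"] = sorted(a for a in set(algs) if a in WEAK)
    body = root.find("soapenv:Body", NS)
    if body is None or not any(body is c for c in covered):
        report["problems"].append("Body not covered by signature")
    ts = root.find(".//wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        report["problems"].append("no wsu:Timestamp")
    else:
        if not any(ts is c for c in covered):
            report["problems"].append("Timestamp not covered by signature")
        created = parse_ts(ts.find("wsu:Created", NS).text)
        expires = parse_ts(ts.find("wsu:Expires", NS).text)
        if not created <= now <= expires:
            report["problems"].append("Timestamp outside validity window")
    return report


if __name__ == "__main__":
    print(check_envelope(envelope(["TS-1", "id-body"], RSA_SHA256, SHA256), INSIDE_WINDOW))
    print(check_envelope(envelope(["TS-1"], HMAC_SHA1, SHA1), INSIDE_WINDOW))
```

Run as a script it prints a clean report for an envelope that signs both Timestamp and Body with RSA-SHA256, then a report for one shaped like the WCF output above: an HMAC-SHA1 signature whose only Reference is the Timestamp. The InclusiveNamespaces PrefixList matters for the reason these checks stay away from C14N: the listed prefixes are written into the canonical bytes that get digested, so a different literal yields a different digest even when the XML looks identical.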
I am using a service that returns an XML signature. Now my task is to identify the signer name from the response XML signature.
XML response signature format :
<?xml version="1.0" encoding="UTF-8"?>
<EsignResp errCode="NA" errMsg="NA" resCode="XXXXXXXXXXXXXXXXXXXXXXXX" status="1" ts="2019-05-02T15:15:13" txn="XXXXXXXXXXXXXXXXXXXXXXXX">
<UserX509Certificate>XXXXXXXXXXXXXXXXXXXXXXXX</UserX509Certificate>
<Signatures>
<DocSignature error="" id="1" sigHashAlgorithm="SHA256">XXXXXXXXXXXXXXXXXXXXXXXX</DocSignature>
</Signatures>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>XXXXXXXXXXXXXXXXXXXXXXXX</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XXXXXXXXXXXXXXXXXXXXXXXX</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>XXXXXXXXXXXXXXXXXXXXXXXX</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509SubjectName>XXXXXXXXXXXXXXXXXXXXXXXX</X509SubjectName>
<X509Certificate>XXXXXXXXXXXXXXXXXXXXXXXX</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</EsignResp>
In the <UserX509Certificate> tag I get certificate details like Issued To, Issued By, Valid From.
Is there any way to get this information using iTextSharp (C#)?
You don't need iTextSharp for handling and parsing certificates. It's a PDF library and is not required for XML.
You may convert the Base64 string into an X509Certificate2 using the code below.
using System;
using System.Security.Cryptography.X509Certificates;

// Base64 text taken from the <UserX509Certificate> (or <X509Certificate>) element
byte[] bytes = Convert.FromBase64String("MII<...>==");
var cert = new X509Certificate2(bytes);
// validity period: cert.NotBefore / cert.NotAfter
Then the cert variable above will have properties like
cert.Issuer or cert.IssuerName
cert.Subject or cert.SubjectName
The content may be parsed with Split(',') and Split('=') as per your requirement.
I'm trying to parse the xml file to get the Certificate info from ClickOnce Manifest.
What I need is the X509Certificate information.
Example file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">
<asmv1:assemblyIdentity name="someName.Xbap.exe" version="2.5.18.1" publicKeyToken="3i3cc7f44s0b9526" language="neutral" processorArchitecture="msil" type="win32" />
<application />
<entryPoint>
<assemblyIdentity name="someName.AFW.Xbap" version="2.5.18.1" language="neutral" processorArchitecture="msil" />
<commandLine file="someName.AFW.Xbap.exe" parameters="" />
<hostInBrowser xmlns="urn:schemas-microsoft-com:asm.v3" />
</entryPoint>
<publisherIdentity name="CN=HOSTNAME" issuerKeyHash="4534734c4984227c4fa0asdd4eb114524aaed397" />
<Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>MVvHBmUFm2j7PwKjbzig0y7jdBo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>someRandomSignatureValue</SignatureValue>
<KeyInfo Id="StrongNameKeyInfo">
<KeyValue>
<RSAKeyValue>
<Modulus>someRandomModulusValue</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<msrel:RelData xmlns:msrel="http://schemas.microsoft.com/windows/rel/2005/reldata">
<r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:as="http://schemas.microsoft.com/windows/pki/2005/Authenticode">
<r:grant>
<as:ManifestInformation Hash="manifesthash" Description="" Url="">
<as:assemblyIdentity name="Somename.Xbap.exe" version="1.0.18.51" publicKeyToken="3b3bc7b44b4b8810" language="neutral" processorArchitecture="msil" type="win32" />
</as:ManifestInformation>
<as:SignedBy />
<as:AuthenticodePublisher>
<as:X509SubjectName>CN=HostName</as:X509SubjectName>
</as:AuthenticodePublisher>
</r:grant>
<r:issuer>
<Signature Id="AuthenticodeSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>asdasda+asdaasdasdad=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>someRandomSignatureValue==</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>someRandomSignatureValue</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>!!!this is the required certificate information!!!</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</r:issuer>
</r:license>
</msrel:RelData>
</KeyInfo>
</Signature>
</asmv1:assembly>
I try to parse it like:
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(filePath);
XmlNode securityNode = xmlDoc.SelectSingleNode("/Signature/KeyInfo/msrel:RelData/r:license/r:issuer/Signature/KeyInfo/X509Data/X509Certificate");
When I execute it, I get XPathException
I've also tried one namespace variant.
These are some steps you missed. First, you need to use XmlNamespaceManager to register prefix-to-namespaceUri mapping :
var nsMapping = new XmlNamespaceManager(xmlDoc.NameTable);
nsMapping.AddNamespace("msrel", "http://schemas.microsoft.com/windows/rel/2005/reldata");
nsMapping.AddNamespace("r", "urn:mpeg:mpeg21:2003:01-REL-R-NS");
Second, besides above 2 namespaces, you also need to register the default namespace (the namespace which declared without prefix) for use in the XPath :
nsMapping.AddNamespace("d", "http://www.w3.org/2000/09/xmldsig#");
Third, pass the namespace manager as the second parameter of SelectSingleNode(), in addition to using the registered prefixes properly in the XPath:
var xpath = "//d:Signature/d:KeyInfo/msrel:RelData/r:license/r:issuer/d:Signature/d:KeyInfo/d:X509Data/d:X509Certificate";
XmlNode securityNode = xmlDoc.SelectSingleNode(xpath, nsMapping);
Missing that particular step will trigger the XPathException you mentioned in the question. And btw, the following much simpler XPath should also work for this case:
var xpath = "//d:X509Certificate";
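A runnable illustration of the three steps, added here and not part of the answer above: it uses Python's standard-library ElementTree instead of the .NET XmlDocument, where the prefix map passed to find() plays the role of XmlNamespaceManager. The manifest text is a constructed, cut-down copy of the one in the question (the asmv1, msrel and r namespace URIs are the real ones; signature values are placeholders).

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the manifest in the question: an xmldsig
# Signature in the default (prefix-less) namespace, whose KeyInfo wraps an
# MS-REL licence, whose issuer carries a second Signature with the certificate.
MANIFEST_XML = """<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignatureValue>outerSignatureValue==</SignatureValue>
    <KeyInfo>
      <msrel:RelData xmlns:msrel="http://schemas.microsoft.com/windows/rel/2005/reldata">
        <r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS">
          <r:issuer>
            <Signature Id="AuthenticodeSignature">
              <SignatureValue>innerSignatureValue==</SignatureValue>
              <KeyInfo>
                <X509Data>
                  <X509Certificate>!!!this is the required certificate information!!!</X509Certificate>
                </X509Data>
              </KeyInfo>
            </Signature>
          </r:issuer>
        </r:license>
      </msrel:RelData>
    </KeyInfo>
  </Signature>
</asmv1:assembly>"""

# The prefix map is the counterpart of XmlNamespaceManager: "d" is a prefix we
# choose for the default namespace, which has no prefix in the document itself.
NS = {
    "d": "http://www.w3.org/2000/09/xmldsig#",
    "msrel": "http://schemas.microsoft.com/windows/rel/2005/reldata",
    "r": "urn:mpeg:mpeg21:2003:01-REL-R-NS",
}

FULL_PATH = (".//d:Signature/d:KeyInfo/msrel:RelData/r:license/r:issuer"
             "/d:Signature/d:KeyInfo/d:X509Data/d:X509Certificate")


def find_unqualified(xml_text):
    """The question's mistake: element names without their namespace.
    Every step is looked up in the empty namespace, so nothing matches."""
    root = ET.fromstring(xml_text)
    return root.find(".//Signature/KeyInfo/X509Data/X509Certificate")


def prefixes_without_map_fail(xml_text):
    """Prefixed steps with no prefix map: ElementTree raises SyntaxError,
    the counterpart of the XPathException in the question."""
    root = ET.fromstring(xml_text)
    try:
        root.find(FULL_PATH)
    except SyntaxError:
        return True
    return False


def find_certificate(xml_text):
    """Namespace-aware lookup along the full path, pinned to the inner issuer
    Signature so a certificate elsewhere in the file cannot be picked up."""
    root = ET.fromstring(xml_text)
    node = root.find(FULL_PATH, NS)
    return None if node is None else node.text.strip()


def find_any_certificate(xml_text):
    """The shorter '//d:X509Certificate' form: first certificate in document order."""
    root = ET.fromstring(xml_text)
    node = root.find(".//d:X509Certificate", NS)
    return None if node is None else node.text.strip()


if __name__ == "__main__":
    print(find_unqualified(MANIFEST_XML))           # None
    print(prefixes_without_map_fail(MANIFEST_XML))  # True
    print(find_certificate(MANIFEST_XML))
```

The full path and the short one return the same node for this file. The difference matters when the certificate is later used for a trust decision: the full path ties the lookup to the issuer Signature, while //d:X509Certificate takes whichever certificate comes first in document order and would silently return a different one if another KeyInfo carried X509Data.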
The document contains several different namespace definitions. When accessing nodes inside XML structures that use namespaces, the namespace has to be addressed too, otherwise the name is incomplete and it looks as if the node does not exist.
One possible solution using LINQ2XML could look like this:
using System;
using System.Linq;
using System.Xml.Linq;

// load the xml document
var xml = XDocument.Load(@"d:\input.xml");
// find the signature node by its local name, whatever namespace it carries
var signature = xml.Root.Elements().FirstOrDefault(e => e.Name.LocalName == "Signature");
if (signature != null)
{
    // get the namespace of the signature node in order to search for the sub nodes
    var ns = signature.GetDefaultNamespace();
    // find the certificate node
    var certificate = signature.Descendants(ns + "X509Certificate").FirstOrDefault();
    if (certificate != null)
    {
        // take the value
        Console.WriteLine(certificate.Value);
    }
}
The output is:
!!!this is the required certificate information!!!
I am sending a SAML 2.0 logout request to ADFS and getting a logout response with status code "urn:oasis:names:tc:SAML:2.0:status:Requester".
I have checked the NameID value and it is equal to the NameID in the Assertion.
I don't see any error in the ADFS logs.
This is my Logout request:
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" Destination="https://IDP_adfs.xxx.com/adfs/ls/" ID="id007471cfceb449239be1a6a48d28ae89" IssueInstant="2015-01-05T15:30:56.3978094Z">
<saml:Issuer>https://SP.xxx.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#id007471cfceb449239be1a6a48d28ae89">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>GsF...t/uwM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>qY5RIT/eT9Tgkg7dj...IPn/2STu7iepIQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC5jCCAc...qAdOYsuKUgO9WNers=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</saml:NameID>
<samlp:SessionIndex>_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95</samlp:SessionIndex>
</samlp:LogoutRequest>
This is my Logout Response:
<?xml version="1.0"?>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_79573c99-c8d3-4ea3-8b53-e15551128318" Version="2.0" IssueInstant="2015-01-05T15:31:02.954Z" Destination="https://SP.xxx.com/Account/logout/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="id007471cfceb449239be1a6a48d28ae89">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_79573c99-c8d3-4ea3-8b53-e15551128318">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>B/badvPpTrEuKZsqOvBQM54CIJ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cWIEl5wY3...lIiQDltacRcjxyw==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC2jCCAcKgAwIBA...LmlI6oFWC3Lw=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
</samlp:Status>
</samlp:LogoutResponse>
This is my saml response with the assertion:
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8b594b16-6505-4da6-9f4c-0d0d301bedb1" Version="2.0" IssueInstant="2015-01-05T14:25:40.241Z" Destination="https://SP.xxx.com/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d6df6a72-99de-4935-8153-0db0d6f4b3f6" IssueInstant="2015-01-05T14:25:40.241Z" Version="2.0">
<Issuer>http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>LUFxx...MY8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>svLLi2ooLayZCvYCrZlDnLJAt2K7SzUcNSPS7m1Qlb1UUXZWoznd5gqusXRRrGazx6AVdnpcLgI6LVZ7xirOUBGpFxNZO7q/0zkyvzY7/lwhO4RTqtTHL2QlJTwapalWXZ9FCw0kTbmLgwgZaaqRUee5hE1kpDrIpusJXU9L9Abc/UBLZhAcstTaXDVUvCF/FH2dz2Kv9P07pV5Kcy0RvQWeJ5IkDZHefDYNsm+9Y+2V3kuPC4Ry54/7cxWc2DvDcYaKxht88/J2MA2kOqzF60Ty2Ka1hy1GpCviVO8X+SfWtgOpGcjj0NxJGSwqIcgF5PGXYfgR5sLF66xaY1t+9w==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC2jCCAcKgA...lI6oFWC3Lw=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52" NotOnOrAfter="2015-01-05T14:30:40.241Z" Recipient="https://SP.xxx.com/"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-01-05T14:25:40.241Z" NotOnOrAfter="2015-01-05T15:25:40.241Z">
<AudienceRestriction>
<Audience>https://SP.xxx.com</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>user@xxx.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>user@xxx.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>User User</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-01-05T14:25:40.225Z" SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
I am using the HTTP-POST binding to send the logout request and get the logout response.
There is a problem with my logout request according to the "urn:oasis:names:tc:SAML:2.0:status:Requester" status code, but unfortunately I can't find it.
urn:oasis:names:tc:SAML:2.0:status:Requester means that ADFS didn't "like" the request and blames the source of the request. As Hans Z points out there should be something in the ADFS log and trace files. If there are no messages then do check your ADFS patch and hotfix levels.
Now to the problem in the above message. For signout there must be two correct identifications: NameID and SessionIndex. Although you seem to have edited the XML, which makes anything I write speculative... The problem could be the SessionIndex.
In the assertion: AuthnStatement@SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6"
In the LogoutRequest: SessionIndex has the value _48b8991b-d3c4-4f8a-9c8b-a86e0a718c95
I have not looked at other possible errors, because you seem to have edited the XML. The validating parser would refuse it for that reason and thus miss other possible problems.
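The answer's point, that NameID and SessionIndex in the LogoutRequest must be the ones from the assertion, as an added Python check; this is not the asker's code and uses only the standard library. The two documents are constructed from the assertion and LogoutRequest in the question with the signatures removed, and the IDs are the ones shown above. The builder copies the identifiers straight out of the assertion instead of looking them up elsewhere; the unsigned request it returns still has to be signed (enveloped xmldsig over the request, as in the question) before it is sent.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

# Constructed from the Response/Assertion in the question, signature omitted.
ASSERTION_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8b594b16-6505-4da6-9f4c-0d0d301bedb1" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d6df6a72-99de-4935-8153-0db0d6f4b3f6" Version="2.0">
    <Issuer>http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
    <Subject>
      <NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</NameID>
    </Subject>
    <AuthnStatement AuthnInstant="2015-01-05T14:25:40.225Z" SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
      <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>"""

# Constructed from the LogoutRequest in the question, signature omitted.
LOGOUT_REQUEST_XML = """<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="id007471cfceb449239be1a6a48d28ae89">
  <saml:Issuer>https://SP.xxx.com</saml:Issuer>
  <saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</saml:NameID>
  <samlp:SessionIndex>_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95</samlp:SessionIndex>
</samlp:LogoutRequest>"""

LABELS = ("NameID", "NameID/@Format", "SessionIndex")


def session_identity(response_xml):
    """(NameID, Format, SessionIndex) as issued by the IdP in the assertion."""
    assertion = ET.fromstring(response_xml).find(".//saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    return name_id.text, name_id.get("Format"), authn.get("SessionIndex")


def logout_identity(request_xml):
    """(NameID, Format, SessionIndex) as carried in a LogoutRequest."""
    root = ET.fromstring(request_xml)
    name_id = root.find("saml:NameID", NS)
    session = root.find("samlp:SessionIndex", NS)
    return name_id.text, name_id.get("Format"), None if session is None else session.text


def logout_mismatches(response_xml, request_xml):
    """Names of the fields whose value in the LogoutRequest differs from the assertion."""
    pairs = zip(LABELS, session_identity(response_xml), logout_identity(request_xml))
    return [label for label, issued, sent in pairs if issued != sent]


def build_logout_request(response_xml, issuer, request_id, issue_instant, destination):
    """Unsigned LogoutRequest whose NameID and SessionIndex come from the assertion."""
    name_id, fmt, session_index = session_identity(response_xml)
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "Version": "2.0", "ID": request_id,
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['saml']}}}NameID", {"Format": fmt}).text = name_id
    ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    print(logout_mismatches(ASSERTION_XML, LOGOUT_REQUEST_XML))  # ['SessionIndex']
    print(build_logout_request(ASSERTION_XML, "https://SP.xxx.com",
                               "id007471cfceb449239be1a6a48d28ae89",
                               "2015-01-05T15:30:56.3978094Z",
                               "https://IDP_adfs.xxx.com/adfs/ls/"))
```

Run against the question's documents the check reports only SessionIndex, which is the mismatch the answer points to; a request built from the assertion reports nothing.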
EDIT:
I think the only bit left to understand is the signing of the message using the username token profile. Any pointers/clues/info on how to implement that would be great. I have played with Visual Studio .NET 2003 with WSE 2, and the username token profile sample does this by default, so my fallback is to use that, but I prefer to run on Linux, as that is the server we have. Plus there is no Mono port of WSE. I get the impression that this is not used much/it's deprecated...
I have to talk to a Web Service and have been given the sample below. I am trying to translate this into English... or at least understand which bits of the WS security specs I need to be looking at to communicate to it.
I am using Ruby/Savon for other WS calls, but it seems to only support basic WSSE, username/passwords.
I can see this message has a Signature, but is it signed via an external file/certificate/code, or do I have enough details below to do the same signing within my own code?
I don't see any X509 or Cipher entries, which seems to imply it's not done with such a certificate (in my naive understanding of this), so what is being used to produce the Signature? Perhaps just a simple hash of the message?
It also seems to use some sort of digest/message checking, as when I try tweaking the sample and resending it, it's bounced as invalid, although I guess this might be related to the signature issue...
I don't think Savon supports this, and so I am thinking I need to switch to JRuby and use a Java WS library, perhaps Rampart with Axis2 or maybe Spring Security bits. Any tips/recommendations/good tutorials? I see this from IBM, but I'm thinking I need something higher level so I can grasp the "big picture".
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-6762c167-412b-4bf8-8839-518e9bc25da5">
http://host/path/func</wsa:Action>
<wsa:MessageID wsu:Id="Id-00bb0af8-232d-43a8-adbb-39f230599c56">
uuid:2005639d-39b8-4df6-bf41-e18741c45291</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-c53a1dbe-244f-46a9-b656-883f4b06dcfe">
<wsa:Address>
http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-017877f6-e5a3-43ae-aa2b-4886adb7060c">
http://host/path/func.asmx</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-1a38d0f9-077f-4e95-991b-fa899a171920">
<wsu:Created>2011-03-14T15:00:09Z</wsu:Created>
<wsu:Expires>2011-03-14T15:05:09Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-42ae32d2-f6ff-431e-9369-7696b44965e3">
<wsse:Username>crypteduser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
cryptedpass</wsse:Password>
<wsse:Nonce>fLSoqLm9kuOumxy39JRHaw==</wsse:Nonce>
<wsu:Created>2011-03-14T15:00:09Z</wsu:Created>
</wsse:UsernameToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<Reference URI="#Id-6762c167-412b-4bf8-8839-518e9bc25da5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>SAYl5o1kh33HteOe0L7G6KIKqWg=</DigestValue>
</Reference>
<Reference URI="#Id-00bb0af8-232d-43a8-adbb-39f230599c56">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>//LMuFkNC1FO1/9A9W7l6o75Y2M=</DigestValue>
</Reference>
<Reference URI="#Id-c53a1dbe-244f-46a9-b656-883f4b06dcfe">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>9pgN7bU48UKi1UTnpOCikOnp2G0=</DigestValue>
</Reference>
<Reference URI="#Id-017877f6-e5a3-43ae-aa2b-4886adb7060c">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>lWZNjtSHfVtiZeOFZAosV868Uos=</DigestValue>
</Reference>
<Reference URI="#Timestamp-1a38d0f9-077f-4e95-991b-fa899a171920">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>H3nYPY6kfIWEIWQhpwaz8VKeQIM=</DigestValue>
</Reference>
<Reference URI="#Id-f95dfea2-3af8-4e95-8e60-141858db9532">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>uRTu+Hzxw+zdaTYgW0z+j35diIQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Hdn2wxWhmr450pefMuc41o6GgOA=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-42ae32d2-f6ff-431e-9369-7696b44965e3"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-f95dfea2-3af8-4e95-8e60-141858db9532">
<func xmlns="http://host/path/">
<xml_in>yucky xml inside xml...</xml_in>
</func>
</soap:Body>
</soap:Envelope>
Many thanks in advance for any tips/pointers you can give.
Regards,
Chris
EDIT
Seems similar to this question... which does use an X509 cert, so perhaps it is needed.
Currently reading the wikipedia entry for this.
EDIT2
Seems like it's this, hopefully the username-based option... http://msdn.microsoft.com/en-us/library/ms824647.aspx
EDIT3
I think I have most of it sorted now; the main thing outstanding is the username digesting. How do I do it, and where does the signature value come from...
EDIT4
Thinking my best bet is to write a client in .NET, and either that will give me enough clues to do it directly in Ruby, or I can wrap it in a simpler version, at least for the short term...
This isn't really a full answer, but just a few things I've noticed.
The wsse:SecurityTokenReference refers to this document (in the cryptic sort of soap way): http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
I would read through: 3.2 Token Reference
Also, the parent section mentions this formula:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
Maybe try something like this for the signature?
Password_Digest = Base64 ( SHA-1 ( nonce + created + UsernameToken ) )
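The Password_Digest formula quoted from the Username Token Profile, as an added Python example that is neither the answerer's nor the asker's code: the client-side digest the profile defines for a PasswordDigest token (the sample above sends PasswordText, i.e. the cleartext password) and the checks a verifier has to pair with it, namely a bounded age for Created and rejection of a repeated Nonce/Created pair. The Nonce and Created values are the ones from the sample message; the password and the clock are constructed. It does not derive the key behind the hmac-sha1 SignatureValue, which is the part still open in the question.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_TIME = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created format used in the sample message


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).

    nonce is the raw bytes that wsse:Nonce carries base64-encoded; created and
    password are appended as UTF-8 text, in exactly this order."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_username_token(username, password, nonce=None, created=None):
    """Client side: the four children of wsse:UsernameToken, digest variant."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(WSU_TIME)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenVerifier:
    """Server side: recompute the digest, bound the age of Created and refuse
    a (Nonce, Created) pair that has already been accepted (replay)."""

    def __init__(self, passwords, max_age=timedelta(minutes=5), clock=None):
        self._passwords = passwords  # username -> password; constructed store
        self._max_age = max_age
        self._seen = set()
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def verify(self, token):
        password = self._passwords.get(token["Username"])
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], WSU_TIME).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except ValueError:
            return False
        now = self._clock()
        if created < now - self._max_age or created > now + timedelta(minutes=1):
            return False  # stale, or claims to come from the future
        key = (token["Nonce"], token["Created"])
        if key in self._seen:
            return False  # replay of an already accepted token
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self._seen.add(key)
        return True


def demo():
    """Client and server round trip using the Nonce and Created from the sample
    message; password and clock are constructed for the example."""
    nonce = base64.b64decode("fLSoqLm9kuOumxy39JRHaw==")
    created = "2011-03-14T15:00:09Z"
    clock = lambda: datetime(2011, 3, 14, 15, 0, 30, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"crypteduser": "example-password"}, clock=clock)
    token = make_username_token("crypteduser", "example-password", nonce, created)
    first = verifier.verify(token)   # True
    replay = verifier.verify(token)  # False: same Nonce and Created presented again
    wrong = verifier.verify(make_username_token("crypteduser", "not-the-password",
                                                os.urandom(16), created))  # False
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The digest only proves knowledge of the password; without the freshness window and the nonce cache a captured token can be presented again unchanged, which is why the verifier refuses the second presentation above.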