Develop Reference

What is the replacement of Microsoft.Web.Services3 in .NET Core that can authenticate with both Username and Signature?

We're currently porting a SOAP client to .NET Core but we're having issues on authentication. Based on our findings, it all boils down to adding both a UsernameToken and Signature to the SOAP Header. In .NET Framework, we authenticate like so:
WebServicesClientProtocol client;
X509SecurityToken token;
client.RequestSoapContext.Security.Tokens.Add(new UsernameToken("myusername", "mypassword", PasswordOption.SendPlainText);
client.RequestSoapContext.Security.Tokens.Add(token);
client.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));
We added a WCF Connected Service to our .NET Core project and tried different configurations of the client. The closest we got are something like these:
// this adds UsernameToken only
var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
var client = new MyClient(binding, new EndpointAddress("https://myservice.com/foo");
client.ClientCredentials.UserName.UserName = "myusername";
client.ClientCredentials.UserName.Password = "mypassword";
---
// this adds Signature only
var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
var client = new MyClient(binding, new EndpointAddress("https://myservice.com/foo"));
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "mycert");
Unfortunately, combining the two does not add both UsernameToken and Signature. We've tried many other variations of the configuration but was not successful.
Our working SOAP request looks something like this:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-867b67fc-b2c7-4ca3-bcbb-fdf74ae04baf">http://myservice.com/foo/services/my_request</wsa:Action>
<wsa:MessageID wsu:Id="Id-e8c0e394-e80f-453b-b5d6-10369c186b02">urn:uuid:1aad204d-a5f4-4b33-986c-56011dc27ade</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-790537dd-870a-45e0-9873-427684db6ea1">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-791bacd6-af9b-4c45-ad13-e7297a8c8ea2">https://myservice.com/foo/services/abcServices</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-6a6fb289-7878-413c-b88d-42f0522faa31">
<wsu:Created>2020-09-29T22:56:15Z</wsu:Created>
<wsu:Expires>2020-09-29T22:57:15Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2cca8c34-352c-4301-8bb5-da46a8c70746">
<wsse:Username>myusername</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">mypassword</wsse:Password>
<wsse:Nonce>ikb=nqrsp+OH=jEMDl+a1fgC</wsse:Nonce>
<wsu:Created>2020-09-29T22:56:15Z</wsu:Created>
</wsse:UsernameToken>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-7068c9fb-9793-451e-b462-aedf192c57aa">DciPWRsnJhRAOZCeZAwGCV9OzzucIYwvgAVbX46MIQAZNGSgQBcNcEMDDylCc90RdwAV/9XwDB30mJgiV5M8o6ImCggQogABgp0XNTBJnrugnYIGIAj+QUZ0zZivg9Uu/0BxKScQqcGbK43AwEAgwjNPGQ+AXwBAQVMsgFA80OIsQ1IwIwzxGApSzX2A5gY0cVx9rjnMrv+9ctmoqELA91fAgVBcVkATBUTnwQZExrHfxzAwYxAL5jBrngrgK9A2YYDBFDCVrDajRrCdcHM5RQhIwPbBBWMQZTQCAtwuDBsOCkYJKwSbUjvx3Ypg7nTsskyJeP3DPYVtOxpUkEIRYwuisEwANlGMBzmWEbNxMRUQGL2R1/BPFCzXbC/RMMQAVAVlAFB4MwaXYwdopUdMSAzT4F00YswQLf6MMxWDWqlCFwQ98GdHE1K0MnS1weWa+FQ0DVXQVK/JwUukgHvfvplVBPScuWjQAEMMiTSEa94Y5ES5dNdafc5cKIbzbkJCGCsVxxAQl8guEdJQH0cWKC9gROZYqYYFVGjBPkmLi9QgaEpPdBToRtDgTacqty1XyBdhDY3ntJYyxMaAHDeI0KIdKvDBIMCsX2xA8bQ2O8pCdFwQ37GUy1bMfTul7+JQfyyFZknHuVxuiWvNUsoGo0sQn2H3NODdLjMpLgVp3P3MmNc9AuSBzQw3WAGzNR7FnB1fU4VaLzciAAHFiA1LMwbMoIH2FcB907QjFNy08c8BBDoSgdUIp+BxGKyHATeqmHHI7iRsX0BuNv1VuSfnrjAANIWoQNA97DAKnSId5IEG39SaSesXunHQUsCrAMvA9yjcSLjXAxUT7DD2iQgINBLuMmqCz1Y9zUQggC7/I5NUDXO94jAxUg1gVgZZHcbA53SMsA57VwCAUI6AslwA7pGHq2YwbwBTg0Mb+cnEZjA9SuGVeuDnHmVZxgUjWds5snOH+enkMA+BhTzNR7HGNM1AElK0BkfCrgwyqAq22kdc7DnUYGEISIaDm0NYIA1QwBf+J7dwXaBHLmcG7ANAClBXfAQQXAN0g2/zGgFYNKhcgK2HoggNlByd2T0md0Rje00BG9QZlY5DXFNEArT+BPw1TqHYGHEgJhupWG7tsDg/DjANqUVyVEWp4xVjOh9YDIuq8U0TqmD4HVNbbIi2rMTVhZACYoscERM5guBoW4b2u2CCArlFVw1MOELOETnJQKQGNWNaWNVVDjYTsCqMkbqwRU59ijlZIUzhKDFgk098vCDCIwUMhEdA0VYLJvhuNc0QRp9Lakposm9LTKPZAz7yiSF5gwGsjqMACBDwOQMSBEQAaMGN3HNYMFABJQDl1UAbCBZa5gbWwLNdHZhzaawoARcul0Cn6QPQT7BGZGdUcYAlFVMl6k1n3dB70JzcWMapJpZFlI6Bn3IB/RhGDMIQ3D3E/n9wbQZKMDEAbR3VB8WMGZ3lzuHTaUbo2wB5l8Z2I5kt2DsmG7+9DkEYCGCzFA1mGlnIRQmcLBwHJxMRNyPgt0r3XFbIg8+EgzmaFm0M9lbSUVmb5ExAL5++kWxjIzE2oco1kY8sdOtB8OBfQlMyPv9+rEZrz+EDCkxAAIAtkaDRAqwBHpnM7gZmlQObRtgkWhAEbHnQ0Uk9p6geUwqQFAW14vG9Jge/ALNNAdw0AFw0VXmRgCYpLVFFgQoYBWWYH4CBFGidBAAhlDK5/MAjcZMR7S3RRpwvYUNBEorAcNmw1BEv3AjNawWPoI0gANGAHxrAR7Qm6cDIGNoYBLzUCGDfdxASw5gt9wvaN0mPu+JMARO/VfAMd7GY0TGmdDgImtbIKWE6Nnw0bIFi1XCH9AIDHb06Q8ufOxuxM0vz5IBnQLXWyEMQsRiJOBga4Mn0CBhQtciAwQmiqCqxAEj3ywDau2xAEvnEIOoEoxwyWQDHjYrCmSGUUbfM1Pd3WRYgAhTzYwz9fMF3AH0DcapF/IQdILuPBXxIpIGbbgwaCaM+LB4mZo5lBAROlBQrjYiYLjAVBU2zwH70EW49PAoA4GEwEpBIimD4ErDVLDk909BS8QH2y5Bq/BQMYOMIzUvbQkPOjR8EKRA0A+Gkvl8gMRwWYT17RipgAFENrrdSYsYooM5CdQAxs3NJRQLoegJRDcCMKAjjTWC4/AErgoTR1YmDdBBANzcP5ZVFUKOBEA3fvmkBQWnxOjBEjiQzSggLv+m12YsAjx0RdCqwW5VgUw=IAgRGRPVLWBIBVdNP0wWtHBt7esoIOSjDDLAxhftDgMY78oWkxMM8lxRm</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Id-157ede06-c0ff-4092-861c-74b7ed541bda">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>GMl851P/=af8OP8gf45n8xsL3fg/</DigestValue>
</Reference>
<Reference URI="#Id-ae995838-928a-452e-be22-633ca120855b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>=VADYKMj8xOqZJZyReClqof3Ve3S</DigestValue>
</Reference>
<Reference URI="#Id-583f212c-afe0-4b2a-8f24-94a61ab01c11">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>OUa3ZYsm9=soUTrZ/51ko8YZ1UeX</DigestValue>
</Reference>
<Reference URI="#Id-3549607b-958f-4a73-887a-6e25c400368d">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>RCAWZo4o=R3wGfSUZhnA0VSxccEm</DigestValue>
</Reference>
<Reference URI="#Timestamp-814589a1-8fa8-4d05-bcb5-2cd5e59e4f95">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>nrSGxl2bQ6Ul2Wzgl27nb3ME8=p1</DigestValue>
</Reference>
<Reference URI="#Id-c4508205-7502-451a-b57c-ef3bae807828">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>IO5AN6rcQ7gmf+oyZ=YX+hcXamHa</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>wad2UgTSA/1JONW+s1gv/CVHJ85nwuRdakOx57Fpg+jS7R+LWHCAqXljtNS07OdFMHYrrpObgIIs5aSKXJfcdZy/bPuRkQKV=23GUMB3E90c2n42nHFn99ZqMGQJfHpukT71g1exbtlLwQgtCHq903ttBXEB/tkzvfKbQgbR+46gxRCjwlKiDvpUQBngcMOhyf8TZ6dgOWThIMZubJhzd7eXP5rLEl+L4qpOBosFJm6I5HcRSZaF/b/=4JT7U0KmCCLkEaUG+XdGmUyPcdLLGUpOhVh9P74rC7gBxnnyY9+djdu9qu7ibyRjGhngqjNOYu1wNI+Bi5ptK5vjgPwFa15H</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-61f81057-6b05-43c1-9b51-75a9a554f9f0" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-82864924-6cd8-44d4-955d-cd6ed8bf8067">
<myRequest xmlns="http://myservice.com/foo/params">
<foo>12345</foo>
<bar>baz</bar>
</myRequest>
</soap:Body>
</soap:Envelope>
Appreciate any help! Thank you!

Core does not support the security of the message layer, you can change the security of the message layer to the transport layer or use the .net framework:
For more information about WCF in core, please refer to this link:
https://github.com/dotnet/wcf/blob/master/release-notes/SupportedFeatures-v2.1.0.md

Sign SOAP body and Timestamp with X509 certifcate in WCF

I’m trying to connect to a SOAP WS with the following features:
HTTPS
Signed Timestamp
Signed Body
Not encrypted Request
That's an example of the Soap Request I want:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-c1cf1e29">
<wsu:Created>2018-08-29T10:20:58Z</wsu:Created>
<wsu:Expires>2018-08-29T10:25:58Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2e4f8773"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
[...]
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Timestamp-c1cf1e29">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>........</DigestValue>
</Reference>
<Reference URI="#Body-d96b5e74">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
[...]
</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-2e4f8773" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-d96b5e74">
[...]
</soapenv:Body>
</soapenv:Envelope>
I’m connecting thought WCF and I’ve created a custom binding that works via HTTPS, gives me the timestamp signed and is not encrypted, but I’m not able to sign the body.
I use a X509 Certificate for sign the timestamp.
That's the binding I'm using:
<binding name="customBind">
<security allowInsecureTransport="true" includeTimestamp="true"
requireDerivedKeys="false" authenticationMode="CertificateOverTransport" />
<textMessageEncoding messageVersion="Soap11" writeEncoding="UTF-8"/>
<httpsTransport />
</binding>
I’ve tried different bindings like wsHttpBinding, ws2007HttpBinding, basicHttpBinding, wsHttpContextBinding… with different configurations, with no succeed.
Any idea?
Thanks!

Error Code 998 while authenticating Aadhaar

I downloaded Aadhaar API Source Code from github (https://github.com/souvikdc9/aadhaarapi.net ) . I never modified anything in that project and started running by setting "Uidai.Aadhaar.Sample" as startup project.
All the data inside project is tested data by Uidai.
I am trying to authenticate By OTP.
Kyc.KnowYourCustomerAsync().GetAwaiter().GetResult(); in program.cs file
URL: http://developer.uidai.gov.in/otp/1.6/public/9/9/MG41KIrkk5moCkcO8w-2fc01-P7I5S-6X2-X7luVcDgZyOa2LXs3ELI
Response:
<OtpRes txn="20180131032427098" err="998" actn="A202" code="eb4619dba1734185b75763194f61128a" ts="2018-01-31T15:30:34.384+05:30" ret="n" info="01{c039ac2f8cba7681dfa2470c9552173f11998bcf4cefc319419f8cf071e431ca,A,0001-01-01T00:00:00,1.6,20ef0f0c8d0eea98772412cea9b3b92612e3e53cb5e59152b5703165f56e8a53,efa1f375d76194fa51a3556a97e641e61685f914d446979da50a551a4333ffd7,efa1f375d76194fa51a3556a97e641e61685f914d446979da50a551a4333ffd7,NA,NA}" />
Body:
<Otp tid="public" ac="public" sa="public" txn="20180131032427098"
lk="MEaMX8fkRa6PqsqK6wGMrEXcXFl_oXHA-YuknI2uf0gKgZ80HaZgG3A"
uid="999999990026" ver="1.6" ts="0001-01-01T00:00:00"
xmlns="http://www.uidai.gov.in/authentication/otp/1.0">
<Opts ch="01" xmlns="" />
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>9Mv/mf6sByXfv3ZWxdnrDbenH+U=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>R5q3YHW8kUYCimSJPQMCZgNB+nDTINJtZ6Vog9sdmgBj8KoLzf3a8ebcWpeZrQAZ7rje3KRblDksxw+aXEFIFQ2jFq8IjzWgx58/BrRnZgh2kfoiv1Ve8hYYw2S+rQW5mKvbVs6aG18hSnbycYJE8Zgg5sbPak1faa8dRZBJhgqNfxvuYGEzPlTuYpA3v05jZeICvRX/eYg93iDIz0s1NJLiKiq/rI6mev8BY/eA7Pu6En7VUVnVcj47YStMiByZqUiuDQ6YrXZGd97kAC85H7gVRV7ZTkyDwulO/7ml6cEp9EpAReY6cvsw6ZzYMng1e1bTPj2CIboWKPHDlKqNSw==</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=Public AUA for Staging Services, OU=Staging Services, O=Public AUA, L=Bangalore, S=KA, C=IN</X509SubjectName>
<X509Certificate>MIIDuDCCAqCgAwIBAgIGA7J+eqryMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJJTjELMAkGA1UECBMCS0ExEjAQBgNVBAcTCUJhbmdhbG9yZTETMBEGA1UEChMKUHVibGljIEFVQTEZMBcGA1UECxMQU3RhZ2luZyBTZXJ2aWNlczEtMCsGA1UEAxMkUm9vdCBQdWJsaWMgQVVBIGZvciBTdGFnaW5nIFNlcnZpY2VzMB4XDTE2MDUyNDE0NDAzMVoXDTIwMDUyNDE0NDAzMVowgYgxCzAJBgNVBAYTAklOMQswCQYDVQQIEwJLQTESMBAGA1UEBxMJQmFuZ2Fsb3JlMRMwEQYDVQQKEwpQdWJsaWMgQVVBMRkwFwYDVQQLExBTdGFnaW5nIFNlcnZpY2VzMSgwJgYDVQQDEx9QdWJsaWMgQVVBIGZvciBTdGFnaW5nIFNlcnZpY2VzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo4XxOsjK58Ud+tQd06Mk8Rd0qoyjA/3u+y0YVYEF6RgT8Ge1uVdTkIcVYaHyXuuHUPLLqGW1hPfVtn81UVIMGyrw5+t1c30wpGv3UJ6GCFu0sPGgG5NwkVbIUt2xgT/Or/kGzHjUJJy4Y6URSkZiDLDQQWRXvui5ZwwsYRJ8LhT0pSUwan1raG5Vl01GmlWVqsrCmnObuoYkN85iwG4/ERGshkgFCPak8B/jH3GPZSi1+FJLmCqMI1xxmTvf0kZb7ejm2IZFTo6ecYWJ1vylkzUI553RxVbnHCNZvFe3AyaKMyFlknFR0Fkl5+9Lpxz+VOajbCjicg7jIYCw76/xgQIDAQABoyEwHzAdBgNVHQ4EFgQUJHLir1/Tel8v/6OuIXpLS0JH8jIwDQYJKoZIhvcNAQEFBQADggEBAFE15qMGIlp8+M306FbhDEvo1vzxN2Pfvg/f92NXH59d2XZ/wuHxugL8qfcM5xkqsDeIRVxRdISpwiIWlqTitn6lenF85bvPQ09T/b09dVz/LxwU2Cm6+6H5/HZSoLtCKBOuRzAKQdxczpyfaqv9caFC+LegPQIm2HCwOM0A4KzhYcFhumGeyCbyVZsSQcJE7bYc/IHkR2erup7h5BACOZ/a+hHLPQok/uGvtEsR3roydNcNlR8Ja6Wc4eUf7kisTuZTxwRJI9DPVimbs0VAqhnsnVWAK3X4+6sFUq5WfHS4wTRhrR93JvEV5LlQ6UCXYOQMvTii8l07qxkDiysVsLQ=</X509Certificate>
</X509Data>
</KeyInfo>
What am i doing wrong?

SAML2 token not working with WIF/Federated/STS for SSO - please help/advise

This is driving me mad now, i am sure i am missing something simple but i can not get my user authentication working with my companies STS.
I am using .net 4.5.1, asp.net MVC with WIF. My application is successfully being redirected to the companies STS - web.config as below
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type="ENT.Common.Security.ClaimsTransformationModule, ENT.Common.Security" />
<claimsAuthorizationManager type="ENT.Common.Security.ENTClaimsAuthorizationManager,ENT.Common.Security" />
<securityTokenHandlers>
<add type="ENT.Common.Security.eonToken, ENT.Common.Security" />
</securityTokenHandlers>
<audienceUris>
<add value="userportal.ect-sys.net" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="385c9689ea602a849547786d531782ca0b6b6ac5" name="eon-apps.com" />
</trustedIssuers>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://q-www.eon-apps.com/GetAccess/Saml/IDP/SSO/Unsolicited?TARGET=http://userportal.ect-sys.net/" realm="http://userportal.ect-sys.net" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
i am getting a SAML response back which i have extracted using Fiddler
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6%0D%0AU0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8y%0D%0AMDAwLzA5L3htbGRzaWcjIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6%0D%0AU0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcv%0D%0AMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAw%0D%0AMS9YTUxTY2hlbWEtaW5zdGFuY2UiIERlc3RpbmF0aW9uPSJodHRwOi8vdXNlcnBv%0D%0AcnRhbC5lY3Qtc3lzLm5ldCIgSUQ9IkkxMTI1MkI1NEE0MjA0MDM4NzAwMThGQUM0%0D%0ARDlCQ0U5ODJFM0I0QUYxIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMjdUMTA6NDE6%0D%0ANDFaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5lb24tYXBwcy5jb208L3Nh%0D%0AbWw6SXNzdWVyPjxkc2lnOlNpZ25hdHVyZSB4bWxuczpkc2lnPSJodHRwOi8vd3d3%0D%0ALnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHNpZzpTaWduZWRJbmZvPjxkc2ln%0D%0AOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3Lncz%0D%0ALm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHNpZzpTaWduYXR1cmVNZXRo%0D%0Ab2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcj%0D%0AcnNhLXNoYTEiLz48ZHNpZzpSZWZlcmVuY2UgVVJJPSIjSTExMjUyQjU0QTQyMDQw%0D%0AMzg3MDAxOEZBQzREOUJDRTk4MkUzQjRBRjEiPjxkc2lnOlRyYW5zZm9ybXM%2BPGRz%0D%0AaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8w%0D%0AOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHNpZzpUcmFuc2Zvcm0g%0D%0AQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0%0D%0AbiMiPjxlYzE0bjpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjMTRuPSJodHRw%0D%0AOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9%0D%0AInhzIHhzaSIvPjwvZHNpZzpUcmFuc2Zvcm0%2BPC9kc2lnOlRyYW5zZm9ybXM%2BPGRz%0D%0AaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAw%0D%0AMC8wOS94bWxkc2lnI3NoYTEiLz48ZHNpZzpEaWdlc3RWYWx1ZT54aUFhTnJwVDAw%0D%0AMlF0WXRLUUVFekJDNFNGeTQ9PC9kc2lnOkRpZ2VzdFZhbHVlPjwvZHNpZzpSZWZl%0D%0AcmVuY2U%2BPC9kc2lnOlNpZ25lZEluZm8%2BPGRzaWc6U2lnbmF0dXJlVmFsdWU%2BWnJK%0D%0ATE9LWEVZdDhyZkMyeG9tTEtzU3lQUE5lbXQ1SGlnYUgydlFTczBjcjZIWDRMUHRl%0D%0ATWtEZXVjTkdSUURUOVpYV2VINkNDUi91MTZjSHIzalNpdUVwMGhVT1lvSVZGTExy%0D%0AVER2dVord2ZIMTk4SnczSjl5Z2t5Zjh0Y3p5bWprZ09xSC9FblZFTDk0aUlCQ1g4%0D%0AQkpyS2orSEwyNVM3YnV5MHA1RnBza1NxKzdUV3REZUVSY3NBYVpjRnJXSFV0NHJB%0D%0AZ2paTml4WEVJeE03NldqY1RwOHM4R2JhU2wzRWxvQlZRKzF2b1RyOXZhSks4cXUw%0D%0AbnUxeVJuVGgwbDQ1dktoNWduYXFGU0c1cDlta1piSHhJR0NITURFRytnL24rNTRP%0D%0AcEp6R0NFNmVmUE91Y2ppOWtuN3RWTDJiWkZJTGIxdW1oTWZZY3FseFNuemlBUTFQ%0D%0AK3ZRPT08L2RzaWc6U2lnbmF0dXJlVmFsdWU%2BPC9kc2lnOlNpZ25hdHVyZT48c2Ft%0D%0AbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFt%0D%0AZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48%0D%0Ac2FtbDpBc3NlcnRpb24geG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAw%0D%0AMS8wNC94bWxlbmMjIiBJRD0iQTNFNzc0MUU5RTAxNUU1MjY3MjRGRkZFQ0ZFMTk4%0D%0AQUVDOThDM0Q3QkEiIElzc3VlSW5zdGFudD0iMjAxNC0wMi0yN1QxMDo0MTo0MVoi%0D%0AIFZlcnNpb249IjIuMCIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAv%0D%0AMDkveG1sZHNpZyMiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1M%0D%0AOjIuMDphc3NlcnRpb24iIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAx%0D%0AL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hN%0D%0ATFNjaGVtYS1pbnN0YW5jZSI%2BPHNhbWw6SXNzdWVyPmVvbi1hcHBzLmNvbTwvc2Ft%0D%0AbDpJc3N1ZXI%2BPGRzaWc6U2lnbmF0dXJlIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cu%0D%0AdzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkc2lnOlNpZ25lZEluZm8%2BPGRzaWc6%0D%0AQ2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMu%0D%0Ab3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkc2lnOlNpZ25hdHVyZU1ldGhv%0D%0AZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNy%0D%0Ac2Etc2hhMSIvPjxkc2lnOlJlZmVyZW5jZSBVUkk9IiNBM0U3NzQxRTlFMDE1RTUy%0D%0ANjcyNEZGRkVDRkUxOThBRUM5OEMzRDdCQSI%2BPGRzaWc6VHJhbnNmb3Jtcz48ZHNp%0D%0AZzpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5%0D%0AL3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkc2lnOlRyYW5zZm9ybSBB%0D%0AbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRu%0D%0AIyI%2BPGVjMTRuOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWMxNG49Imh0dHA6%0D%0ALy93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0i%0D%0AeHMgeHNpIi8%2BPC9kc2lnOlRyYW5zZm9ybT48L2RzaWc6VHJhbnNmb3Jtcz48ZHNp%0D%0AZzpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAw%0D%0ALzA5L3htbGRzaWcjc2hhMSIvPjxkc2lnOkRpZ2VzdFZhbHVlPm9rbVNjQ1VGdlU2%0D%0AcERIdGNtZ3lQQjNqMENLST08L2RzaWc6RGlnZXN0VmFsdWU%2BPC9kc2lnOlJlZmVy%0D%0AZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWduYXR1cmVWYWx1ZT51dlNP%0D%0AUDJBaVBTTmF6N2U1VnluUW9Qc0RuNVl2c1FzVXU4RzQ2UzJhMTB4MGtNbWxjdXNp%0D%0AbDJTZ0VhZVpHZVBKb3JMZHZYdytVK050cGtrbDg1RTViU1lqSW1KUDJ5bVhZMDha%0D%0AVC9pK1dpSlBnQm9SLzhscmpLdzNwTmNJUnhRNHRCaVh4OTZtNFZPcGJUc0plNGpH%0D%0AY1c3bHBSc1Z0cmVZRzRHNFpOTmlTVVpHazlRLzVHTUcyaGNNOXFLNjBQWHpQN1k5%0D%0AcTNLSkFtNENaRTRJNndseFlPY3RqdHE5VDVOamF2UHdNbVdWcGkyRkN0bWFtYjV5%0D%0Ad2huc1lnQzdvTHNicVYvdHBiUWdMQzNVdkpmTk1ZajFGZzBvVFZ0N0xNdWdTbUd4%0D%0AMUlNVXlpbVpDWTRBTDJ6K2hmcUIrWEhEdU1EY3k1Q1paaEFjSnRBekhnZStOM29P%0D%0AaXc9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48L2RzaWc6U2lnbmF0dXJlPjxzYW1s%0D%0AOlN1YmplY3Q%2BPHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRj%0D%0AOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50IiBOYW1lUXVhbGlmaWVy%0D%0APSJlb24tYXBwcy5jb20iIFNQTmFtZVF1YWxpZmllcj0idXNlcnBvcnRhbC5lY3Qt%0D%0Ac3lzLm5ldCI%2BNDJkMTk5OWNhMDc4YWZiOGIxNmJmM2JmMGY0OTg3NzVhNWZmYzRi%0D%0AMzwvc2FtbDpOYW1lSUQ%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9%0D%0AInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1%0D%0AYmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNC0wMi0yN1Qx%0D%0AMDo0Mzo0MVoiIFJlY2lwaWVudD0iaHR0cDovL3VzZXJwb3J0YWwuZWN0LXN5cy5u%0D%0AZXQiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48%0D%0Ac2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMi0yN1QxMDo0MDo0MVoi%0D%0AIE5vdE9uT3JBZnRlcj0iMjAxNC0wMi0yN1QxMDo0Mzo0MVoiPjxzYW1sOkF1ZGll%0D%0AbmNlUmVzdHJpY3Rpb24%2BPHNhbWw6QXVkaWVuY2U%2BdXNlcnBvcnRhbC5lY3Qtc3lz%0D%0ALm5ldDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48%0D%0Ac2FtbDpPbmVUaW1lVXNlLz48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0%0D%0AYXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDItMjdUMTA6MTQ6NDlaIiBTZXNz%0D%0AaW9uSW5kZXg9IkEzRTc3NDFFOUUwMTVFNTI2NzI0RkZGRUNGRTE5OEFFQzk4QzNE%0D%0AN0JBIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE0LTAyLTI3VDE4OjE1OjQ5WiI%2B%0D%0APHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVy%0D%0AbjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9z%0D%0AYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ%2BPC9z%0D%0AYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2Ft%0D%0AbDpBdHRyaWJ1dGUgTmFtZT0iZW9ubGRhcGRuIiBOYW1lRm9ybWF0PSJ1cm46b2Fz%0D%0AaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2Ft%0D%0AbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5jbj1CMTU4NDcs%0D%0Ab3U9dXNlcnMsb3U9ZWVhLG89ZW9uLGM9ZGU8L3NhbWw6QXR0cmlidXRlVmFsdWU%2B%0D%0APC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1l%0D%0ARm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9y%0D%0AbWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3Ry%0D%0AaW5nIj5CMTU4NDc8L3NhbWw6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sOkF0dHJpYnV0%0D%0AZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24%2BPC9z%0D%0AYW1scDpSZXNwb25zZT4%3D&RelayState=http%3A%2F%2Fuserportal.ect-sys.net%2F%3Fwa%3Dwsignin1.0
and decoded using https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://userportal.ect-sys.net" ID="I11252B54A420403870018FAC4D9BCE982E3B4AF1" IssueInstant="2014-02-27T10:41:41Z" Version="2.0">
<saml:Issuer>eon-apps.com</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#I11252B54A420403870018FAC4D9BCE982E3B4AF1">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec14n:InclusiveNamespaces xmlns:ec14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>xiAaNrpT002QtYtKQEEzBC4SFy4=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>ZrJLOKXEYt8rfC2xomLKsSyPPNemt5HigaH2vQSs0cr6HX4LPteMkDeucNGRQDT9ZXWeH6CCR/u16cHr3jSiuEp0hUOYoIVFLLrTDvuZ+wfH198Jw3J9ygkyf8tczymjkgOqH/EnVEL94iIBCX8BJrKj+HL25S7buy0p5FpskSq+7TWtDeERcsAaZcFrWHUt4rAgjZNixXEIxM76WjcTp8s8GbaSl3EloBVQ+1voTr9vaJK8qu0nu1yRnTh0l45vKh5gnaqFSG5p9mkZbHxIGCHMDEG+g/n+54OpJzGCE6efPOucji9kn7tVL2bZFILb1umhMfYcqlxSnziAQ1P+vQ==</dsig:SignatureValue>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="A3E7741E9E015E526724FFFECFE198AEC98C3D7BA" IssueInstant="2014-02-27T10:41:41Z" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>eon-apps.com</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#A3E7741E9E015E526724FFFECFE198AEC98C3D7BA">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec14n:InclusiveNamespaces xmlns:ec14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>okmScCUFvU6pDHtcmgyPB3j0CKI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>uvSOP2AiPSNaz7e5VynQoPsDn5YvsQsUu8G46S2a10x0kMmlcusil2SgEaeZGePJorLdvXw+U+Ntpkkl85E5bSYjImJP2ymXY08ZT/i+WiJPgBoR/8lrjKw3pNcIRxQ4tBiXx96m4VOpbTsJe4jGcW7lpRsVtreYG4G4ZNNiSUZGk9Q/5GMG2hcM9qK60PXzP7Y9q3KJAm4CZE4I6wlxYOctjtq9T5NjavPwMmWVpi2FCtmamb5ywhnsYgC7oLsbqV/tpbQgLC3UvJfNMYj1Fg0oTVt7LMugSmGx1IMUyimZCY4AL2z+hfqB+XHDuMDcy5CZZhAcJtAzHge+N3oOiw==</dsig:SignatureValue>
</dsig:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="eon-apps.com" SPNameQualifier="userportal.ect-sys.net">42d1999ca078afb8b16bf3bf0f498775a5ffc4b3</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-02-27T10:43:41Z" Recipient="http://userportal.ect-sys.net"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-02-27T10:40:41Z" NotOnOrAfter="2014-02-27T10:43:41Z">
<saml:AudienceRestriction>
<saml:Audience>userportal.ect-sys.net</saml:Audience>
</saml:AudienceRestriction>
<saml:OneTimeUse/>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-02-27T10:14:49Z" SessionIndex="A3E7741E9E015E526724FFFECFE198AEC98C3D7BA" SessionNotOnOrAfter="2014-02-27T18:15:49Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="eonldapdn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">cn=B15847,ou=users,ou=eea,o=eon,c=de</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">B15847</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
but this is not giving me an Identity, despite the fact that the SAML reposnse has a valid user in the token.
Any ideas?
Are there any example projects on the web of SAML2 integration with .net 4.5.1?
Do i need to create a custom SAML2ToeknHandler inheriting from Saml2SecurityTokenHandler?

You are using the SAML2 protocol (saml2p) - .NET/WIF does not support that - only the SAML2 token - that's a big difference.

Two signatures in WCF SOAP request

I'm trying to consume an external web service (as far as I can see it is an axis2/apache service) with a .NET 3.5 WCF client.
The service expects incoming messages to be signed and encrypted using x509 certificates. Signing and encrypting seems to work so far, but WCF adds a second <signature> element in the SOAP header, which confuses the remote web service.
I am unable to get rid of this second signature element. What I found while researching the matter is, that this signature is used to sign the first signature.
My WCF configuration currently uses a custom binding with the following security settings:
<security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
authenticationMode="MutualCertificate"
securityHeaderLayout="Lax"
defaultAlgorithmSuite="Basic128"
includeTimestamp="false"
keyEntropyMode="CombinedEntropy"
requireDerivedKeys="false"
messageProtectionOrder="SignBeforeEncrypt"
requireSignatureConfirmation="true">
Anybody has an idea as what I have to change to make this work?
A sample SOAP request generated by my client looks like this:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<e:EncryptedKey Id="uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... --></o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2"/>
</e:ReferenceList>
</e:EncryptedKey>
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue><!-- ... --></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- ... --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue><!-- ... --></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- ... --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9618ae47-8bcd-4a96-b56e-800759a0ee57-7"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>

Turns out I was using the wrong messageSecurityVersion value. With a value of WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 only a single signature is added to the SOAP header.
Afterwards the server was able to understand the requests. Some tweaks to the defaultAlgorithmSuite and now service and client are talking and understanding each other.