I wanted to integrate the token certificate with the SAML object coming through ADFS. I can parse (using C#) every item except the value of the certificate, due to the KeyInfo format. I think "KeyInfo" is missing the 'ds' prefix. I don't know where I am making a mistake.
<samlp:Response ID="_00ca83c9-aad0-4210-9174-87ec874c5103" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">*******</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <Assertion ID="_bac09d77-c98e-48f6-bf62-8bbbbd1756d9" IssueInstant="2015-08-19T23:07:32.659Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://ADFS.*******.com.au/adfs/services/tru</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo></ds:SignedInfo>
      <ds:SignatureValue>some value</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>some value</ds:X509Certificate></ds:X509Data></KeyInfo>
    </ds:Signature>
    <Attribute Name="LastName"><AttributeValue>FFFF</AttributeValue></Attribute>
    <Attribute Name="Username"><AttributeValue>fdfdgf</AttributeValue></Attribute>
    <Attribute Name="VAL6"><AttributeValue>AAAAA</AttributeValue></Attribute>
    <AuthnStatement AuthnInstant="2015-08-19T23:07:32.549Z"><AuthnContext>
      <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement>
  </Assertion>
</samlp:Response>
Try this
<?xml version="1.0" encoding="utf-8" ?>
<samlp:Response ID="_00ca83c9-aad0-4210-9174-87ec874c5103" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">*******</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_bac09d77-c98e-48f6-bf62-8bbbbd1756d9" IssueInstant="2015-08-19T23:07:32.659Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://ADFS.*******.com.au/adfs/services/tru</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue></ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICXTCCA..</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Attribute Name="LastName">
<AttributeValue>FFFF</AttributeValue>
</Attribute>
<Attribute Name="Username">
<AttributeValue>fdfdgf</AttributeValue>
</Attribute>
<Attribute Name="VAL6">
<AttributeValue>AAAAA</AttributeValue>
</Attribute>
<AuthnStatement AuthnInstant="2015-08-19T23:07:32.549Z">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
I’m trying to connect to a SOAP WS with the following features:
HTTPS
Signed Timestamp
Signed Body
Not encrypted Request
That's an example of the Soap Request I want:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-c1cf1e29">
<wsu:Created>2018-08-29T10:20:58Z</wsu:Created>
<wsu:Expires>2018-08-29T10:25:58Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2e4f8773"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
[...]
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Timestamp-c1cf1e29">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>........</DigestValue>
</Reference>
<Reference URI="#Body-d96b5e74">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
[...]
</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-2e4f8773" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-d96b5e74">
[...]
</soapenv:Body>
</soapenv:Envelope>
I'm connecting through WCF and I've created a custom binding that works via HTTPS, gives me the timestamp signed and is not encrypted, but I'm not able to sign the body.
I use an X509 certificate to sign the timestamp.
That's the binding I'm using:
<binding name="customBind">
<security allowInsecureTransport="true" includeTimestamp="true"
requireDerivedKeys="false" authenticationMode="CertificateOverTransport" />
<textMessageEncoding messageVersion="Soap11" writeEncoding="UTF-8"/>
<httpsTransport />
</binding>
I've tried different bindings like wsHttpBinding, ws2007HttpBinding, basicHttpBinding, wsHttpContextBinding… with different configurations, with no success.
Any idea?
Thanks!
I'm attempting to call a secure SOAP service from C# using .NET 4.0.
The SOAP service expects the message to be:
Encrypted with certificate A,
Signed with certificate B, and then
Encrypted again with certificate A
I created a reference in Visual Studio with a local wsdl file.
I've found some articles on how to apply a UserName token, but that's not what I need. I've found ways to sign an xml document, but through the generated class there is no access to the xml.
The config file I use looks like this
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="GetStatusV01">
<textMessageEncoding messageVersion="Default" />
<security authenticationMode="MutualCertificate" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireSignatureConfirmation="true">
<issuedTokenParameters keyType="AsymmetricKey" />
</security>
<httpTransport />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="http://dev-server.com/GetStatusV01"
binding="customBinding" bindingConfiguration="GetStatusV01"
contract="GetStatusV01.GetStatusV01" name="GetStatusV01">
<identity>
<dns value="MYCRYPT" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
The response I get from the server is "Invalid signature", and according a server operator, that's because there are no signatures in the xml I'm sending.
The envelope I end up sending, looks like this
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_5"/>
<k:EncryptedHeader s:mustUnderstand="1" u:Id="_7" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<k:EncryptedHeader s:mustUnderstand="1" u:Id="_9" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<a:MessageID u:Id="_10">urn:uuid:b9c526af-36f3-423a-8d3a-19985e0db257</a:MessageID>
<a:ReplyTo u:Id="_11">
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4aefT0KQzZDpNvQrzwnNtsAAAAAJzXxAWN+LESmfMegQxoSGvNvA3qZWLlOqUZ21s0IQugACQAA</VsDebuggerCausalityData>
<a:To s:mustUnderstand="1" u:Id="_12">http://dev-server.com/GetStatusV01</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-2">
<u:Created>2015-01-23T09:20:49.574Z</u:Created>
<u:Expires>2015-01-23T09:25:49.574Z</u:Expires>
</u:Timestamp>
<e:EncryptedKey Id="uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">WvRehCqSEu079vWus36QbxPWAGc=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>ISnfyYYfr4pldTG+JkP/sKlFkM67SuMG14x8h/wGfvqHwjiqZ/qMWl3vY3SE3wa9hBjPDNl4xLw/8XB/2IlnZIUqcd1hS2CPngON3hGiu9C5GCYNPOgzAApjHhX8EO/wbjxDdNd99CFxJfM/SIQ266Z+qA2f6/o2xyoPlEwb79fm+ZBXQGQAAJOAHpojISjfykWqMA4/UyzACjhYESZsnIrc0YjTzAadBJcyBGGWVBtsRxFE3hWelN4jlKxo9BndkpDRtQBjKkk0jUJTZ9UxC+9MkybEDbS+FUBmZLc+61HR9ZNrfEqCxHZi8KsMm2QgbprYsUIuQWw7N97xe47sqw==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<c:DerivedKeyToken u:Id="_0" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="#uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-1"/>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>24</c:Length>
<c:Nonce>Rwl/m9QIizpTsdcwLXErBQ==</c:Nonce>
</c:DerivedKeyToken>
<c:DerivedKeyToken u:Id="_2" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="#uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-1"/>
</o:SecurityTokenReference>
<c:Nonce>Jxn1Kk2F2zJ+d2+eTTS3Hw==</c:Nonce>
</c:DerivedKeyToken>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_4"/>
<e:DataReference URI="#_7"/>
<e:DataReference URI="#_9"/>
<e:DataReference URI="#_13"/>
<e:DataReference URI="#_14"/>
</e:ReferenceList>
<o:BinarySecurityToken u:Id="uuid-b69ebd3b-2a8b-4279-9106-d67e08facdc1-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIID4jCCAsqgAwIBAgIHDpkdHWHajTANBgkqhkiG9w0BAQsFADCBmjEQMA4GA1UEAxMHREJHU1dESzELMAkGA1UEBhMCREsxEzARBgNVBAcTCkNvcGVuaGFnZW4xEDAOBgNVBAgTB0Rlbm1hcmsxGjAYBgNVBAoTEURhbnNrZSBCYW5rIEdyb3VwMRwwGgYDVQQLExNEYW5za2UgQmFuayBEZW5tYXJrMRgwFgYDVQQFEw82MTEyNjIyODc3MzAxMDEwHhcNMTIxMjAzMDcxNjIzWhcNMTQxMjAzMDcxNjIzWjB0MRYwFAYDVQQDEw1NQU5VIFBFTFRPTkVOMQswCQYDVQQGEwJESzEXMBUGA1UEChMOU09IVVMgVkFORFZFUksxNDAyBgNVBAUTK1NFLU5SL0RBQkE6MDAyODIxMTcxNi1BR1I6MjE0NTI5LVVTUjoxMTYzNjkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuZ1L43OwCq0boGtTzgUE5ssTtenD1BXyudwympbes9j6ezX8gHNHt2PMvpzMKCr8w7G0EGcaOENvDg0ESYtAa5D87m0TAZGNV/JWLkJdReyRxUq56OVtqo4vGHNaLs5BJnWnK8FjKm5CQmJmROR6gAUQAnx7Gp6LZyJxv/L/G4zjAdEH/e6ERnBQho8zJfSrDtgZ2Wc77uSacW3UJfRNKu50D1YtWH3CRh8TJn6Qe03kSNMq+gcKlK3EKeq7AK9gpOV5sS14uyj0TZ1XpsiGecVKQ29e1ALogeQJslVPJonMyeHsaZSE7QLSkT2knRk72NTWSOgBAewlJFlN4xDSFAgMBAAGjUjBQMB8GA1UdIwQYMBaAFA7mcPtCSqVAKvGKB0mdxNijbS0jMB0GA1UdDgQWBBRrbEk6rdXl/sKs2MZ16xdXYu1BfzAOBgNVHQ8BAf8EBAMCBsAwDQYJKoZIhvcNAQELBQADggEBAFTjBKr/K54MTrz8lthO7jbMG+OhL9YmBXF0pgowRjH3J7ECp0hXxIL68ia9ZaYalAou+YcXljLkASj8+Xt0yiTH91pPyDKNU/wk8bFAEMz3brOu8ok10iE3TNA4iyeronHpw1o1WVCzycCYYziv1iluU1thnWB3lqbGdOH4Rk0Mw8UBymTbc63T126bKBMeyzwvjPgTcuYjpA03394VDaXylm1w1XVX+i4RJGBcUTng6tJObEdaEJhNNXf9Yk2LQL4GjZpf1lsUguTh7i2Argq0bZgzoEzKE4UPwJD71B0yU13dL2ZuSQ+WDqiXFRkSaJHaK586SwttggTCE+J3Zko=</o:BinarySecurityToken>
<e:EncryptedData Id="_13" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
<e:EncryptedData Id="_14" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</o:Security>
</s:Header>
<s:Body u:Id="_3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_4" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>bhK3DQ/NTQSnh0pQxwhtass+Eefb1HOlrRcaXrmfUMnvwK+tjf78pmrWIXguiY7ZycI22fcnp4cJQk9af1S7L9Y5aJsv7XP8XBeAW6WggtOp/BR+OPGGS5r5qP7kr3oemSpvuapxBh5n1xAT95PSbNxyDcEt3MzMsGGvl7KK4au+bodKcWFK0GJlnxW0VotdhMTjqm7fK0qtP2xWC5RpfpQVZO1dF/4qE7/nENidFnLuszYH/7VFIatFYwhXI/UdnZ/H7E6h8MdnhLBMbuEDOFvgVx1v61YBOibIcNK6Pi9Mjm7Zh9JuOiEsdGKM/vU1o/4D4qmecu9iN+QwbFA7l2F9L10SO3dzZAyNfzjySVGU0TBy+UZTMdNW2y4TJ/l+y5TOOX++88RweL7E3EDzJg==</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
I've tried fiddling about with the settings in the configuration file, but it seems I can't get it right.
The certificates are set in the code:
myClient.ClientCredentials.ClientCertificate.Certificate = mySignCert;
myClient.ClientCredentials.ServiceCertificate.DefaultCertificate = dbCryptCert;
-- edit:
I've tried using ProtectionLevel.
myClient.ClientCredentials.ClientCertificate.Certificate = mySignCert;
myClient.ClientCredentials.ServiceCertificate.DefaultCertificate = dbCryptCert;
// myClient.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
myClient.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
ProtectionLevel.Sign results in a NoEncryptedData(start) from the server.
ProtectionLevel.EncryptAndSign results in an "Invalid signature", because there is no signature in the XML. I think what I need is actually a ProtectionLevel.SignEncryptAndSign, alas there is no such protection level.
Is there a way to configure WCF to put the signature in the envelope?
You can do that using the ProtectionLevel attribute. Have a look here: https://msdn.microsoft.com/en-us/library/aa347791%28v=vs.110%29.aspx
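The two WCF questions above (the CertificateOverTransport binding whose Body is not signed, and the SignBeforeEncryptAndEncryptSignature client whose server reports "no signatures"), as well as the double-signature envelope further down, all come down to the same question: which elements does each ds:Signature in the outgoing envelope actually cover, and is the signature even visible in cleartext? The following is an added example, not code from any of the posts or from WCF, that answers that locally before the server does. It walks the wsse:Security header with System.Xml, resolves every Reference URI against the wsu:Id/Id attributes in the message, flags SHA-1, and counts EncryptedData blocks inside the Security header (with EncryptSignature ordering WCF encrypts the signature itself, so it shows up there rather than as a ds:Signature). The envelope in Main is constructed from the first posted sample with dummy digest and signature values; the element names are otherwise the ones in the posts.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Added example, not code from any of the posts. Reports which elements of a WS-Security
// envelope each ds:Signature covers, and how much of the Security header is encrypted.
static class WsSecurityInspector
{
    const string DsNs   = "http://www.w3.org/2000/09/xmldsig#";
    const string XencNs = "http://www.w3.org/2001/04/xmlenc#";
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string WsuNs  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public sealed class SignatureReport
    {
        public string SignatureMethod;
        public bool UsesSha1;                                   // rsa-sha1 / hmac-sha1 / sha1 digests are legacy
        public List<string> Covered  = new List<string>();      // "LocalName (#id)" for every resolvable Reference
        public List<string> Dangling = new List<string>();      // Reference URIs that match no Id in the envelope
    }

    // Hardened loader: no DTDs, no external entities, whitespace preserved (it is part of what was digested).
    public static XmlDocument Load(string envelope)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(envelope), settings)) doc.Load(reader);
        return doc;
    }

    static XmlNamespaceManager Ns(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsNs); ns.AddNamespace("xenc", XencNs);
        ns.AddNamespace("wsse", WsseNs); ns.AddNamespace("wsu", WsuNs);
        return ns;
    }

    public static List<SignatureReport> ListSignedParts(XmlDocument doc)
    {
        var ns = Ns(doc);
        // Index every element a "#id" Reference could resolve to: wsu:Id (WS-Security) or a plain Id.
        var byId = new Dictionary<string, XmlElement>();
        foreach (XmlElement el in doc.SelectNodes("//*[@wsu:Id or @Id]", ns))
        {
            string id = el.HasAttribute("Id", WsuNs) ? el.GetAttribute("Id", WsuNs) : el.GetAttribute("Id");
            byId[id] = el;
        }

        var reports = new List<SignatureReport>();
        // SOAP 1.1 and 1.2 differ only in the envelope namespace, hence local-name() for Envelope/Header.
        foreach (XmlElement sig in doc.SelectNodes("/*[local-name()='Envelope']/*[local-name()='Header']/wsse:Security/ds:Signature", ns))
        {
            var r = new SignatureReport();
            var method = (XmlElement)sig.SelectSingleNode("ds:SignedInfo/ds:SignatureMethod", ns);
            r.SignatureMethod = method == null ? "(missing)" : method.GetAttribute("Algorithm");
            r.UsesSha1 = r.SignatureMethod.EndsWith("sha1")
                || sig.SelectSingleNode("ds:SignedInfo/ds:Reference/ds:DigestMethod[@Algorithm='http://www.w3.org/2000/09/xmldsig#sha1']", ns) != null;
            foreach (XmlElement reference in sig.SelectNodes("ds:SignedInfo/ds:Reference", ns))
            {
                string uri = reference.GetAttribute("URI");
                XmlElement target;
                if (uri.StartsWith("#") && byId.TryGetValue(uri.Substring(1), out target))
                    r.Covered.Add(target.LocalName + " (" + uri + ")");
                else
                    r.Dangling.Add(uri);   // external or unresolvable URI: nothing in this message is protected by it
            }
            reports.Add(r);
        }
        return reports;
    }

    // EncryptedData directly inside wsse:Security. With WCF's SignBeforeEncryptAndEncryptSignature the
    // signature is one of these, so a server looking for a cleartext ds:Signature will not find one.
    public static int CountEncryptedSecurityBlocks(XmlDocument doc)
    {
        return doc.SelectNodes("//wsse:Security/xenc:EncryptedData", Ns(doc)).Count;
    }

    static void Main()
    {
        // Constructed sample: the shape of the first posted envelope (signed Timestamp and Body, nothing encrypted).
        const string sample = @"<soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'>
<soapenv:Header><wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<wsu:Timestamp wsu:Id='Timestamp-c1cf1e29'><wsu:Created>2018-08-29T10:20:58Z</wsu:Created><wsu:Expires>2018-08-29T10:25:58Z</wsu:Expires></wsu:Timestamp>
<Signature xmlns='http://www.w3.org/2000/09/xmldsig#'><SignedInfo>
<CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/><SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
<Reference URI='#Timestamp-c1cf1e29'><DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/><DigestValue>AAAA</DigestValue></Reference>
<Reference URI='#Body-d96b5e74'><DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/><DigestValue>AAAA</DigestValue></Reference>
</SignedInfo><SignatureValue>AAAA</SignatureValue></Signature>
</wsse:Security></soapenv:Header>
<soapenv:Body xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' wsu:Id='Body-d96b5e74'><Ping/></soapenv:Body>
</soapenv:Envelope>";

        var doc = Load(sample);
        foreach (var r in ListSignedParts(doc))
            Console.WriteLine(r.SignatureMethod + (r.UsesSha1 ? " [SHA-1]" : "") + " covers: " + string.Join(", ", r.Covered)
                              + (r.Dangling.Count > 0 ? "; dangling: " + string.Join(", ", r.Dangling) : ""));
        Console.WriteLine("Encrypted blocks in Security header: " + CountEncryptedSecurityBlocks(doc));
    }
}
```

To run it against what WCF really sends, feed the XML captured by an IClientMessageInspector.BeforeSendRequest (or WCF message logging) into Load instead of the constructed sample. A Body that never appears under "covers" is the symptom of the second question; a signature count of zero together with a non-zero encrypted-block count is what the third question's envelope produces, and the hmac-sha1 signature in the last post shows up as a second report whose Reference points at the first Signature's Id.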
This is driving me mad now; I am sure I am missing something simple, but I cannot get my user authentication working with my company's STS.
I am using .NET 4.5.1, ASP.NET MVC with WIF. My application is successfully being redirected to the company's STS. web.config is as below:
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type="ENT.Common.Security.ClaimsTransformationModule, ENT.Common.Security" />
<claimsAuthorizationManager type="ENT.Common.Security.ENTClaimsAuthorizationManager,ENT.Common.Security" />
<securityTokenHandlers>
<add type="ENT.Common.Security.eonToken, ENT.Common.Security" />
</securityTokenHandlers>
<audienceUris>
<add value="userportal.ect-sys.net" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="385c9689ea602a849547786d531782ca0b6b6ac5" name="eon-apps.com" />
</trustedIssuers>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://q-www.eon-apps.com/GetAccess/Saml/IDP/SSO/Unsolicited?TARGET=http://userportal.ect-sys.net/" realm="http://userportal.ect-sys.net" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
I am getting a SAML response back, which I have extracted using Fiddler:
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6%0D%0AU0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8y%0D%0AMDAwLzA5L3htbGRzaWcjIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6%0D%0AU0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcv%0D%0AMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAw%0D%0AMS9YTUxTY2hlbWEtaW5zdGFuY2UiIERlc3RpbmF0aW9uPSJodHRwOi8vdXNlcnBv%0D%0AcnRhbC5lY3Qtc3lzLm5ldCIgSUQ9IkkxMTI1MkI1NEE0MjA0MDM4NzAwMThGQUM0%0D%0ARDlCQ0U5ODJFM0I0QUYxIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMjdUMTA6NDE6%0D%0ANDFaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5lb24tYXBwcy5jb208L3Nh%0D%0AbWw6SXNzdWVyPjxkc2lnOlNpZ25hdHVyZSB4bWxuczpkc2lnPSJodHRwOi8vd3d3%0D%0ALnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHNpZzpTaWduZWRJbmZvPjxkc2ln%0D%0AOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3Lncz%0D%0ALm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHNpZzpTaWduYXR1cmVNZXRo%0D%0Ab2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcj%0D%0AcnNhLXNoYTEiLz48ZHNpZzpSZWZlcmVuY2UgVVJJPSIjSTExMjUyQjU0QTQyMDQw%0D%0AMzg3MDAxOEZBQzREOUJDRTk4MkUzQjRBRjEiPjxkc2lnOlRyYW5zZm9ybXM%2BPGRz%0D%0AaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8w%0D%0AOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHNpZzpUcmFuc2Zvcm0g%0D%0AQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0%0D%0AbiMiPjxlYzE0bjpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjMTRuPSJodHRw%0D%0AOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9%0D%0AInhzIHhzaSIvPjwvZHNpZzpUcmFuc2Zvcm0%2BPC9kc2lnOlRyYW5zZm9ybXM%2BPGRz%0D%0AaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAw%0D%0AMC8wOS94bWxkc2lnI3NoYTEiLz48ZHNpZzpEaWdlc3RWYWx1ZT54aUFhTnJwVDAw%0D%0AMlF0WXRLUUVFekJDNFNGeTQ9PC9kc2lnOkRpZ2VzdFZhbHVlPjwvZHNpZzpSZWZl%0D%0AcmVuY2U%2BPC9kc2lnOlNpZ25lZEluZm8%2BPGRzaWc6U2lnbmF0dXJlVmFsdWU%2BWnJK%0D%0ATE9LWEVZdDhyZkMyeG9tTEtzU3lQUE5lbXQ1SGlnYUgydlFTczBjcjZIWDRMUHRl%0D%0ATWtEZXVjTkdSUURUOVpYV2VINkNDUi91MTZjSHIzalNpdUVwMGhVT1lvSVZGTExy%0D%0AVER2dVord2ZIMTk
4SnczSjl5Z2t5Zjh0Y3p5bWprZ09xSC9FblZFTDk0aUlCQ1g4%0D%0AQkpyS2orSEwyNVM3YnV5MHA1RnBza1NxKzdUV3REZUVSY3NBYVpjRnJXSFV0NHJB%0D%0AZ2paTml4WEVJeE03NldqY1RwOHM4R2JhU2wzRWxvQlZRKzF2b1RyOXZhSks4cXUw%0D%0AbnUxeVJuVGgwbDQ1dktoNWduYXFGU0c1cDlta1piSHhJR0NITURFRytnL24rNTRP%0D%0AcEp6R0NFNmVmUE91Y2ppOWtuN3RWTDJiWkZJTGIxdW1oTWZZY3FseFNuemlBUTFQ%0D%0AK3ZRPT08L2RzaWc6U2lnbmF0dXJlVmFsdWU%2BPC9kc2lnOlNpZ25hdHVyZT48c2Ft%0D%0AbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFt%0D%0AZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48%0D%0Ac2FtbDpBc3NlcnRpb24geG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAw%0D%0AMS8wNC94bWxlbmMjIiBJRD0iQTNFNzc0MUU5RTAxNUU1MjY3MjRGRkZFQ0ZFMTk4%0D%0AQUVDOThDM0Q3QkEiIElzc3VlSW5zdGFudD0iMjAxNC0wMi0yN1QxMDo0MTo0MVoi%0D%0AIFZlcnNpb249IjIuMCIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAv%0D%0AMDkveG1sZHNpZyMiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1M%0D%0AOjIuMDphc3NlcnRpb24iIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAx%0D%0AL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hN%0D%0ATFNjaGVtYS1pbnN0YW5jZSI%2BPHNhbWw6SXNzdWVyPmVvbi1hcHBzLmNvbTwvc2Ft%0D%0AbDpJc3N1ZXI%2BPGRzaWc6U2lnbmF0dXJlIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cu%0D%0AdzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkc2lnOlNpZ25lZEluZm8%2BPGRzaWc6%0D%0AQ2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMu%0D%0Ab3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkc2lnOlNpZ25hdHVyZU1ldGhv%0D%0AZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNy%0D%0Ac2Etc2hhMSIvPjxkc2lnOlJlZmVyZW5jZSBVUkk9IiNBM0U3NzQxRTlFMDE1RTUy%0D%0ANjcyNEZGRkVDRkUxOThBRUM5OEMzRDdCQSI%2BPGRzaWc6VHJhbnNmb3Jtcz48ZHNp%0D%0AZzpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5%0D%0AL3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkc2lnOlRyYW5zZm9ybSBB%0D%0AbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRu%0D%0AIyI%2BPGVjMTRuOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWMxNG49Imh0dHA6%0D%0ALy93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0i%0D%0AeHMgeHNpIi8%2BPC9kc2lnOlRyYW5zZm9ybT48L2Rza
Wc6VHJhbnNmb3Jtcz48ZHNp%0D%0AZzpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAw%0D%0ALzA5L3htbGRzaWcjc2hhMSIvPjxkc2lnOkRpZ2VzdFZhbHVlPm9rbVNjQ1VGdlU2%0D%0AcERIdGNtZ3lQQjNqMENLST08L2RzaWc6RGlnZXN0VmFsdWU%2BPC9kc2lnOlJlZmVy%0D%0AZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWduYXR1cmVWYWx1ZT51dlNP%0D%0AUDJBaVBTTmF6N2U1VnluUW9Qc0RuNVl2c1FzVXU4RzQ2UzJhMTB4MGtNbWxjdXNp%0D%0AbDJTZ0VhZVpHZVBKb3JMZHZYdytVK050cGtrbDg1RTViU1lqSW1KUDJ5bVhZMDha%0D%0AVC9pK1dpSlBnQm9SLzhscmpLdzNwTmNJUnhRNHRCaVh4OTZtNFZPcGJUc0plNGpH%0D%0AY1c3bHBSc1Z0cmVZRzRHNFpOTmlTVVpHazlRLzVHTUcyaGNNOXFLNjBQWHpQN1k5%0D%0AcTNLSkFtNENaRTRJNndseFlPY3RqdHE5VDVOamF2UHdNbVdWcGkyRkN0bWFtYjV5%0D%0Ad2huc1lnQzdvTHNicVYvdHBiUWdMQzNVdkpmTk1ZajFGZzBvVFZ0N0xNdWdTbUd4%0D%0AMUlNVXlpbVpDWTRBTDJ6K2hmcUIrWEhEdU1EY3k1Q1paaEFjSnRBekhnZStOM29P%0D%0AaXc9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48L2RzaWc6U2lnbmF0dXJlPjxzYW1s%0D%0AOlN1YmplY3Q%2BPHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRj%0D%0AOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50IiBOYW1lUXVhbGlmaWVy%0D%0APSJlb24tYXBwcy5jb20iIFNQTmFtZVF1YWxpZmllcj0idXNlcnBvcnRhbC5lY3Qt%0D%0Ac3lzLm5ldCI%2BNDJkMTk5OWNhMDc4YWZiOGIxNmJmM2JmMGY0OTg3NzVhNWZmYzRi%0D%0AMzwvc2FtbDpOYW1lSUQ%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9%0D%0AInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1%0D%0AYmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNC0wMi0yN1Qx%0D%0AMDo0Mzo0MVoiIFJlY2lwaWVudD0iaHR0cDovL3VzZXJwb3J0YWwuZWN0LXN5cy5u%0D%0AZXQiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48%0D%0Ac2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMi0yN1QxMDo0MDo0MVoi%0D%0AIE5vdE9uT3JBZnRlcj0iMjAxNC0wMi0yN1QxMDo0Mzo0MVoiPjxzYW1sOkF1ZGll%0D%0AbmNlUmVzdHJpY3Rpb24%2BPHNhbWw6QXVkaWVuY2U%2BdXNlcnBvcnRhbC5lY3Qtc3lz%0D%0ALm5ldDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48%0D%0Ac2FtbDpPbmVUaW1lVXNlLz48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0%0D%0AYXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDItMjdUMTA6MTQ6NDlaIiBTZXNz%0D%0AaW9uSW5kZXg9IkEzRTc3NDFFOUUwMTVFNTI2NzI0RkZGRUNGRTE5OEFFQzk4QzNE%0D%0
AN0JBIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE0LTAyLTI3VDE4OjE1OjQ5WiI%2B%0D%0APHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVy%0D%0AbjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9z%0D%0AYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ%2BPC9z%0D%0AYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2Ft%0D%0AbDpBdHRyaWJ1dGUgTmFtZT0iZW9ubGRhcGRuIiBOYW1lRm9ybWF0PSJ1cm46b2Fz%0D%0AaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2Ft%0D%0AbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5jbj1CMTU4NDcs%0D%0Ab3U9dXNlcnMsb3U9ZWVhLG89ZW9uLGM9ZGU8L3NhbWw6QXR0cmlidXRlVmFsdWU%2B%0D%0APC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1l%0D%0ARm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9y%0D%0AbWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3Ry%0D%0AaW5nIj5CMTU4NDc8L3NhbWw6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sOkF0dHJpYnV0%0D%0AZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24%2BPC9z%0D%0AYW1scDpSZXNwb25zZT4%3D&RelayState=http%3A%2F%2Fuserportal.ect-sys.net%2F%3Fwa%3Dwsignin1.0
and decoded using https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://userportal.ect-sys.net" ID="I11252B54A420403870018FAC4D9BCE982E3B4AF1" IssueInstant="2014-02-27T10:41:41Z" Version="2.0">
<saml:Issuer>eon-apps.com</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#I11252B54A420403870018FAC4D9BCE982E3B4AF1">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec14n:InclusiveNamespaces xmlns:ec14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>xiAaNrpT002QtYtKQEEzBC4SFy4=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>ZrJLOKXEYt8rfC2xomLKsSyPPNemt5HigaH2vQSs0cr6HX4LPteMkDeucNGRQDT9ZXWeH6CCR/u16cHr3jSiuEp0hUOYoIVFLLrTDvuZ+wfH198Jw3J9ygkyf8tczymjkgOqH/EnVEL94iIBCX8BJrKj+HL25S7buy0p5FpskSq+7TWtDeERcsAaZcFrWHUt4rAgjZNixXEIxM76WjcTp8s8GbaSl3EloBVQ+1voTr9vaJK8qu0nu1yRnTh0l45vKh5gnaqFSG5p9mkZbHxIGCHMDEG+g/n+54OpJzGCE6efPOucji9kn7tVL2bZFILb1umhMfYcqlxSnziAQ1P+vQ==</dsig:SignatureValue>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="A3E7741E9E015E526724FFFECFE198AEC98C3D7BA" IssueInstant="2014-02-27T10:41:41Z" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer>eon-apps.com</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#A3E7741E9E015E526724FFFECFE198AEC98C3D7BA">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec14n:InclusiveNamespaces xmlns:ec14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>okmScCUFvU6pDHtcmgyPB3j0CKI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>uvSOP2AiPSNaz7e5VynQoPsDn5YvsQsUu8G46S2a10x0kMmlcusil2SgEaeZGePJorLdvXw+U+Ntpkkl85E5bSYjImJP2ymXY08ZT/i+WiJPgBoR/8lrjKw3pNcIRxQ4tBiXx96m4VOpbTsJe4jGcW7lpRsVtreYG4G4ZNNiSUZGk9Q/5GMG2hcM9qK60PXzP7Y9q3KJAm4CZE4I6wlxYOctjtq9T5NjavPwMmWVpi2FCtmamb5ywhnsYgC7oLsbqV/tpbQgLC3UvJfNMYj1Fg0oTVt7LMugSmGx1IMUyimZCY4AL2z+hfqB+XHDuMDcy5CZZhAcJtAzHge+N3oOiw==</dsig:SignatureValue>
</dsig:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="eon-apps.com" SPNameQualifier="userportal.ect-sys.net">42d1999ca078afb8b16bf3bf0f498775a5ffc4b3</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-02-27T10:43:41Z" Recipient="http://userportal.ect-sys.net"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-02-27T10:40:41Z" NotOnOrAfter="2014-02-27T10:43:41Z">
<saml:AudienceRestriction>
<saml:Audience>userportal.ect-sys.net</saml:Audience>
</saml:AudienceRestriction>
<saml:OneTimeUse/>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-02-27T10:14:49Z" SessionIndex="A3E7741E9E015E526724FFFECFE198AEC98C3D7BA" SessionNotOnOrAfter="2014-02-27T18:15:49Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="eonldapdn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">cn=B15847,ou=users,ou=eea,o=eon,c=de</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">B15847</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
but this is not giving me an Identity, despite the fact that the SAML response has a valid user in the token.
Any ideas?
Are there any example projects on the web of SAML2 integration with .net 4.5.1?
Do I need to create a custom SAML2TokenHandler inheriting from Saml2SecurityTokenHandler?
You are using the SAML2 protocol (saml2p) - .NET/WIF does not support that - only the SAML2 token - that's a big difference.
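Two of the questions on this page turn on the same handling. The first asks about a KeyInfo that carries a default namespace declaration (xmlns="http://www.w3.org/2000/09/xmldsig#") instead of the ds prefix: the qualified name is identical, so a namespace-aware XPath that binds a prefix to that URI finds it either way. The answer just above points out that Saml2SecurityTokenHandler validates only the SAML2 token, not the samlp:Response around it, so the protocol-level checks (Status, Destination, a single assertion, Conditions and bearer SubjectConfirmation) are the application's job. The following is an added example, not code from any of the posts or from WIF, that performs those checks with System.Xml and System.Security.Cryptography.Xml and returns the saml:Assertion element to hand to the token handler. It pins the issuer certificate rather than trusting the one embedded in KeyInfo (which the decoded Fiddler response does not even carry). The audience and recipient strings in Main are the ones from the posted web.config; the certificate file path, the two-minute clock skew and the "exactly one assertion" policy are this example's own assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from any of the posts. Protocol-level validation of a samlp:Response
// against a pinned issuer certificate, returning the saml:Assertion element for WIF.
static class Saml2ResponseValidator
{
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string SamlNs  = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs    = "http://www.w3.org/2000/09/xmldsig#";
    const string Success = "urn:oasis:names:tc:SAML:2.0:status:Success";
    const string Bearer  = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    static readonly TimeSpan Skew = TimeSpan.FromMinutes(2);   // assumed clock-skew allowance

    // XPath prefixes bind to namespace URIs, not to the prefixes used in the document: "ds:KeyInfo"
    // matches <ds:KeyInfo>, <dsig:KeyInfo> and <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> alike.
    static XmlNamespaceManager Ns(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlpNs); ns.AddNamespace("saml", SamlNs); ns.AddNamespace("ds", DsNs);
        return ns;
    }

    public static XmlDocument Load(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };   // whitespace is signed
        using (var r = XmlReader.Create(new StringReader(xml), settings)) doc.Load(r);
        return doc;
    }

    // Base64 DER of the certificate the IdP embedded in the assertion signature, or null if it embedded none.
    public static string EmbeddedCertificate(XmlDocument doc)
    {
        var n = doc.SelectSingleNode("/samlp:Response/saml:Assertion/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", Ns(doc));
        return n == null ? null : n.InnerText.Trim();
    }

    static DateTime Utc(XmlElement el, string attr)
    {
        return XmlConvert.ToDateTime(el.GetAttribute(attr), XmlDateTimeSerializationMode.Utc);
    }

    public static XmlElement ValidateAndExtractAssertion(XmlDocument doc, X509Certificate2 issuerCert,
                                                         string expectedAudience, string expectedRecipient, DateTime nowUtc)
    {
        var ns = Ns(doc);
        var response = doc.DocumentElement;
        if (response.LocalName != "Response" || response.NamespaceURI != SamlpNs) throw new Exception("not a samlp:Response");
        var status = response.SelectSingleNode("samlp:Status/samlp:StatusCode/@Value", ns);
        if (status == null || status.Value != Success) throw new Exception("response status is not Success");
        if (response.HasAttribute("Destination") && response.GetAttribute("Destination") != expectedRecipient)
            throw new Exception("Destination does not match this service provider");

        // Exactly one assertion: XML signature wrapping relies on smuggling a second, unsigned one.
        var assertions = response.SelectNodes("saml:Assertion", ns);
        if (assertions.Count != 1) throw new Exception("expected exactly one Assertion");
        var assertion = (XmlElement)assertions[0];

        // The signature must be the assertion's own enveloped signature, referencing the assertion's ID.
        var sigEl = (XmlElement)assertion.SelectSingleNode("ds:Signature", ns);
        if (sigEl == null) throw new Exception("assertion is not signed");
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigEl);
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + assertion.GetAttribute("ID"))
            throw new Exception("signature does not reference the assertion");

        // The embedded certificate is attacker-controlled input: it may confirm the pinned one, never replace it.
        string embedded = EmbeddedCertificate(doc);
        if (embedded != null && new X509Certificate2(Convert.FromBase64String(embedded)).Thumbprint != issuerCert.Thumbprint)
            throw new Exception("embedded certificate is not the pinned issuer certificate");
        if (!signedXml.CheckSignature(issuerCert, true)) throw new Exception("assertion signature is invalid");

        var cond = (XmlElement)assertion.SelectSingleNode("saml:Conditions", ns);
        if (cond == null) throw new Exception("assertion has no Conditions");
        if (cond.HasAttribute("NotBefore") && Utc(cond, "NotBefore") - Skew > nowUtc) throw new Exception("assertion not yet valid");
        if (cond.HasAttribute("NotOnOrAfter") && Utc(cond, "NotOnOrAfter") + Skew <= nowUtc) throw new Exception("assertion expired");
        bool audienceOk = false;
        foreach (XmlNode a in cond.SelectNodes("saml:AudienceRestriction/saml:Audience", ns))
            if (a.InnerText.Trim() == expectedAudience) audienceOk = true;
        if (!audienceOk) throw new Exception("assertion is not addressed to this audience");

        // Bearer confirmation: Recipient must be this service and the confirmation must not have expired.
        var scd = (XmlElement)assertion.SelectSingleNode(
            "saml:Subject/saml:SubjectConfirmation[@Method='" + Bearer + "']/saml:SubjectConfirmationData", ns);
        if (scd == null || scd.GetAttribute("Recipient") != expectedRecipient) throw new Exception("bearer Recipient mismatch");
        if (scd.HasAttribute("NotOnOrAfter") && Utc(scd, "NotOnOrAfter") + Skew <= nowUtc) throw new Exception("subject confirmation expired");

        return assertion;   // only this element goes to Saml2SecurityTokenHandler.ReadToken
    }

    // Usage: Saml2ResponseValidator <response.xml> <issuer.cer>   (assumed file inputs)
    static void Main(string[] args)
    {
        var doc = Load(File.ReadAllText(args[0]));
        var issuerCert = new X509Certificate2(args[1]);
        var assertion = ValidateAndExtractAssertion(doc, issuerCert, "userportal.ect-sys.net", "http://userportal.ect-sys.net", DateTime.UtcNow);
        var nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", Ns(doc));
        Console.WriteLine("valid assertion " + assertion.GetAttribute("ID") + " for " + (nameId == null ? "(no NameID)" : nameId.InnerText));
    }
}
```

Against the first question's sample, EmbeddedCertificate returns the text of the unprefixed KeyInfo's X509Certificate (the placeholder "some value" there is not valid base64, and the trimmed sample has no Conditions, so full validation needs a real ADFS token). Where the samlp:Response itself is also signed, as in the decoded Fiddler capture, that outer signature can be verified the same way with a SignedXml built over the document element and checked against the same pinned certificate.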
I'm trying to consume an external web service (as far as I can see it is an axis2/apache service) with a .NET 3.5 WCF client.
The service expects incoming messages to be signed and encrypted using x509 certificates. Signing and encrypting seems to work so far, but WCF adds a second <signature> element in the SOAP header, which confuses the remote web service.
I am unable to get rid of this second signature element. What I found while researching the matter is that this signature is used to sign the first signature.
My WCF configuration currently uses a custom binding with the following security settings:
<security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
authenticationMode="MutualCertificate"
securityHeaderLayout="Lax"
defaultAlgorithmSuite="Basic128"
includeTimestamp="false"
keyEntropyMode="CombinedEntropy"
requireDerivedKeys="false"
messageProtectionOrder="SignBeforeEncrypt"
requireSignatureConfirmation="true">
Does anybody have an idea what I have to change to make this work?
A sample SOAP request generated by my client looks like this:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<e:EncryptedKey Id="uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... --></o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2"/>
</e:ReferenceList>
</e:EncryptedKey>
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue><!-- ... --></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- ... --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue><!-- ... --></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- ... --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9618ae47-8bcd-4a96-b56e-800759a0ee57-7"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
Turns out I was using the wrong messageSecurityVersion value. With a value of WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 only a single signature is added to the SOAP header.
Afterwards the server was able to understand the requests. After some tweaks to the defaultAlgorithmSuite, service and client are now talking to and understanding each other.
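As an added illustration, not part of either post, here is a small Python script (rather than C#) that lists the Signature elements in a WS-Security header and resolves what each Reference URI points at; run over a constructed, shortened copy of the envelope above, it shows that the second, rsa-sha1 signature covers only the first signature (#_0), not the Body.

```python
# Added example (not from the original post): list every ds:Signature in a WS-Security
# header and resolve what its References point at, so the second signature WCF emitted
# under WSSecurity11 (an rsa-sha1 signature over the primary hmac-sha1 one) shows up.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ID_ATTRS = ("Id", "{%s}Id" % WSU)   # unqualified Id (xmldsig/xmlenc) and wsu:Id (SOAP Body)

# Constructed, shortened copy of the envelope quoted in the question; values elided.
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="%s">
<s:Header><o:Security xmlns:o="%s">
<e:EncryptedKey Id="uuid-ek-3" xmlns:e="http://www.w3.org/2001/04/xmlenc#"/>
<Signature Id="_0" xmlns="%s"><SignedInfo>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_1"/></SignedInfo><SignatureValue>elided</SignatureValue></Signature>
<Signature xmlns="%s"><SignedInfo>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0"/></SignedInfo><SignatureValue>elided</SignatureValue></Signature>
</o:Security></s:Header><s:Body u:Id="_1"/></s:Envelope>""" % (WSU, WSSE, DS, DS)


def describe_signatures(xml_text):
    """One dict per ds:Signature: its Id, signature algorithm, and the local names of
    the elements its SignedInfo References resolve to (via Id / wsu:Id attributes)."""
    root = ET.fromstring(xml_text)
    by_id = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            if attr in el.attrib:
                by_id[el.attrib[attr]] = el
    out = []
    for sig in root.iter("{%s}Signature" % DS):
        method = sig.find("{%s}SignedInfo/{%s}SignatureMethod" % (DS, DS)).get("Algorithm")
        covers = []
        for ref in sig.iter("{%s}Reference" % DS):
            target = by_id.get(ref.get("URI", "").lstrip("#"))
            covers.append(target.tag.split("}")[1] if target is not None else "<unresolved>")
        out.append({"id": sig.get("Id"), "method": method.rsplit("#", 1)[1], "covers": covers})
    return out


def has_endorsing_signature(xml_text):
    """True when some signature's Reference resolves to another Signature element,
    i.e. the 'signature over the signature' layout the poster ran into."""
    return any("Signature" in d["covers"] for d in describe_signatures(xml_text))
```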
What is the best/doable way to implement SOAP with WS-Security in C#?
These are the required security tokens as per the documentation:
Required Security Tokens
•Username Token (username, password, timestamp and nonce)
•User cert
•Server cert
In the past, when I created a SOAP + HTTP request, I used a StringBuilder and appended the request:
StringBuilder sb = new StringBuilder();
Then finally used HttpWebRequest.Create(url) and then an HTTP POST.
Any hints on how to start would help. Can anyone point me to some tutorials? I have used a certificate generating tool to generate a certificate.
I haven't really understood a good way to do this even after 3 days of research and fiddling with certificates and web.configs.
Here's an example of a sample request in the documentation:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mhs="http://org/TEST/mhs/" xmlns:urn="urn:hl7-org:v3">
<soapenv:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC....(signed user MLS cert).......</wsse:BinarySecurityToken>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">MIIDFj.....( MLS web-service end-point public cert)........</wsse:BinarySecurityToken>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-970e9a80-00cc-4c86-8ec4-3ba16e029a5b">
<wsse:Username>....your_username.....</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">.....your_plaintext_password....</wsse:Password>
<wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
<wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
</wsse:UsernameToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>wRUq.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
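Added example, not from the question or its documentation: the server-side freshness check that the Nonce and Created elements of the UsernameToken above exist for, written in Python for illustration; the token, the clock value and the MAX_SKEW window are constructed assumptions.

```python
# Added example (not from the original question or its documentation): the replay check
# that the Nonce and Created elements of a wsse:UsernameToken are there to support.
# A token is honoured once, inside a clock-skew window; the same nonce again is a replay.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed UsernameToken, shaped like the one in the documentation sample.
TOKEN = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="SecurityToken-1">
<wsse:Username>alice</wsse:Username>
<wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password>
<wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
<wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
</wsse:UsernameToken>"""

MAX_SKEW = timedelta(minutes=5)   # assumed: how far Created may lie from the server clock


def check_username_token(xml_text, now, seen_nonces):
    """Return (accepted, reason). `now` is the server's tz-aware clock; `seen_nonces`
    is the replay cache of nonces already honoured (entries older than MAX_SKEW may be
    evicted, since the Created check rejects such tokens anyway)."""
    tok = ET.fromstring(xml_text)
    nonce = tok.findtext("{%s}Nonce" % WSSE)
    created = tok.findtext("{%s}Created" % WSU)
    if not nonce or not created:
        return False, "nonce and Created are required"
    try:
        raw = base64.b64decode(nonce, validate=True)
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
    except ValueError:
        return False, "malformed nonce or Created"
    if len(raw) < 16:
        return False, "nonce too short"
    if abs(now - created_at) > MAX_SKEW:
        return False, "Created outside the allowed clock-skew window"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "accepted"
```

With PasswordText the password itself travels in clear inside the header, and the EncryptedData in the sample covers only the Body (its ReferenceList names a single DataReference on the Body), so the transport has to protect the header.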