3

I'm attempting to put together a claims-aware WCF service and client.

I'm using the thinktecture Identity Server, and I've put together a console client by looking at the "Using a token with WCF/SOAP" example:

// Assumed namespaces: System.ServiceModel for the binding/factory,
// System.ServiceModel.Security for the WIF 4.5 extension methods
// (ConfigureChannelFactory, CreateChannelWithIssuedToken).
using System.ServiceModel;
using System.ServiceModel.Security;

// Obtain the SAML token from the STS (thinktecture Identity Server).
var token = GetSecurityToken();

// Federation binding: HTTPS for transport, issued token as message credential.
var binding =
    new WS2007FederationHttpBinding(
        WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;

var factory =
    new ChannelFactory<IService1>(
        binding,
        new EndpointAddress("https://localhost:44301/Service1.svc"));
factory.Credentials.SupportInteractive = false;

// Hooks the WIF security token handlers into the channel factory.
factory.ConfigureChannelFactory();

// Creates a channel that presents the issued token on each call.
var service = factory.CreateChannelWithIssuedToken(token);
var result = service.GetData(42);

I have (what looks like) a valid token from the STS.

However, it throws an exception in the call to GetData, as follows:

There was an error serializing the security key identifier. Please see the inner exception for more details.

The inner exception is as follows:

The token Serializer cannot serialize 'System.IdentityModel.Tokens.Saml2AssertionKeyIdentifierClause'. If this is a custom type you must supply a custom serializer.

The only mention of this problem that I can find is this one on the MSDN forums, but that's only slightly related.

Looking in the debugger, it appears that the endpoint behaviours include (eventually) a Saml2SecurityTokenHandler, which that other link implies is all that's needed.

What am I missing?

EBarr • 11,826 • 7 • 63 • 85
Roger Lipscombe • 89,048 • 55 • 235 • 380

2 Answers

8

I had the exact same problem just now when I upgraded from StarterSTS to IdentityServer v2 and switched from SAML 1.1 to SAML 2.

I do not generate my proxies, so what solved my problem was to simply set Credentials.UseIdentityConfiguration to true on my channel factory. Perhaps this is not done by default if you generate your proxies? Or, if you use your own custom ChannelFactory, maybe you just forgot to set it, as I did.

// Endpoint configuration is read from the <client> section by name.
var channelFactory = new ChannelFactory<T>(endpointName);

// Tells WCF to use the WIF (System.IdentityModel) token handlers,
// which know how to serialize the SAML 2.0 key identifier clause.
channelFactory.Credentials.UseIdentityConfiguration = true;

var channel = channelFactory.CreateChannelWithIssuedToken(token);

...use the channel without the serialization exception now

Hope it helps; there is no need to add a system.identityModel section on the client side, as other discussion threads suggest.

Ajden Towfeek • 387 • 2 • 14

0

Is WIF enabled in your WCF service?

Make sure you have these settings in config:

In the serviceCredentials behavior: useIdentityConfiguration = true
In the serviceAuthorization behavior: principalPermissionMode = always

leastprivilege • 18,196 • 1 • 34 • 50