
I've got 2 Relying Party Trusts (App1, App2) configured in ADFS; after the user's authentication following the SAML web flow, App1 finally got a SAML token: SamlToken1.

The current situation is that the user's browser cannot visit App2 due to a firewall, so App2 cannot get a SAML token.

The solution I thought of was using WS-Trust through the issuedtokenmixedasymmetricbasic256sha256 endpoint that ADFS provides:

Step 1. Make App1 act as a WS-Trust client and send an RST (Request Security Token) to ADFS (endpoint issuedtokenmixedasymmetricbasic256sha256), with SamlToken1 in the SOAP security header and AppliesTo set to App2.

Step 2. ADFS returns an encrypted SAML assertion within an RSTR to App1.

Step 3. App1 sends another RST to App2, with the encrypted SAML assertion as the security header.

Step 4. App2 can get the SAML token.

When doing the 1st step, ADFS returns "An error occurred when verifying security for the message"; the ADFS trace log gives only "Token of type 'urn:oasis:names:tc:SAML:2.0:assertion' got successfully authenticated", and no further log is shown in ADFS.

I'm using SoapUI to make the SOAP calls. I want to know how to use issuedtokenmixedasymmetricbasic256sha256 to send ADFS a SAML token in exchange for another SAML token.

RST:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <soap:Header>
        <a:Action soap:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
        <a:To soap:mustUnderstand="1">https://ADFS_URL/adfs/services/trust/13/issuedtokenasymmetricbasic256sha256</a:To>
        <o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7d723310-961e-417a-bb94-ee32dad0a48c" IssueInstant="2016-11-22T06:03:43.454Z" Version="2.0">**SAML Token 1</Assertion>
        </o:Security>
    </soap:Header>
    <soap:Body>
        <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <a:EndpointReference>
                    <a:Address>App2</a:Address>
                </a:EndpointReference>
            </wsp:AppliesTo>
            <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
            <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
            <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
        </trust:RequestSecurityToken>
    </soap:Body>
</soap:Envelope>
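An added Python sketch (not from the question, SoapUI or ADFS) that builds the same RST/Issue layout as the envelope above with the standard library and, before sending, checks that the header assertion is still inside its Conditions window, since a token outside that window fails message security verification at any conforming STS. The ADFS host, App2 address and the sample assertion are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
TRUST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in {"soap": SOAP, "a": WSA, "o": WSSE, "wsp": WSP, "trust": TRUST}.items():
    ET.register_namespace(prefix, uri)
# Assumed ADFS host; only the /adfs/services/trust/13/<endpoint> path pattern comes from the question.
ENDPOINT = "https://adfs.example.test/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256sha256"

def build_rst(endpoint: str, assertion: ET.Element, applies_to: str) -> bytes:
    # Same RST/Issue layout as the question: SAML assertion in the Security header, Bearer key type.
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    mu = {f"{{{SOAP}}}mustUnderstand": "1"}
    ET.SubElement(hdr, f"{{{WSA}}}Action", mu).text = f"{TRUST}/RST/Issue"
    ET.SubElement(hdr, f"{{{WSA}}}To", mu).text = endpoint
    ET.SubElement(hdr, f"{{{WSSE}}}Security", mu).append(assertion)
    rst = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{TRUST}}}RequestSecurityToken")
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    ET.SubElement(rst, f"{{{TRUST}}}KeyType").text = f"{TRUST}/Bearer"
    ET.SubElement(rst, f"{{{TRUST}}}RequestType").text = f"{TRUST}/Issue"
    ET.SubElement(rst, f"{{{TRUST}}}TokenType").text = SAML
    return ET.tostring(env)

def assertion_is_current(assertion: ET.Element, now: datetime) -> bool:
    # Pre-flight check on the header token: NotBefore <= now < NotOnOrAfter, else the STS rejects it.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return False
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    return (nb is None or parse(nb) <= now) and na is not None and now < parse(na)

def demo() -> dict:
    # Constructed sample: a SamlToken1 with a one-hour window, built into an RST and parsed back.
    saml1 = ET.fromstring(f'<Assertion xmlns="{SAML}" ID="_token1" Version="2.0"><Conditions '
                          'NotBefore="2016-11-22T06:03:43.454Z" NotOnOrAfter="2016-11-22T07:03:43.454Z"/></Assertion>')
    sent = ET.fromstring(build_rst(ENDPOINT, saml1, "https://app2.example.test/"))
    return {"to": sent.find(f".//{{{WSA}}}To").text,
            "header_token": sent.find(f".//{{{WSSE}}}Security/{{{SAML}}}Assertion").get("ID"),
            "applies_to": sent.find(f".//{{{WSA}}}Address").text,
            "current_at_0630": assertion_is_current(saml1, datetime(2016, 11, 22, 6, 30, tzinfo=timezone.utc)),
            "current_at_0800": assertion_is_current(saml1, datetime(2016, 11, 22, 8, 0, tzinfo=timezone.utc))}
```

Running the validity check against the real SamlToken1 before the exchange separates "token already expired" from other causes of the security verification error.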
  • Were you able to resolve this? Any information is appreciated, running into the same problem for a very similar use case. – Kabron Jan 19 '18 at 18:53
  • @Kabron Nope, I gave up at last... Maybe only guys from MS ADFS team are able to answer this question. – Liu Xingnan Jan 22 '18 at 05:51
