As I described in another question, I am building a web service that takes a username/password and, based on these credentials, authenticates users (mobile apps) against ADFS 2.0. My web service is configured as an RP on the ADFS. ADFS issues SAML 2.0 tokens.
Here is a code of the web method:
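/// <summary>
/// First attempt: requests a token from the ADFS 2.0 "issuedtokenmixedsymmetricbasic256"
/// endpoint over a WS2007HttpBinding with a UserName message credential. This is the
/// version that fails with a MessageSecurityException ("An unsecured or incorrectly secured
/// fault was received from the other party"); it is kept here to show what was tried.
/// </summary>
public class MobileAuthService : IMobileAuthService
{
    // STS base address; <my_adfs_hostname> is a placeholder for the real ADFS host.
    // The scheme must stay https: TransportWithMessageCredential relies on TLS to protect
    // the UsernameToken carried in the message.
    private const string adfsBaseAddress = @"https://<my_adfs_hostname>/adfs/services/";
    private const string endpointSuffix = @"trust/13/issuedtokenmixedsymmetricbasic256";

    /// <summary>
    /// Authenticates a user against ADFS by sending the username/password as a WS-Security
    /// UsernameToken and requesting a symmetric-key security token (WS-Trust 1.3 Issue).
    /// </summary>
    /// <param name="username">User name forwarded to the STS unchanged.</param>
    /// <param name="password">Password forwarded to the STS unchanged. It is only protected by
    /// the TLS transport to the STS; never log or persist this value.</param>
    /// <returns>The identifier of the issued security token.</returns>
    /// <exception cref="System.ServiceModel.Security.MessageSecurityException">
    /// Thrown by the channel when the STS answers with a fault it cannot verify (the failure
    /// described in the question).</exception>
    public string AuthenticateUser(string username, string password)
    {
        // Transport security plus a UserName message credential; no client certificate and
        // no secure-conversation session (one request/response per call).
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(adfsBaseAddress + endpointSuffix))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        trustChannelFactory.Credentials.UserName.UserName = username;
        trustChannelFactory.Credentials.UserName.Password = password;

        var tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();
        try
        {
            var rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Symmetric);
            var token = tokenClient.Issue(rst);
            // do some token-related stuff

            // Release the WCF channel and factory on success instead of leaking them.
            tokenClient.Close();
            trustChannelFactory.Close();
            return token.Id;
        }
        catch
        {
            // Close() throws on a faulted channel; Abort() tears it down unconditionally.
            tokenClient.Abort();
            trustChannelFactory.Abort();
            throw;
        }
    }
}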
When I try to run it (a GET call from the browser, since this endpoint is configured with web HTTP binding) I get the following exception:
System.ServiceModel.Security.MessageSecurityException - "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."
with inner exception:
System.ServiceModel.FaultException - "An error occurred when verifying security for the message."
I guess it's related to the response signature or certificate, but I have no idea how to overcome this since I'm quite new to WIF.
I've managed to (partly) solve this issue. I changed a few things in my code, but the problem seems to be related to:
- the endpoint: `/trust/13/usernamemixed` for this type of authentication
- the key type: `Bearer` — with it ADFS started returning a SAML token
Here is my most recent version:
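/// <summary>
/// Working version: requests a SAML 2.0 bearer token from the ADFS 2.0 "usernamemixed"
/// endpoint with a UserNameWSTrustBinding, scoped (AppliesTo) to this service's own
/// relying-party address. The usernamemixed endpoint plus the Bearer key type is the
/// combination that made ADFS return a SAML token instead of the security fault.
/// </summary>
public class MobileAuthService : IMobileAuthService
{
    // STS endpoint; <my_adfs_hostname> is a placeholder for the real ADFS host. The scheme
    // must stay https: with TransportWithMessageCredential only TLS protects the password.
    private const string stsEndpointAddress = @"https://<my_adfs_hostname>/adfs/services/trust/13/usernamemixed";

    // Address of this service as registered as an RP on ADFS; used as the token audience.
    private const string relyingPartyAddress =
        "https://<my_service_addr>/Auth.svc";

    /// <summary>
    /// Authenticates a user against ADFS by sending the username/password as a WS-Security
    /// UsernameToken and requesting a SAML 2.0 bearer token issued for this service.
    /// </summary>
    /// <param name="username">User name forwarded to the STS unchanged.</param>
    /// <param name="password">Password forwarded to the STS unchanged; never log or persist it.</param>
    /// <returns>The identifier of the issued security token.</returns>
    public string AuthenticateUser(string username, string password)
    {
        // TLS transport plus UserName message credential; no client certificate on the transport.
        var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential)
        {
            ClientCredentialType = HttpClientCredentialType.None
        };

        var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(stsEndpointAddress))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        var channelCredentials = trustChannelFactory.Credentials;
        channelCredentials.UserName.UserName = username;
        channelCredentials.UserName.Password = password;
        // This runs inside a service process: never fall back to an interactive credential prompt.
        channelCredentials.SupportInteractive = false;

        var tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();
        try
        {
            // Bearer key type: the token carries no proof key, so ADFS returns a plain SAML 2.0
            // assertion whose audience (AppliesTo) is this relying party.
            var rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Bearer)
            {
                AppliesTo = new EndpointReference(relyingPartyAddress),
                ReplyTo = relyingPartyAddress,
                TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
            };
            var token = tokenClient.Issue(rst);
            // to some token-related stuff (like transformations etc...)
            // NOTE(review): signature, audience and lifetime validation of the issued token is
            // not shown here; the relying party must validate it before trusting its claims.

            // Release the WCF channel and factory on success instead of leaking them.
            tokenClient.Close();
            trustChannelFactory.Close();
            // The original listing elided the return; the token id mirrors the first version.
            return token.Id;
        }
        catch
        {
            // Close() throws on a faulted channel; Abort() tears it down unconditionally.
            tokenClient.Abort();
            trustChannelFactory.Abort();
            throw;
        }
    }
}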
I hope this will help people who end up with a similar problem.