Zulfiqar's weblog

Architecture, security & random .Net

X509 based proof keys with wsFederationHttpBinding

Posted by zamd on May 14, 2010

When requesting a SAML token from an STS you can also request a proof token. When you later send a SOAP message to the relying party, you prove to it that you own the token by producing the message signature with the proof key rather than with some unrelated credential. In identity terms this is known as the Holder-of-Key subject confirmation method.

WS-Trust lets the requestor ask for one of three key types, and only the first two give you a Holder-of-Key token:

  1. Symmetric key (a symmetric proof token, normally derived from requestor and issuer entropy)
  2. Asymmetric key (a public-key proof token; the requestor holds the private key)
  3. Bearer key (no proof token at all: whoever presents the token is trusted, which is bearer confirmation rather than Holder-of-Key)

See this post from Vittorio for the details of proof tokens.

Asymmetric-key proof tokens can come in the following two forms:

  1. The requestor generates an ephemeral RSA key pair and submits the public key to the IP/STS inside the RST (in wst:UseKey). The requestor then signs the RST with the private key to demonstrate possession of it.
  2. The requestor uses an existing X.509 certificate as the proof token and creates the supporting signature with the certificate's private key.

wsFederationHttpBinding out of the box (as in .NET 4.0) only supports the ephemeral RSA key pair, while certain interop scenarios require X.509-based asymmetric proof keys. For example, Apache Rampart 1.4 doesn't seem to like ephemeral RSA key pairs and forces you to use X.509-based asymmetric proof keys. Unfortunately this scenario is not possible today out of the box with wsFederationHttpBinding. The WSTrustChannelFactory API in WIF, however, supports both an RSA key pair and an X.509 certificate, and you can choose the key you want when requesting the token; but WIF is not supported on XP.
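The two asymmetric options above, requested through the WIF WSTrustChannelFactory route just mentioned, as an added C# example that is not part of the original post. It uses the WIF 1.0 (Microsoft.IdentityModel) WS-Trust client API; the STS and relying-party addresses, the username credential and the certificate thumbprint are placeholders you would replace with your own. Both requests ask for KeyType = Asymmetric; the only difference is which token is placed in wst:UseKey, an RsaSecurityToken wrapping a freshly generated key pair or an X509SecurityToken wrapping a certificate whose private key you hold.

```csharp
// Added example (not from the original post). Requests a Holder-of-Key SAML
// token from a WS-Trust 1.3 STS with WIF's WSTrustChannelFactory, once with an
// ephemeral RSA proof key and once with an existing X.509 certificate.
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

static class ProofKeyRequests
{
    // Placeholders (assumed): replace with your STS endpoint and relying party.
    const string StsAddress   = "https://sts.example.com/trust/13/username";
    const string RelyingParty = "https://rp.example.com/service";

    // Standard WS-Security SAML 1.1 token type identifier.
    const string Saml11TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

    static WSTrustChannelFactory CreateFactory(string user, string password)
    {
        // Username over TLS to the STS; no secure conversation so each RST stands alone.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsAddress));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory;
    }

    static RequestSecurityToken CreateAsymmetricRst(SecurityToken proofToken)
    {
        return new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(RelyingParty),
            TokenType = Saml11TokenType,
            KeyType   = KeyTypes.Asymmetric,           // Holder-of-Key with a public key
            UseKey    = new UseKey(proofToken),        // the public half goes in wst:UseKey
        };
    }

    // Option 1: ephemeral RSA key pair. The private key never leaves this process;
    // it signs the RST (supporting signature) and later the messages to the RP.
    public static SecurityToken IssueWithEphemeralRsa(string user, string password, out RSA proofKey)
    {
        var rsa = new RSACryptoServiceProvider(2048);
        proofKey = rsa;
        var rst = CreateAsymmetricRst(new RsaSecurityToken(rsa));
        var channel = (WSTrustChannel)CreateFactory(user, password).CreateChannel();
        return channel.Issue(rst);
    }

    // Option 2: existing X.509 certificate, the form Rampart-style peers expect.
    public static SecurityToken IssueWithX509(string user, string password, X509Certificate2 proofCert)
    {
        if (!proofCert.HasPrivateKey)
            throw new ArgumentException("Proof certificate must carry its private key to sign the RST.", "proofCert");
        var rst = CreateAsymmetricRst(new X509SecurityToken(proofCert));
        var channel = (WSTrustChannel)CreateFactory(user, password).CreateChannel();
        return channel.Issue(rst);
    }

    // Locates the proof certificate by thumbprint in the current user's store
    // (thumbprint is a placeholder you supply).
    public static X509Certificate2 FindProofCert(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Proof certificate not found: " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Whichever option you use, the token that comes back is only useful together with the matching private key: the relying party will reject a message whose signature was not produced by the key named in the assertion's SubjectConfirmation. With the X.509 form the certificate should be one the relying party can resolve (by thumbprint or issuer/serial reference) but need not be one it trusts for any other purpose, since the STS's signature over the assertion is what binds the key to the subject.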

So if you are on Windows XP or can't use WIF for some other reason, you would have to extend wsFederationHttpBinding to enable X.509-based proof keys: probably a custom endpoint behaviour that tweaks the IssuedSecurityTokenProvider to force it to use the X.509 key. See this post on how to work with IssuedSecurityTokenProvider directly. In the next post I will talk more about extending wsFederationHttpBinding to support X.509-based proof keys.

One Response to “X509 based proof keys with wsFederationHttpBinding”

  1. John N. said

    I have a production STS that is issuing my client a SAML token that it signed with an X.509 certificate. My client and service are configured with a ws2007FederationHttpBinding with asymmetric keys. After my client receives the signed SAML token from the STS, it makes a request to the service with the token. However, the service throws a SOAP fault saying "Signature Validation Failed." I'm guessing it probably fails because the service is expecting a SAML token that is signed with an ephemeral RSA key pair and not an X.509 certificate; is this correct? I saw the post on working with IssuedSecurityTokenProvider directly; however, this looks like it is configured on the client side. I need to actually configure the service to validate the SAML token using an X.509 certificate. Any suggestions on how I would go about this?
