Last post Jun 23, 2014 01:30 PM by cippede
Jun 03, 2014 07:04 PM|cippede|LINK
I am working on an interoperability issue concerning validation of a digital signature on a referenced SAML assertion in a SOAP message produced by a Java framework and consumed by a .NET framework. The client framework is .NET 4.5. The provider framework uses Apache WSS4J (with OpenSAML libraries). The SAML confirmation method is Sender-Vouches. The SAML assertion itself is referenced in the SOAP message using the wsse:SecurityTokenReference element with a KeyIdentifier element. We have determined through testing that the error is caused by use of the "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" algorithm in the transforms on the SAML reference. I am aware of KB 974842 and the hotfix for what seems to be the same issue in the .NET 3.5 framework (http://support.microsoft.com/kb/974842). I am confident that the WSS4J framework is producing a SAML assertion that conforms to the OASIS specifications. My questions:
1. Was the hotfix ported to later versions of the .NET framework?
2. Does the .NET 4.5 framework support use of the STR-Transform algorithm to resolve the SAML assertion from a reference for verification of the message-level signature on the assertion?
Thank you for your help.
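For readers unfamiliar with what the transform named in the question actually does: the STR-Dereference Transform ("STR-Transform") tells the verifier to replace the wsse:SecurityTokenReference with the token it points to before canonicalising and digesting, so the signature binds the SAML assertion's content rather than just the small STR element. The following is an added example, not code from this thread, from WSS4J or from the .NET framework. It simulates that reference-processing step with the Python standard library; Python is used because the verifier can run it, and the mechanics are the same in any XML-DSig stack. Assumptions: the SOAP message is constructed for the example (SAML 1.1 namespace, AssertionID attribute, the SAMLAssertionID KeyIdentifier ValueType from the SAML Token Profile 1.0); Python's C14N 2.0 stands in for the Exclusive C14N that wsse:TransformationParameters names; the RSA operation over ds:SignedInfo is left out, since the digest of the reference is where the transform runs and where a consumer without STR-Transform support fails.

```python
"""STR-Dereference Transform ("STR-Transform"), simulated with the Python stdlib.

Added example; not code from the thread, WSS4J or .NET.  The message is
constructed for the example, C14N 2.0 stands in for Exclusive C14N, and the
RSA step over ds:SignedInfo is omitted (the transform runs at digest time)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
SAML_ID_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed Sender-Vouches message: the Reference points at the STR (#str-1),
# and the STR names the assertion by its AssertionID via a KeyIdentifier.
SAMPLE_MESSAGE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:saml="{NS['saml']}">
<soap:Header><wsse:Security>
<saml:Assertion AssertionID="_a1" Issuer="idp.example"><saml:AuthenticationStatement>
<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier><saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
<wsse:SecurityTokenReference wsu:Id="str-1">
<wsse:KeyIdentifier ValueType="{SAML_ID_TYPE}">_a1</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#str-1">
<ds:Transforms><ds:Transform Algorithm="{STR_TRANSFORM}"><wsse:TransformationParameters>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</wsse:TransformationParameters></ds:Transform></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue/>
</ds:Reference></ds:SignedInfo></ds:Signature>
</wsse:Security></soap:Header><soap:Body><getBalance/></soap:Body></soap:Envelope>"""


class UnsupportedTransform(Exception):
    """The consumer does not implement a transform that a Reference requires."""


def dereference_str(root, str_el):
    """STR-Dereference Transform: swap the STR for the token it names (KeyIdentifier form only)."""
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != SAML_ID_TYPE:
        raise ValueError("STR form not handled by this example")
    wanted = kid.text.strip()  # AssertionID is the SAML 1.1 attribute, ID the SAML 2.0 one
    return next(a for a in root.iter("{%s}Assertion" % NS["saml"])
                if a.get("AssertionID") == wanted or a.get("ID") == wanted)


def canonical_digest(el):
    """Serialise the node, canonicalise it (C14N 2.0 stand-in) and return base64(SHA-256)."""
    canon = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canon.encode("utf-8")).digest()).decode("ascii")


def reference_digest(root, ref, supported):
    """Digest for one ds:Reference: resolve the same-document URI, then apply its transforms in order."""
    target = next(el for el in root.iter() if el.get(WSU_ID) == ref.get("URI")[1:])
    for t in ref.findall("ds:Transforms/ds:Transform", NS):
        alg = t.get("Algorithm")
        if alg not in supported:
            raise UnsupportedTransform(alg)
        if alg == STR_TRANSFORM:
            target = dereference_str(root, target)
    return canonical_digest(target)


def sign_references(envelope_xml, supported=frozenset({STR_TRANSFORM})):
    """Producer side: fill in every ds:DigestValue."""
    root = ET.fromstring(envelope_xml)
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        ref.find("ds:DigestValue", NS).text = reference_digest(root, ref, supported)
    return ET.tostring(root, encoding="unicode")


def verify_references(envelope_xml, supported=frozenset({STR_TRANSFORM})):
    """Consumer side: True only if every reference digest matches.

    supported=frozenset() models a consumer without STR-Transform: it cannot
    compute the digest at all and must reject the message."""
    root = ET.fromstring(envelope_xml)
    try:
        for ref in root.iter("{%s}Reference" % NS["ds"]):
            stored = (ref.find("ds:DigestValue", NS).text or "").strip()
            if reference_digest(root, ref, supported) != stored:
                return False
    except UnsupportedTransform:
        return False
    return True


def tamper_subject(envelope_xml, new_name):
    """Attacker: rewrite the vouched-for subject without touching the STR."""
    root = ET.fromstring(envelope_xml)
    root.find(".//saml:NameIdentifier", NS).text = new_name
    return ET.tostring(root, encoding="unicode")


def drop_str_transform(envelope_xml):
    """Variant that signs the STR element itself, with no dereference."""
    root = ET.fromstring(envelope_xml)
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        ref.remove(ref.find("ds:Transforms", NS))
    return ET.tostring(root, encoding="unicode")
```

Calling `verify_references(sign_references(SAMPLE_MESSAGE))` returns True, and the same check returns False once `tamper_subject` has changed the NameIdentifier; passing `supported=frozenset()` returns False even for the untouched message, which is the position of a consumer that does not implement the transform. The `drop_str_transform` variant shows why the transform exists: if the Reference digests the STR element itself, `tamper_subject` leaves the digest intact and the forged subject verifies, because nothing in the signature covers the assertion body.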
Jun 06, 2014 08:01 PM|cippede|LINK
Jun 23, 2014 01:30 PM|cippede|LINK
Over the past couple of weeks I have received confirmation from multiple sources that the .NET XML classes do not support a .NET client consumer of the STR-Transform algorithm specified in the OASIS Web Services Security SAML Token Profile. I would welcome input from anyone who has found a satisfactory standards-based solution for integrating a Java message producer and a .NET client consumer using the SAML Token Profile. Thank you.