Login/Register
An unsecured or incorrectly secured fault was received from the other party.(When working with SAML )
Asked Answered
Solved c#wcfweb-servicessamlfederated-identity
R

1

2

I'm new to WCF web service. currently i'm working on a federated web service with federation binding(SAML) .I took help of MSDN examples on 'SAML Token Provider'.but the problem is that i'm not able to consume the service ,when i consume it, it throws "An unsecured or incorrectly secured fault was received from the other party" with inner exception as "An error occurred when processing the security tokens in the message."

this is my web config file at server side

 <?xml version="1.0"?>
  <configuration>
   <system.web>
     <compilation debug="true" targetFramework="4.0"/>
   </system.web>
   <system.serviceModel>
     <bindings>
       <wsFederationHttpBinding>
          <binding name="Binding1">
            <security mode="Message" >
              <message negotiateServiceCredential ="false" issuedKeyType ="AsymmetricKey" 
                             issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
              </message>
            </security>
          </binding>
          <!-- Binding that expect SAML tokens with Asymmetric proof keys -->
          <binding name="Binding2">
             <security mode="Message">
                <message negotiateServiceCredential ="false"
                             issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                </message>
             </security>
          </binding>
       </wsFederationHttpBinding>
    </bindings>
    <services>
    <!--<service name="MobileInterfaceWCFService.MobileService" behaviorConfiguration="MobileInterfacebehavior">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basic_http" contract="MobileInterfaceWCFService.IMobileInterface" />
        </service>
        <service name ="MobileInterfaceWCFService.MobileService" behaviorConfiguration="MobileInterfaceWCFService.Service1Behavior">
            <endpoint address="" binding="wsHttpBinding" contract="MobileInterfaceWCFService.IMobileInterface" bindingName="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService" bindingConfiguration="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService">
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
        </service> -->
        <service name ="MobileInterfaceWCFService.MobileService" behaviorConfiguration="MobileInterfaceWCFService.SamlTokenBehavior">
            <endpoint address="" binding="wsFederationHttpBinding" contract="MobileInterfaceWCFService.IMobileInterface" bindingName="Binding1" bindingConfiguration="Binding1">
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
        </service>
    </services>
    <client>
        <endpoint address="http://host-root/MobileSharedWebService/MobileSharedWebService.svc" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService" contract="ServiceReference1.ITMMobileSharedWebService" name="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService">
            <identity>
                <dns value="localhost"/>
            </identity>
        </endpoint>
    </client>
    <behaviors>
        <serviceBehaviors>
            <behavior name="MobileInterfacebehavior">
                <!--<serviceMetadata httpGetEnabled="true" />-->
            </behavior>
            <behavior name="MobileInterfaceWCFService.Service1Behavior">
                <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
            <!--    <serviceMetadata httpGetEnabled="true"/> -->
                <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>

            <behavior name="MobileInterfaceWCFService.SamlTokenBehavior">
                <serviceMetadata httpGetEnabled="true"  /> 
                <!-- 
                    The serviceCredentials behavior allows one to define a service certificate.
                    A service certificate is used by a client to authenticate the service and provide message protection.
                    This configuration references the "localhost" certificate installed during the setup instructions.
                    -->
                <serviceCredentials>
                    <!-- Set allowUntrustedRsaIssuers to true to allow self-signed, asymmetric key based SAML tokens -->
                    <issuedTokenAuthentication allowUntrustedRsaIssuers ="false" >
                        <!-- Add Alice to the list of certs trusted to issue SAML tokens -->
                        <knownCertificates>
                            <add storeLocation="LocalMachine" 
                                 storeName="TrustedPeople"
                                 x509FindType="FindBySubjectName"
                                 findValue="Alice"/>
                            </knownCertificates>
                    </issuedTokenAuthentication>
                    <serviceCertificate storeLocation="LocalMachine"
                                        storeName="My"
                                        x509FindType="FindBySubjectName"
                                        findValue="localhost"  />
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
</system.serviceModel>
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <handlers accessPolicy="Read, Script" />
    <security>
        <authentication>
            <anonymousAuthentication enabled="true" />
            <windowsAuthentication enabled="true" />
        </authentication>
    </security>
    <asp enableParentPaths="true" />
</system.webServer>

<system.diagnostics>
        <sources>
            <source name="System.ServiceModel"
                    switchValue="Information, ActivityTracing"
                    propagateActivity="true">
                <listeners>
                    <add name="traceListener"
                        type="System.Diagnostics.XmlWriterTraceListener"
                        initializeData= "c:\log\Traces.svclog" />
                </listeners>
            </source>
        </sources>
    </system.diagnostics>

     </configuration>

here is my config file at consumer end

<?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
    <bindings>
        <wsFederationHttpBinding>
         <binding name="Binding1_IMobileInterface"  >
            <security mode="Message">
                <message issuedKeyType="AsymmetricKey"      issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                    negotiateServiceCredential="false"  >   
                </message>
                </security>
            </binding>
        </wsFederationHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost/WCF_MobileInterface/MobileService.svc"
            binding="wsFederationHttpBinding" bindingConfiguration="Binding1_IMobileInterface"
            contract="ServiceReference1.IMobileInterface" name="Binding1_IMobileInterface">
            <identity>
                <dns value="localhost" />
            </identity>
        </endpoint>
    </client>
</system.serviceModel>
  </configuration>

Note: I have tried all the solutions which were related to same type of error/problem on stackoverflow as well as on google but was unable to fix the problem

Any quick help will be appreciated

thanks in advance

Rennes answered 4/2, 2013 at 14:14 Comment(0)
R
1

I have resolved error which i had mentioned above.I had to add following tag under my wsfederationbinding

<allowedAudienceUris>
    <add allowedAudienceUri="http://localhost/WCF_MobileInterface/MobileService.svc"/>
</allowedAudienceUris>

the uri mentioned within allowedAudienceuri attribute is the host WCF service.

Actually i got to know this was the error when I added the following tag to host WCF service's web config file(),

<serviceSecurityAudit  auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" />

under behavior tag which was mapping to my wsfederationbinding,this tag logs the exact error message within application log category within system`s eventviewer.

Note: I had enabled tracing at server and consumer level, it didnt give proper error message.but I found the issue by checking the error logs in event viewer

hope this helps someone who is struggling with similar sort of error.

Rennes answered 5/2, 2013 at 13:14 Comment(4)
Was the <allowedAudienceUris> added to the token issuing service (STS) or to the service that was secured by the STS? I am really struggling with a similar issue and can't get much progress because my logging states authentication succeeded. #20378581Putman
@atconway:The <allowedAudienceUris> section was added token issuing service(STS) and the host service has nothing to do with this. STS is the gateway for the Target Service, if the gateway service or STS is properly configured, then the target service can be easily consumed by the Client app.Rennes
If this section is omitted, does it assume 'all' are allowed? Meaning use of it creates a 'whitelist' operation? I had a hard time telling from the MSDN documentation.Putman
<allowedAudienceUris> tag is used to specify which all host services are accessible by SAML token Service, its not a whitelist for client urls. you just need to include your host /target service which u want to expose to all clients.Rennes

© 2022 - 2024 — McMap. All rights reserved.