Authorization header is null when setting its value to an Encrypted SAML 2 token
I'm using Thinktecture IdentityServer to issue my SAML security tokens using the WS-Trust protocol. Then I'm calling my Web API with an Authorization HTTP header containing the token. The token is handled successfully using Thinktecture.IdentityModel.

But when I use a certificate to encrypt the sent token (by choosing an Encrypting Certificate in the IDP RP Admin page), the request received by IdentityModel has its Authorization header set to null (actually the encrypted value exists inside an "InvalidHeaders" array in the request object).

Using Fiddler I replaced the header value with the one I get without encryption, and replaying the request works. So it's definitely something in this header value.

This is the header value that does pass through:

IdSrvSaml <Assertion ID="_6a775e39-a369-4f11-b173-3914ffb21839" IssueInstant="2013-10-21T07:48:43.046Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://login.dev.netformx.com/IDP/issue/wsfed</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_6a775e39-a369-4f11-b173-3914ffb21839"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>gj/Iad9M58yBn4US3Uu7V1GUYhOWsFT3OrrMlbtPusg=</DigestValue></Reference></SignedInfo><SignatureValue>U3nQIy/vL2bDOI8sV/YMzc5/iZPfEeFJN3WeuYRVD1sBnWGTEbaElbs3EudrO2nSBtR5EC8WJ7U2AULXm0jRnTPoxLxHxCBstnNozh/Cb82KSpSqF4JGCvAqxKjMv/T05uAylF1hFHH6qFcRG4CilMyo1X99saySVYib6QA7DHg=</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></Subject><Conditions NotBefore="2013-10-21T07:48:43.037Z" NotOnOrAfter="2013-10-21T17:48:43.037Z"><AudienceRestriction><Audience>https://dev.netformx.com/cloud/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>nfxtest</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>[email protected]</AttributeValue></Attribute><Attribute 
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>CloudReport</AttributeValue><AttributeValue>IdentityServerUsers</AttributeValue><AttributeValue>NetformxCloudUsers</AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/firstname"><AttributeValue>userfirstname                                                                         </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/lastname"><AttributeValue>userlastname                                                                        </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/companyname"><AttributeValue>companytestname</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2013-10-21T07:48:43.019Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>

And this is the header value when encrypting that doesn't pass through:

IdSrvSaml <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>[email protected], CN=*.netformx.com, OU=IT, O=Netformx LTD, L=San Jose, S=California, C=US</X509IssuerName><X509SerialNumber>14992454907473718870</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>JPPwxxL06myHcEadsSpEgrMVuIhvyGcb6nDQs1WEFUsjNEAdc+y9S8ISmVO17rhfaA1VJ/OZyrHcZwghltctDfkRWSylpi2/pTm1CIPZpLfVu5vEHB3VTqySEpMVffcitQhKtl7R/Cmp5t/QnbZIUBeDJn+VpjSBaFyYC0R3JsE=</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></EncryptedAssertion>

Any ideas why the Authorization header doesn't pass through?

Beret answered 21/10, 2013 at 14:54 Comment(0)

The encrypted SAML has invalid characters. You need to base64 encode it.

Epithalamium answered 21/10, 2013 at 19:37 Comment(1)
This seems to be correct. But after base64 encoding the header, the request doesn't even appear to reach my IIS server (nothing in the IIS logs); as far as I can see it's because it became too large... :( I guess I'll ask a new separate question... - Beret
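An added example (not code from the question, the answer, or Thinktecture.IdentityModel) showing the check the answer implies: an HTTP header value may only contain VCHAR, SP, HTAB and obs-text (RFC 7230), so a raw XML token carrying any control character is rejected, while base64-encoding the credential guarantees a legal value. The EncryptedAssertion below is constructed, and the assumption that the offending characters are CRLF line breaks inside CipherValue (a common way XML encryption libraries wrap long base64) is mine; the scheme name IdSrvSaml comes from the question's header.

```python
import base64


SCHEME = "IdSrvSaml"  # scheme used in the question's Authorization header


def _allowed(c: str) -> bool:
    """RFC 7230 field-value characters: HTAB, SP/VCHAR (0x20-0x7E), obs-text (0x80-0xFF).
    CR, LF and other controls are excluded: a CR/LF inside a value terminates
    the header line, which is how a framework ends up treating it as invalid."""
    o = ord(c)
    return c == "\t" or 0x20 <= o <= 0x7E or 0x80 <= o <= 0xFF


def invalid_header_chars(value: str) -> list:
    """(offset, char) pairs that make `value` an illegal HTTP header value."""
    return [(i, c) for i, c in enumerate(value) if not _allowed(c)]


def header_is_valid(value: str) -> bool:
    return not invalid_header_chars(value)


def build_authorization_header(token_xml: str, encode: bool = True) -> str:
    """Build 'IdSrvSaml <credential>'. With encode=True the XML token is base64-encoded
    (standard alphabet, no line breaks), so the credential is only [A-Za-z0-9+/=]."""
    credential = (base64.b64encode(token_xml.encode("utf-8")).decode("ascii")
                  if encode else token_xml)
    header = f"{SCHEME} {credential}"
    bad = invalid_header_chars(header)
    if bad:
        raise ValueError(f"{len(bad)} illegal header char(s), first at offset "
                         f"{bad[0][0]}: {bad[0][1]!r}")
    return header


def parse_authorization_header(header: str) -> str:
    """Receiving side: strip the scheme and base64-decode back to the XML token."""
    scheme, _, credential = header.partition(" ")
    if scheme != SCHEME:
        raise ValueError(f"unexpected scheme {scheme!r}")
    return base64.b64decode(credential, validate=True).decode("utf-8")


# Constructed sample (not the question's real token): an EncryptedAssertion whose
# CipherValue was serialised with a CRLF inside it.
ENCRYPTED_ASSERTION = (
    '<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\r\n'
    'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></EncryptedAssertion>'
)
```

Base64 grows the credential by roughly a third, so the encoded header is larger than the raw token; compare `len(build_authorization_header(...))` against whatever header-size limit your server enforces before assuming a size problem is elsewhere.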
