WS-Trust not authenticating with PHP
It's doing my head in... What am I missing here? It must be something with the timestamp, because when I play with those I get different errors...

I've got the following envelope (which is how the provider gave it to me to use), but it keeps giving me:

    <s:Body>
        <s:Fault>
            <s:Code>
                <s:Value>s:Sender</s:Value>
                <s:Subcode>
                    <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
                </s:Subcode>
            </s:Code>
            <s:Reason>
                <s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text>
            </s:Reason>
        </s:Fault>
    </s:Body>

This is my code:

    // Timestamp values for the wsu:Timestamp header (method belongs to the same class).
    $c = $this->getTimestamp();      // Created
    $e = $this->getTimestamp(300);   // Expires, offset in seconds

    // WS-Trust 1.3 RST/Issue, UsernameToken with PasswordText, Bearer key type.
    $envelope = '
    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
            <a:MessageID>urn:uuid:4137dbed-db9f-40d9-ba9c-6fc82eb8aa46</a:MessageID>
            <a:ReplyTo>
                <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
            </a:ReplyTo>
            <a:To s:mustUnderstand="1">https://sts.service.net/adfs/services/trust/13/usernamemixed</a:To>
            <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <u:Timestamp u:Id="_0">
                    <u:Created>'.$c.'</u:Created>
                    <u:Expires>'.$e.'</u:Expires>
                </u:Timestamp>
                <o:UsernameToken u:Id="uuid-4137dbed-db9f-40d9-ba9c-6fc82eb8aa46">
                    <o:Username>'.$username.'</o:Username>
                    <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'.$password.'</o:Password>
                </o:UsernameToken>
            </o:Security>
        </s:Header>
        <s:Body>
            <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                        <wsa:Address>'.$appliesTo.'</wsa:Address>
                    </wsa:EndpointReference>
                </wsp:AppliesTo>
                <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
                <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
            </trust:RequestSecurityToken>
        </s:Body>
    </s:Envelope>
    ';

    // POST the envelope to the ADFS usernamemixed endpoint as SOAP 1.2.
    $soap_do = curl_init();
    curl_setopt($soap_do, CURLOPT_URL, "https://sts.service.net/adfs/services/trust/13/usernamemixed");
    curl_setopt($soap_do, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($soap_do, CURLOPT_HEADER, 0);
    curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($soap_do, CURLOPT_TIMEOUT, 20);
    // Both settings below turn off TLS certificate and hostname verification;
    // the request carries a clear-text password, so they should be 1 and 2 outside debugging.
    curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($soap_do, CURLOPT_POST, true);
    curl_setopt($soap_do, CURLOPT_POSTFIELDS, $envelope);
    curl_setopt($soap_do, CURLOPT_HTTPHEADER, array('Content-Type: application/soap+xml; charset=utf-8'));

    $this->payload = curl_exec($soap_do);
Portugal answered 1/7, 2015 at 11:8 Comment(0)
You are putting the current timestamp in both the Created element and the Expires element. That means that when the receiver receives the RST, the message will have expired and the receiver will be forced to reject it. Use e.g.:

gmdate("Y-m-d\TH:i:s\Z", time() + 300);

for the Expires element.

Also check for clock drift: the time on the client as well as the server should be synchronized.

Last but not least: by default ADFS 2.0 will try and encrypt the token in the response so it requires the configuration of an encryption certificate for the Relying Party. Make sure that you've configured one for the entity associated with appliesTo. The ADFS error logs should give you a hint about that error.

Weir answered 3/7, 2015 at 13:10 Comment(9)
This did not solve the problem. I've tried playing with the timestamps. - Portugal
Added a comment about synchronized time. - Weir
And a comment about the encryption certificate; otherwise the code is OK and works for me. - Weir
The server I am talking to is from another provider. They offer no support. How can I check the time on theirs? I know my server is in sync with the nntp. Also, they show no information about the certificate, nor where I can get one. I believe it must be something like that, because my error message is different when I play with the timestamp. So I'm guessing one error message is about the timestamp being incorrect and failing; with the other it gets past it and it is that certificate problem you mention. I have no idea how to get it, or set it up with PHP... Your help would be greatly appreciated... - Portugal
I just noticed that you ask for a Bearer token, so an encryption certificate is not needed. I removed the encryption cert on my ADFS server and ran your code successfully. You'll need to check the server settings. How did the remote server get the configuration for your appliesTo client in the first place? - Weir
Also: I can reproduce the error by messing up the timestamps, so it is still definitely possible that there's a clock drift issue; you could use offsets that allow for more slack, e.g. $c = $this->getTimestamp(-300); and $e = $this->getTimestamp(3600); - Weir
As I said, I have no control over the server; it's a service from another company. When I change the timestamp as you mentioned, I still get "ID3242: The security token could not be authenticated or authorized." - Portugal
I could send you the actual script I have with u&p (as it's a public service). Please help me at [email protected] (I can send you my script) (we could post the answer here afterwards, according to SO guidelines of course). - Portugal
Hi @renevdkooi, I would like to have a look at this problem. I will need the script to debug it though. Please look for an email from me with subject ITSBEN. Reply with the script and we will take it from there. - Torytoryism
I did the following to resolve the issue: I changed the timestamps to current_time - 300 seconds and current_time + 3600 seconds.

It works.

Aramaic answered 29/1, 2017 at 8:43 Comment(0)
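The fix that both the comment thread under the first answer and the second answer arrive at is the same: backdate Created by 300 seconds and push Expires 3600 seconds forward so clock drift between client and STS cannot make the message fall outside the Timestamp window. The following is an added example, not the asker's or either answerer's code. It builds the same RST envelope with that window, escapes the credentials before interpolating them into the XML, generates a fresh MessageID per request, posts it with TLS verification left on, and decodes the s:Fault from the question so the Subcode (a:InvalidSecurity) can be read programmatically. The endpoint, AppliesTo and credential values are placeholder assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the original post). Placeholder STS/credentials below.

const SOAP12_NS = 'http://www.w3.org/2003/05/soap-envelope';

/** xs:dateTime in UTC with a trailing Z, the form the u:Created / u:Expires elements expect. */
function wsuTime(int $unixTime): string
{
    return gmdate('Y-m-d\TH:i:s\Z', $unixTime);
}

/** Created = now - skew, Expires = now + lifetime: the -300 / +3600 window from the answers. */
function timestampWindow(int $now, int $createdSkew = 300, int $lifetime = 3600): array
{
    return ['created' => wsuTime($now - $createdSkew), 'expires' => wsuTime($now + $lifetime)];
}

/** Escape text before placing it in XML so a password containing < or & cannot reshape the envelope. */
function xmlText(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

function buildRst(string $sts, string $username, string $password, string $appliesTo, int $now): string
{
    $ts = timestampWindow($now);
    $id = bin2hex(random_bytes(16));   // new MessageID per request instead of a pasted constant
    $u = xmlText($username); $p = xmlText($password); $to = xmlText($sts); $applies = xmlText($appliesTo);
    return <<<XML
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:{$id}</a:MessageID>
    <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">{$to}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0"><u:Created>{$ts['created']}</u:Created><u:Expires>{$ts['expires']}</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-{$id}">
        <o:Username>{$u}</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{$p}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>{$applies}</wsa:Address></wsa:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>
XML;
}

/** POST the envelope as SOAP 1.2; certificate and hostname checks stay on because the body carries a password. */
function sendRst(string $sts, string $envelope): string
{
    $ch = curl_init($sts);
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_POSTFIELDS => $envelope, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => ['Content-Type: application/soap+xml; charset=utf-8'],
        CURLOPT_CONNECTTIMEOUT => 20, CURLOPT_TIMEOUT => 20,
        CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException('curl: ' . curl_error($ch)); }
    curl_close($ch);
    return $body;
}

/** Returns code/subcode/reason of a SOAP 1.2 fault, or null when the response is not a fault. */
function parseSoapFault(string $xml): ?array
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($xml, LIBXML_NONET);   // no network fetches while parsing an untrusted response
    libxml_use_internal_errors($prev);
    if (!$ok) { return null; }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('s', SOAP12_NS);
    $fault = $xp->query('/s:Envelope/s:Body/s:Fault')->item(0);
    if ($fault === null) { return null; }
    return [
        'code'    => $xp->evaluate('string(s:Code/s:Value)', $fault),
        'subcode' => $xp->evaluate('string(s:Code/s:Subcode/s:Value)', $fault),
        'reason'  => $xp->evaluate('string(s:Reason/s:Text)', $fault),
    ];
}

// Constructed sample: the fault body from the question, wrapped in an Envelope.
$sampleFault = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value>'
    . '<s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value></s:Subcode></s:Code>'
    . '<s:Reason><s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>';
print_r(parseSoapFault($sampleFault));
print_r(timestampWindow(time()));
// Live use (placeholders): parseSoapFault(sendRst($sts, buildRst($sts, $user, $pass, $appliesTo, time())));
```

When the STS rejects the request, parseSoapFault gives "a:InvalidSecurity" as the subcode regardless of whether the cause was the Timestamp window or the credentials, which is why the answer points at the ADFS event log on the server side for the specific reason; on the client side, widening the window as above is the only part of that diagnosis you control.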
