Change the STS server programmatically in a METRO SOAP Client - soap

Is it possible to change the Secure Token Server that my client uses during runtime?
I have a working METRO 2.3 client for a .NET service that is secured using the Security Token Service of Active Directory Federation Services.
Everything is configured using XML files.
The service offers two identical servers: one for testing and one for production.
Is it possible to switch the server at runtime?
My shortened wsit-client.xml:
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
<import location="mex.xml" namespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"/>
<import location="myservice.svc.xml" namespace="http://namespace.org/"/>
</definitions>
And the important part of my mex.xml:
<wsdl:definitions name="SecurityTokenService"
targetNamespace="http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
xmlns:wsa10="http://www.w3.org/2005/08/addressing"
xmlns:wsp1="http://www.w3.org/ns/ws-policy"
xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client">
<wsdl:service name="SecurityTokenService">
<wsdl:port name="IssuedTokenWSTrustBinding_IWSTrust13Async" binding="tns:IssuedTokenWSTrustBinding_IWSTrust13Async">
<soap12:address location="http://login.test.miljoeportal.dk/adfs/services/trust/13/issuedtokensymmetricbasic256sha256"/>
<wsa10:EndpointReference>
<wsa10:Address>http://login.test.theserver.com/adfs/services/trust/13/issuedtokensymmetricbasic256sha256</wsa10:Address>
<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>THECERTIFICATE</X509Certificate>
</X509Data>
</KeyInfo>
</Identity>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
<wsp1:Policy wsu:Id="IssuedTokenWSTrustBinding_IWSTrust13AsyncPolicy">
<wsp1:ExactlyOne>
<wsp1:All>
<tc:PreconfiguredSTS wspp:visibility="private"
endpoint= "http://login.test.theserver.com/adfs/services/trust/13/username"
wsdlLocation="https://login.test.theserver.com/adfs/services/trust/mex"
metadata= "https://login.test.theserver.com/adfs/services/trust/mex"
serviceName="SecurityTokenService"
portName="UserNameWSTrustBinding_IWSTrust_13Async"
wstVersion="http://docs.oasis-open.org/ws-sx/ws-trust/200512"/>
</wsp1:All>
</wsp1:ExactlyOne>
</wsp1:Policy>
</wsdl:definitions>
Is it possible to change the http://login.test.theserver.com URLs to http://login.prod.theserver.com during runtime?

It is possible to set these parameters like this:
import java.util.Map;
import javax.xml.ws.BindingProvider;
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;

MyService s = new MyService();                               // generated service class
MyServicePortType myserviceinterface = s.getMyService();     // generated port interface (type name as produced by wsimport)
Map<String, Object> context = ((BindingProvider) myserviceinterface).getRequestContext();
// Target service endpoint
context.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://service.theserver.com/wsdl");
// STS coordinates; these override what wsit-client.xml / mex.xml preconfigured
String stsEndpoint = "http://login.theserver.com/adfs/services/trust/13/username";
String stsWSDLLocation = "https://login.theserver.com/adfs/services/trust/mex";
String stsServiceName = "SecurityTokenService";
String stsPortName = "UserNameWSTrustBinding_IWSTrust13Async";
String stsNamespace = "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice";
context.put(STSIssuedTokenConfiguration.STS_ENDPOINT, stsEndpoint);
context.put(STSIssuedTokenConfiguration.STS_NAMESPACE, stsNamespace);
context.put(STSIssuedTokenConfiguration.STS_WSDL_LOCATION, stsWSDLLocation);
context.put(STSIssuedTokenConfiguration.STS_SERVICE_NAME, stsServiceName);
context.put(STSIssuedTokenConfiguration.STS_PORT_NAME, stsPortName);
I have not found a way to change the keystore settings in runtime.

Related

SAML Single logout through OKTA

I have got the following SP's request and IDP's response:
<samlp:LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Destination="https://dev-nnn.oktapreview.com/app/somename_hped800eportal_1/exk8dlkd0tCutHWlj0h7/slo/saml" ID="_af6eaa4a-9d5b-41ce-b265-d39dfdc5248e" Version="2.0" IssueInstant="2016-10-14T12:31:59Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="http://www.w3.org/2005/Atom">https://HPED800E:444/SynPortal/login.aspx</saml:Issuer>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">CDA_Main\hjami</saml:NameID>
<samlp:SessionIndex>_d9f07562-3a7f-4c03-a62d-8a985f34058f</samlp:SessionIndex>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>bBbMvzSjRc0zc1jtIxmqmkO4bYo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...5g==</SignatureValue>
<KeyInfo><X509Data><X509Certificate>...Cw==</X509Certificate></X509Data></KeyInfo>
</Signature>
</samlp:LogoutRequest>
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://hped800e:444/SynPortal/logout.aspx" ID="id50277036872307661186452042" InResponseTo="_1eef2809-b49e-412e-a0c5-3596e3c0b158" IssueInstant="2016-10-14T00:32:05.949Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk8dlkd0tCutHWlj0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id50277036872307661186452042">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>3k7z8GF3kBemyYm+6+mEbZMSAYw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...MA==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>...VNm</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
</saml2p:Status>
</saml2p:LogoutResponse>
The request is Base64-encoded and then sent via the POST binding.
I am getting the AuthnFailed response.
I have set up only one sp for the IDP for simplicity.
Does anyone know what I am doing wrong here?
This information is insufficient to determine what has gone wrong in your implementation of single logout. Can you please provide the following information?
1) Your single logout settings in Okta, which can be found under SAML Settings -> Advanced Settings on the General tab of your app.
2) Based on the above settings, please make sure you have uploaded the certificate to Okta.
3) Which SAML toolkit are you using? Can you provide the settings for your toolkit?
See the working SLO request below.
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_d2be8c5de3aeeeac27c8xxxxyyyy"
Version="2.0"
IssueInstant="2016-04-27T16:15:06Z"
Destination="https://org-name.okta.com/app/simplesamlphpexample/exk4xxyyPcvdVq70x7/slo/saml"
>
<saml:Issuer>http://localhost:8888/simplesamlphp/www/module.php/saml/sp/metadata.php/example-okta-com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_d1be8c5dc2aeeeac27c8daf04b7xxxyyy6b36287bd6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>{{some_value}}</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>{{some_value}}</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>{{some_value}}</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{{email}}</saml:NameID>
<samlp:SessionIndex>{{some_value}}</samlp:SessionIndex>
</samlp:LogoutRequest>
Comparing the SLO settings for your request and mine, a few things stood out.
1) The CanonicalizationMethod Algorithm in my case is set to http://www.w3.org/2001/10/xml-exc-c14n#. Yours is http://www.w3.org/TR/2001/REC-xml-c14n-20010315.
2) The Name ID in your case is "CDA_Main\hjami". Can you please let me know which attribute in Okta this is? Also, have you overridden the userName of your app using the mappings from Okta to the app (under Profile Editor -> your app mappings)? For example, I am overriding the app userName from the Okta login/email to be a custom attribute.
If you are using another attribute (whose value is set to CDA_Main\hjami) from Okta as the username of the app, please make sure that you are overriding it like I am doing in the screenshot above.
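The answer above compares two LogoutRequests by eye. The following Python script, an added example that is not part of this thread or of any SAML toolkit, does that comparison mechanically: it decodes a POST-binding value, then reports the facts an IdP checks before it even tries to verify the signature (root element namespace, the namespaces of Issuer and NameID, the CanonicalizationMethod, whether the ds:Reference URI points at the message ID, and the StatusCode on a response). It goes slightly beyond the answer's c14n point by also checking the element namespaces. The two embedded samples are constructed: the first copies the namespace declarations visible in the asker's request, the second the shape of the working request; their IDs, hostnames (sp.example, idp.example) and signature values are placeholders, so neither would verify cryptographically, and the script deliberately does no signature verification.

```python
"""Structural pre-check of a SAML 2.0 LogoutRequest/LogoutResponse (HTTP-POST binding)."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def split_tag(tag):
    """'{ns}local' -> (ns, local); an unqualified tag gets an empty namespace."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def find_local(elem, local):
    """First element (elem itself or a descendant) with this local name, in any namespace."""
    for child in elem.iter():
        if split_tag(child.tag)[1] == local:
            return child
    return None


def encode_for_post(xml_text):
    """Base64 as carried in the SAMLRequest / SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_logout_message(post_value):
    """Decode a POST-binding value; 'findings' are problems, 'notes' are advisory.
    Signature verification is out of scope: this is the check that runs before it."""
    root = ET.fromstring(base64.b64decode(post_value))
    root_ns, kind = split_tag(root.tag)
    msg_id = root.get("ID")
    info = {"type": kind, "id": msg_id, "destination": root.get("Destination"),
            "findings": [], "notes": []}
    findings = info["findings"]
    if root_ns != SAMLP:
        findings.append(f"{kind} is in namespace {root_ns!r}, expected {SAMLP}")
    # Issuer and NameID must be in the assertion namespace; a toolkit that resolves
    # them by qualified name will otherwise not see them at all.
    for name in ("Issuer", "NameID"):
        el = find_local(root, name)
        if el is None:
            if name == "Issuer" or kind == "LogoutRequest":
                findings.append(f"{name} element missing")
            continue
        info[name.lower()] = (el.text or "").strip()
        el_ns = split_tag(el.tag)[0]
        if el_ns != SAML:
            findings.append(f"{name} is in namespace {el_ns!r}, expected {SAML}")
    status = find_local(root, "StatusCode")
    if status is not None:
        info["status"] = status.get("Value")
        if info["status"] != SUCCESS:
            findings.append(f"IdP answered with status {info['status']}")
    sig = find_local(root, "Signature")
    if sig is None:
        findings.append("message is not signed")
        return info
    if split_tag(sig.tag)[0] != DS:
        findings.append("Signature is not in the XML-DSig namespace")
    c14n = find_local(sig, "CanonicalizationMethod")
    sig_method = find_local(sig, "SignatureMethod")
    ref = find_local(sig, "Reference")
    info["c14n"] = c14n.get("Algorithm") if c14n is not None else None
    info["signature_method"] = sig_method.get("Algorithm") if sig_method is not None else None
    info["reference_uri"] = ref.get("URI") if ref is not None else None
    if info["c14n"] != EXC_C14N:
        findings.append(f"CanonicalizationMethod is {info['c14n']}; the working request uses {EXC_C14N}")
    if info["reference_uri"] != f"#{msg_id}":
        findings.append(f"Reference URI {info['reference_uri']!r} does not point at ID {msg_id!r}")
    if info["signature_method"] and info["signature_method"].endswith("sha1"):
        info["notes"].append("SHA-1 based SignatureMethod; use rsa-sha256 where the IdP accepts it")
    return info


# Constructed samples (not real messages): the first copies the namespace declarations
# of the asker's request, the second the shape of the answer's working request.
# IDs, hostnames and signature values are placeholders.
ASKER_STYLE_REQUEST = (
    '<samlp:LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req-1" Version="2.0"'
    ' IssueInstant="2016-10-14T12:31:59Z" Destination="https://idp.example/slo/saml">'
    '<saml:Issuer xmlns:saml="http://www.w3.org/2005/Atom">https://sp.example/login.aspx</saml:Issuer>'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">DOMAIN\\user</saml:NameID>'
    '<samlp:SessionIndex>_session-1</samlp:SessionIndex>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<Reference URI=""><DigestValue>PLACEHOLDER=</DigestValue></Reference>'
    '</SignedInfo><SignatureValue>PLACEHOLDER=</SignatureValue></Signature></samlp:LogoutRequest>'
)
WORKING_STYLE_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-2" Version="2.0"'
    ' IssueInstant="2016-04-27T16:15:06Z" Destination="https://idp.example/slo/saml">'
    '<saml:Issuer>https://sp.example/metadata</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#_req-2"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>'
    '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>'
    '<samlp:SessionIndex>_session-2</samlp:SessionIndex></samlp:LogoutRequest>'
)

if __name__ == "__main__":
    for label, xml_text in (("asker", ASKER_STYLE_REQUEST), ("working", WORKING_STYLE_REQUEST)):
        report = inspect_logout_message(encode_for_post(xml_text))
        print(label, report["type"], report["id"], *report["findings"], sep="\n  ")
```

Run against the asker-style sample it reports four findings (Issuer and NameID outside the assertion namespace, inclusive instead of exclusive C14N, and a Reference URI of "" rather than "#ID"); the working-style sample yields none, only the advisory note about rsa-sha1. Feeding it the base64 value captured from the browser's POST is the quickest way to see which of these an IdP is rejecting before digging into certificates.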
I also had a hard time in making this Logout request successfully.
Here is the solution that worked for me:
You'll need the following keys:
(a) Service provider's (your application's) private key, e.g. sp-pvt-key.pem
(b) Service provider's public key, e.g. sp-pub-key.pem
Note: You can generate these keys via openssl from your terminal.
Steps:
Provide the SP's private key in the SAML configuration strategy in your application's code.
Upload the SP's public key in Okta's logout configuration.
Now you'll get a successful logout response.

iPhone calling web service with manually encrypted message

I'm developing an iOS app which will invoke a web service operation. The existing web service is configured with wsHttpBinding security set as TransportWithMessageCredential.
I've used wsdl2objc to generate the implementation files (from the WSDL) and have set up a small app for testing purposes. I'm not able to get the app to talk to the web service correctly though, and from what I've read it seems virtually impossible with these web config settings (wsHttpBinding, Transport and Message security).
I've done quite a bit of research, and with the help of information found on this site (and others), I've managed to find out what the SOAP requests should look like. I basically used WCF Test Client with Fiddler monitoring the traffic. I also tried soapUI, which wasn't as successful as I'd hoped.
I did set up a test web service locally and I can successfully consume it, but only when the web config has security using BasicHttpBinding or wsHttpBinding security mode = "none" (which I understand is just like basicHttpBinding).
My solution (I hope) is... what if I write a web service to call this web service? Both web services will reside on the server, but the one the iPhone will consume is configured with SSL. The idea is then to manually encrypt the operation (and necessary attributes) using an iOS security framework (HMAC) or other hashing algorithm, and have the SSL web service decrypt and then invoke the requested operation from the existing web service. Does this make sense? I'm thinking this seems too simple, that I must be missing something. Does anyone see any real problem with this?
Thanks.
Edit: I just wanted to clarify my situation a little: My app is not able to consume the existing web service as it is configured. My thought was to create a web service which will talk with this one. The new web service will simply decrypt the incoming data and invoke a method on the existing web service. Once a response is received, the new web service will encrypt the data and send it back to the iPhone app. Sorry if I'm not being clear.
Update
Here is the soap envelope (from Fiddler):
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IService/ValidateMe</a:Action>
<a:MessageID>urn:uuid:81d70393-5356-4e3a-b209-49ea53068935</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://mibe.stpa.com/WCFService/IVService.svc/ValidationService</a:To>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="_0">
<u:Created>2013-02-10T04:48:18.646Z</u:Created>
<u:Expires>2013-02-10T04:53:18.646Z</u:Expires>
</u:Timestamp>
<c:SecurityContextToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="uuid-0191ec20-905d-4ef0-a818-3eced0e02ecf-32">
<c:Identifier>urn:uuid:06bd1d3e-97e5-41bc-afce-3993736f202d</c:Identifier>
</c:SecurityContextToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>/RpEprwYbnSypHXVF/rdxn3nkRo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>ya8hHooO129dNOHplhY3xRndoDk=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-0191ec20-905d-4ef0-a818-3eced0e02ecf-32"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body>
<ValidateMe xmlns="http://tempuri.org/">
<memberId>950470173</memberId>
</ValidateMe>
</s:Body>
</s:Envelope>

How to Display WCF Web HTTP Service Help Page like asmx in .net framework 3.5

How do I display the WCF Web HTTP Service Help Page like asmx in .NET Framework 3.5?
There is no exact page available, but you can use the WCF utility available with Visual Studio 2010.
Use WcfTestClient:
Open the Visual Studio 2010 command prompt
Type WcfTestClient (it opens a window)
Choose the Add Service option
Add a URL like http://localhost:8732/Design_Time_Addresses/WcfServiceLibrary1/Service1/mex
You can replace it with your hosted service.
Hope this helps.
https://msdn.microsoft.com/en-us/library/ee230442(v=vs.110).aspx
http://www.c-sharpcorner.com/UploadFile/dhananjaycoder/enabling-help-page-for-rest-service-in-wcf-4-0/
(I'm literally paraphrasing these links)
Add a Description attribute to the method, and probably WebGet as well, like:
[OperationContract]
[WebGet(UriTemplate="/template1", BodyStyle = WebMessageBodyStyle.Bare)]
[Description("Description for GET /template1")]
SyndicationFeedFormatter GetTemplate1();
Expose the endpoint via web.config...
<endpointBehaviors>
<behavior name="RESTEndpointBehavior">
<webHttp enableHelp="true"/>
</behavior>
</endpointBehaviors>
<!-- ... -->
<services>
<service behaviorConfiguration="RESTWebServiceBehavior" name="RESTWebService">
<endpoint address="" kind="webHttpEndpoint" behaviorConfiguration="RESTEndpointBehavior" contract="IHello" />
<!-- ... -->
</service>
</services>
...or in code
using (WebServiceHost host = new WebServiceHost(typeof(Service), new Uri("http://localhost:8000/Customers")))
{
host.AddServiceEndpoint(typeof(ICustomerCollection), new WebHttpBinding(), "");
host.Description.Endpoints[0].Behaviors.Add(new WebHttpBehavior { EnableHelp = true });
// ...
}

Hand-crafted WSDL from XSD fails in CXF: the namespace on the "QueryResponse" element, is not a valid SOAP version

I have a web service that follows some of the semantics of a SOAP service, but they don't provide a WSDL for said service. Instead, they provide an XSD, from which I'm reverse-engineering a WSDL. Things seemed to be going well, even so far as to be able to:
create a WSDL
import the XSD as part of the WSDL using the xsd:import tag
create Java wrappers with CXF
call the service.
Now, what I get when I call the service is an exception:
INFO: Creating Service {http://service.something.net/xml}QueryService from WSDL: file:/C:/mydocs/Work/project/my-service.wsdl
Aug 09, 2011 1:22:34 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://service.something.net/xml}QueryService#{http://servicesomething..../xml}QueryRequest has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: "http://service.something.net/xml", the namespace on the "QueryResponse" element, is not a valid SOAP version.
The WSDL can be found in this gist, and the XSD is something I got from the vendor.
What does the error mean? What might I have done wrong in my .wsdl file generation?
Edit 1
I have manually tested the service from the vendor service, and the response seems okay to me:
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Body>
<QueryResponse xmlns="http://service.something.net/xml">
....
</QueryResponse>
</Body>
</Envelope>
Unless I'm missing something, there should not be any reason why CXF even wants the QueryResponse to be a SOAP element, since its namespace isn't SOAP but http://service.something.net/xml.
Where you are importing your XSD:
<wsdl:types>
<xsd:schema targetNamespace="http://service.something.net/xml">
<xsd:include schemaLocation="My-XSD.xsd" />
</xsd:schema>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:import namespace="http://service.something.net/xml"
schemaLocation="My-XSD.xsd">
</xsd:import>
</xsd:schema>
</wsdl:types>
try this instead:
<wsdl:types>
<!-- wrapper schema: declares the xs prefix and only imports the vendor namespace,
     so it must not carry that namespace as its own targetNamespace -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<xs:import namespace="http://service.something.net/xml"
schemaLocation="My-XSD.xsd"/>
</xs:schema>
</wsdl:types>
Basically you shouldn't need the include, just the import. Also you want to specify fully qualified element form.
Hope this works.

How change name in WSDL generated by Zend_Soap_AutoDiscover

I am trying to connect a PHP SOAP server with a client written in C#.
The WSDL is created this way:
$autodiscover = new Zend_Soap_AutoDiscover('Zend_Soap_Wsdl_Strategy_ArrayOfTypeComplex');
$autodiscover->setClass('Soap_Service1');
$autodiscover->handle();
then I receive:
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://www.xx.de/soap/version/1"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
targetNamespace="http://www.xx.de/soap/version/1"
name="Soap_Services1"
>
This 'name="Soap_Services1"' attribute, parsed in C#, looks ugly (Services.Soap_Services1Service). Of course the name is connected with the ServiceBinding and PortType. Is there any way to change it without manually hacking the Zend library?
Yes. Just rename your service class ;)
$autodiscover->setClass('CoolServiceName');
will give you
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://www.xx.de/soap/version/1"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
targetNamespace="http://www.xx.de/soap/version/1"
name="CoolServiceName"
>
Since you're using the autodiscover / magical soap service creator, you can't override the names it creates as-is.
If you want to do this you can extend Zend_Soap_AutoDiscover and implement your own setClass method that uses your own name choice while generating the wsdl.
All you need to do is rename your service class (the one set by the setClass() call) and you're good.