Issue With Certificates In WsFederation Middleware

May 8, 2014 at 9:46 AM
I'm having multiple issues setting my certificates for validating signatures and for decryption in the Microsoft.Owin.Security.WsFederation Middleware.

Issue 1 - Decryption
The error message I receive is
IDX10201: None of the the SecurityTokenHandlers could read the 'securityToken':

I have an X509Certificate2 object but I don't know where to set it. I've tried IssuerSigning... Key, Keys, Token and Tokens in TokenValidationParameters but always get the same error

Issue 2 - Signature Validation
I'm pointing to a federation metadata document (which contains the signing public key) but for added peace of mind I want to only validate against a certificate saved on the RP. I therefore set IssuerSigningKey, Keys, Token or Tokens in TokenValidationParameters to the Signing Cert in the RP, but with any of these set "RedirectToIdentityProvider" fires but I never see the login page in my browser. If I remove "Metadataaddress=" and manually set "IssuerAddress=" then everything works, including Signature Validation. Is there no way to use the Metadata document but override the valid certificate for validating signatures?
May 28, 2014 at 5:36 PM
For Issue 2 - We assume that the Metadata is trusted, along with anything you add in the TokenValidationParameters. The combined set is (or soon will be) used to validate incoming tokens.
May 28, 2014 at 11:09 PM
Thanks for clarifying this issue. As it stands I've felt it best to simply not use Metadata documents and assign everything manually. That way a DNS poisoning attack won't render the infrastructure insecure, as there will be no way to introduce another trusted cert without access to the server.
It might be a nice feature to introduce a switch (Ignore Metadata Cert) for the overly cautious like myself so we can still enjoy the ease of updating endpoints across RPs without the added security concern.

I've still not worked out a simple place to set the cert for decryption so if this becomes available I'd be very interested.
May 29, 2014 at 3:38 PM
For Signature Validation you can use: TokenValidationProperties.IssuerSigningKey = new X509SecurityKey(cert).
For reading as Saml or Saml2, for now, you will need to use the .Net 45 library Saml2SecurityTokenHandler or SamlSecurityTokenHandler. You will need to set the Configuration property on these before reading. The current implementation will validate signatures during the read and you will need to set: Configuration.IssuerTokenResolver (contains signing key) and ServiceTokenResolver (contains encryption key).

We don't support reading SAML tokens just yet.
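An added example, not code from this thread or from the Katana project, that puts the two settings in this reply into a compilable shape: the signing key pinned through TokenValidationParameters.IssuerSigningKey (the thread's way of refusing any certificate that a tampered metadata document might introduce), and the .NET 4.5 System.IdentityModel.Tokens.Saml2SecurityTokenHandler configured with an IssuerTokenResolver for the signing key and a ServiceTokenResolver for the RP's decryption key before it reads a token. The thumbprints, issuer and realm URIs, store names and the FederationConfig/ReadSaml2Token names are placeholders and assumptions. The token is read with the handler directly, which a later post in this thread reports does work, rather than through the middleware's SecurityTokenHandlers collection, where the same post reports it does not.

```csharp
// Added example (not code from the thread or from the Katana project).
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class FederationConfig
{
    // Placeholders: replace with the thumbprints of the certificates installed on the RP.
    const string IdpSigningThumbprint = "<IDP-SIGNING-CERT-THUMBPRINT>";
    const string RpEncryptionThumbprint = "<RP-ENCRYPTION-CERT-THUMBPRINT>";

    // Assumed values: the IdP issuer URI and this RP's realm.
    const string IdpIssuer = "http://adfs.example.test/adfs/services/trust";
    const string RpRealm = "https://rp.example.test/";

    // Loads exactly one certificate by thumbprint from the machine store.
    public static X509Certificate2 LoadFromStore(string thumbprint, StoreName name)
    {
        var store = new X509Store(name, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, so a self-signed IdP signing cert with no chain to a trusted root is still returned;
            // trust comes from pinning the thumbprint, not from chain building.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one certificate with thumbprint " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Pins signature validation to the certificate stored on the RP instead of whatever the metadata advertises.
    public static TokenValidationParameters BuildValidationParameters(X509Certificate2 idpSigningCert)
    {
        return new TokenValidationParameters
        {
            IssuerSigningKey = new X509SecurityKey(idpSigningCert),
            ValidIssuer = IdpIssuer,
            ValidAudience = RpRealm,
        };
    }

    // Configures the .NET 4.5 handler: IssuerTokenResolver holds the IdP signing key (signature check during read),
    // ServiceTokenResolver holds the RP key that unwraps the assertion's encryption key.
    public static Saml2SecurityTokenHandler BuildSaml2Handler(X509Certificate2 idpSigningCert,
                                                             X509Certificate2 rpEncryptionCert)
    {
        if (!rpEncryptionCert.HasPrivateKey)
            throw new InvalidOperationException("The RP encryption certificate must carry its private key to decrypt assertions.");

        var signingTokens = new List<SecurityToken> { new X509SecurityToken(idpSigningCert) };
        var decryptionTokens = new List<SecurityToken> { new X509SecurityToken(rpEncryptionCert) };

        var config = new SecurityTokenHandlerConfiguration
        {
            IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(signingTokens.AsReadOnly(), false),
            // canCreateKey: true lets the resolver derive the symmetric key from the <EncryptedKey> element.
            ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(decryptionTokens.AsReadOnly(), true),
        };
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RpRealm));

        return new Saml2SecurityTokenHandler { Configuration = config };
    }

    // Reads (and, for an <EncryptedAssertion>, decrypts) a raw token string with the configured handler.
    public static SecurityToken ReadSaml2Token(Saml2SecurityTokenHandler handler, string tokenXml)
    {
        using (var reader = XmlReader.Create(new StringReader(tokenXml)))
        {
            if (!handler.CanReadToken(reader))
                throw new SecurityTokenException("Handler cannot read this token.");
            return handler.ReadToken(reader);
        }
    }

    public static void ConfigureAuth(IAppBuilder app)
    {
        // Signing cert needs only the public key; the encryption cert must be the RP's own key pair.
        X509Certificate2 idpSigningCert = LoadFromStore(IdpSigningThumbprint, StoreName.TrustedPeople);
        X509Certificate2 rpEncryptionCert = LoadFromStore(RpEncryptionThumbprint, StoreName.My);
        Saml2SecurityTokenHandler saml2Handler = BuildSaml2Handler(idpSigningCert, rpEncryptionCert);

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = RpRealm,
            MetadataAddress = "https://adfs.example.test/FederationMetadata/2007-06/FederationMetadata.xml",
            TokenValidationParameters = BuildValidationParameters(idpSigningCert),
        });
    }
}
```

The metadata address is still used for endpoint discovery; what the pinned IssuerSigningKey changes is that a signature made with any other certificate, including one advertised by a substituted metadata document, fails validation. Keeping the RP encryption certificate in StoreName.My with its private key, and the IdP signing certificate in a separate store without one, keeps the two trust roles from being confused.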
May 29, 2014 at 10:24 PM
Does this Saml2SecurityTokenHandler need to be configured on WsFederationAuthenticationOptions as one of the SecurityTokenHandlers?
May 29, 2014 at 10:51 PM
The response I receive is " None of the the SecurityTokenHandlers could read the 'securityToken'". Basically, I set SecurityTokenHandlers on WsFederationAuthenticationOptions and replaced Saml2SecurityTokenHandler to include a valid ServiceTokenResolver and IssuerTokenResolver. Doesn't work. The exception message also shows the <EncryptedAssertion>...</EncryptedAssertion> and I tried to decrypt it using the same Saml2SecurityTokenHandler I put into the OWIN SecurityTokenHandlers. It worked. So it looks like I am not setting some OWIN WsFederationAuthenticationOptions setting properly. Any direction where to go from here?
May 29, 2014 at 10:55 PM
Just to be clear: Saml2SecurityTokenHandler can read the encrypted assertion, but when I use it with the OWIN SecurityTokenHandlers it returns an error: None of the the SecurityTokenHandlers could read the 'securityToken'
May 30, 2014 at 12:13 AM
Also, I noticed that there is an extension, Microsoft.IdentityModel.Extensions.Saml2SecurityTokenHandler; is that what should be used instead of System.IdentityModel.Tokens.Saml2SecurityTokenHandler?
Jul 9, 2014 at 10:42 PM
I updated to the wsfederation rc1 today. We used the .net 4 WIF STS Wizard to set up our previous project. It works great, but I cannot make this work.
I don't know what I need or don't need to make this work, and I'm trying anything.
I still get the same error as the OP if I don't set up the SecurityTokenHandler.
I created two X509Certificate2 objects and loop through the certificates to get those, and I set the security tokens whether I need them or not.
I create the X509SecurityTokenHandler, but I don't know how to set up the handler.
If I publish with this handler setup I get "Object reference not set to an instance of an object." So I know it's not initialized correctly.
public void ConfigureAuth(IAppBuilder app) {
        X509Certificate2 certADFS = new X509Certificate2();
        X509Certificate2 certATServer = new X509Certificate2();
        System.IdentityModel.Tokens.TokenValidationParameters MyTVP = new System.IdentityModel.Tokens.TokenValidationParameters();
        X509SecurityToken stATServer = new X509SecurityToken(certATServer);
        X509SecurityToken stADFS = new X509SecurityToken(certADFS);
        List<SecurityToken> mySigningTokens = new List<SecurityToken>();
        // Is the Issuer the ADFS server? Does the server certificate go in the TokenValidationParameters at all? I tried both.
        MyTVP.IssuerSigningTokens = mySigningTokens;
        MyTVP.IssuerSigningKey = new X509SecurityKey(certATServer);

        X509SecurityTokenHandler x509STH = new X509SecurityTokenHandler();

        var AdfsOptions = new WsFederationAuthenticationOptions();

        AdfsOptions.Wtrealm = "";
        //AdfsOptions.Wreply = "";
        AdfsOptions.MetadataAddress = "";
        //AdfsOptions.IssuerAddress = "";
        AdfsOptions.Caption = "Employee SignIn";
        AdfsOptions.TokenValidationParameters = MyTVP;
        // At this point do I add the newly created handler to the SecurityTokenHandlers?
        // I think the token resolver needs to know about the tokens, but not sure.
        SecurityTokenResolver resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(mySigningTokens.AsReadOnly(), true);
        SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
        // I have no clue how to configure these handlers.
        AdfsOptions.SecurityTokenHandlers.Configuration.IssuerTokenResolver = resolver;
        AdfsOptions.SecurityTokenHandlers.Configuration.ServiceTokenResolver = resolver;
        // I tried the AuthenticationType to get the form, but it doesn't work
        //AdfsOptions.AuthenticationType = "urn:oasis:names:tc:SAML:1.0:am:password.Federation";
        AdfsOptions.AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive;