ADFS WS-Fed <-> SAML2.0 integration
kossy Jul 19, 2013 5:17 AM
Hi All,
We're using PicketLink 2.1.6, which acts as IdP in WS-Fed with ADFS (IdP proxy) as bearer. The latter transforms WS-Fed into SAML2 and passes it to the RP.
The problem is that SAML2 requires Subject Confirmation Data (SAML 2.0 spec chap. 2.4.1.2). The error that we're getting on ADFS is:
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data Exception details: System.IdentityModel.Tokens.SecurityTokenException: MSIS3121: SubjectConfirmationData element was missing in received token.
  at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ValidateRequestProperties(Saml2SecurityToken token)
  at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
  at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
We could have migrated to SAML 1.1 where SubjectConfirmationData is nonexistent, but ADFS does not support it.
Code in ADFS which causes it (decompiled excerpt from SamlProtocolService.ValidateRequestProperties):

    {
        // MSIS3121: the assertion must have a Subject with exactly one
        // SubjectConfirmation, and that confirmation must carry SubjectConfirmationData.
        if (((token.Assertion == null) || (token.Assertion.Subject == null))
            || ((token.Assertion.Subject.SubjectConfirmations.Count != 1)
                || (token.Assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData == null)))
        {
            throw new SecurityTokenException(Microsoft.IdentityServer.Service.SR.GetString("MSIS3121", new object[0]));
        }

        // MSIS3045: the single confirmation must use the SAML 2.0 bearer method.
        Saml2SubjectConfirmation confirmation = token.Assertion.Subject.SubjectConfirmations[0];
        if ((confirmation.Method == null)
            || !string.Equals(confirmation.Method.ToString(), Saml2Constants.ConfirmationMethods.Bearer.ToString(), StringComparison.Ordinal))
        {
            throw new SecurityTokenException(Microsoft.IdentityServer.Service.SR.GetString("MSIS3045", new object[0]));
        }
    }
The problem seems to be in lines 153 to 166 of saml20tokenprovider.java in PicketLink.
I've been looking for a bug report or fix, but haven't seen this problem anywhere else?
Thank you for your help.
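The ADFS check quoted in the post, re-implemented in Python over a SAML 2.0 assertion so the two token shapes can be compared offline. This is an added example, not ADFS or PicketLink code; the assertions, issuer and recipient URLs are constructed placeholders.

```python
"""Python mirror of the ADFS SubjectConfirmation check (added example, not ADFS/PicketLink code).
Returns the MSIS error id the decompiled check maps to, or None when the token would pass."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def check_subject_confirmation(assertion_xml: str):
    """MSIS3121: no Assertion/Subject, not exactly one SubjectConfirmation, or no
    SubjectConfirmationData. MSIS3045: Method missing or not the SAML 2.0 bearer URI."""
    root = ET.fromstring(assertion_xml)
    # Accept a bare <Assertion> or a wrapper (e.g. <Response>) that contains one.
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return "MSIS3121"
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        return "MSIS3121"
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if len(confirmations) != 1 or confirmations[0].find("saml:SubjectConfirmationData", NS) is None:
        return "MSIS3121"
    if confirmations[0].get("Method") != BEARER:
        return "MSIS3045"
    return None


# Constructed sample: bearer confirmation without SubjectConfirmationData (the shape ADFS rejects).
MISSING_SCD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2013-07-19T05:17:00Z">
  <saml:Issuer>https://idp.example.test/picketlink</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: same token with the SubjectConfirmationData element ADFS requires.
WITH_SCD = MISSING_SCD.replace(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>',
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData NotOnOrAfter="2013-07-19T05:22:00Z" '
    'Recipient="https://adfs.example.test/adfs/ls/"/></saml:SubjectConfirmation>')

if __name__ == "__main__":
    print(check_subject_confirmation(MISSING_SCD))  # MSIS3121
    print(check_subject_confirmation(WITH_SCD))     # None
```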