1 Reply Latest reply on Jul 23, 2013 3:05 AM by kossy

    ADFS WS-Fed <-> SAML2.0 integration

    kossy Newbie

      Hi All,

       

      we're using PicketLink 2.1.6 which acts as IdP in WS-Fed with ADFS (IdPproxy) as bearer. The latter transforms WS-Fed into SAML2 and passes it to RP.

      The problem is that SAML2 requires Subject Confirmation Data (SAML 2.0 spec chap. 2.4.1.2). The error that we're getting on ADFS is:

       

      The Federation Service encountered an error while processing the SAML authentication request.

      Additional Data Exception details: System.IdentityModel.Tokens.SecurityTokenException: MSIS3121: SubjectConfirmationData element was missing in received token.   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ValidateRequestProperties(Saml2SecurityToken token)   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

       

      We could have migrated to SAML 1.1 where SubjectConfirmationData is nonexistent, but ADFS does not support it.

      Code in ADFS which causes it:

      if (token != null)
      {
      if
      (
      (
      (token.Assertion == null) || (token.Assertion.Subject == null)
      )
      ||
      (
      (token.Assertion.Subject.SubjectConfirmations.Count != 1) || (token.Assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData == null)
      )
      )
      {
      throw new SecurityTokenException(Microsoft.IdentityServer.Service.SR.GetString("MSIS3121", new object[0]));
      }
      Saml2SubjectConfirmation confirmation = token.Assertion.Subject.SubjectConfirmations[0];
      if ((confirmation.Method == null) || !string.Equals(confirmation.Method.ToString(), Saml2Constants.ConfirmationMethods.Bearer.ToString(), StringComparison.Ordinal))
      {
      throw new SecurityTokenException(Microsoft.IdentityServer.Service.SR.GetString("MSIS3045", new object[0]));
      }
      }

       

      The problem seems to be in lines 153 to 166 of saml20tokenprovider.java in PicketLink.

       

      I've been looking for a bug report or fix, but haven't seen this problem anywhere else ?

       

      Thank you for help