Authorization error in samlWebSso20 config on WebSphere Liberty with WSO2 server as Identity Provider - wso2

I am trying to achieve SSO to Websphere Liberty adminCenter console using SAML with WSO2 as Identity Provider. I have configured samlWebSso20 on liberty as per the settings mentioned here:
https://www.ibm.com/support/knowledgecenter/en/SSCKRH_1.0.2/platform/sso_liberty.html
However, the authorization fails on the Liberty side, as I receive the following error in messages.log:
CWWKS9104A: Authorization failed for user admin while invoking com.ibm.ws.management.security.resource on /. The user is not granted access to any of the required roles: [Administrator].
It seems that Liberty is not able to identify the user's roles. What could be wrong in my configuration?
server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Liberty server.xml for the SAML service-provider side of the adminCenter SSO flow described above. -->
<server description="new server">
<!-- samlWeb-2.0 provides the samlWebSso20 service provider; adminCenter-1.0 is the console being protected. -->
<featureManager>
<feature>webProfile-7.0</feature>
<feature>adminCenter-1.0</feature>
<feature>websocket-1.1</feature>
<feature>samlWeb-2.0</feature>
</featureManager>
<!-- httpsPort 9443 matches the ACS/Recipient URL in the IdP response (https://wasl9:9443/ibm/saml20/defaultSP/acs). -->
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9080"
httpsPort="9443" />
<applicationManager autoExpand="true"/>
<!-- Local user registry the SAML subject ("admin") is looked up in.
     The password is stored in clear text; Liberty's securityUtility encode can at least obfuscate it.
     No realm is set here: the accepted fix at the end of this question adds realm="ws02is510" so that
     the registry realm matches the realm segment used in user-access-id below. -->
<basicRegistry id="basic">
<user name="admin" password="admin" />
</basicRegistry>
<!-- Grants the Administrator role by access id. NOTE(review): the value carries a leading space
     (" user:ws02is510/admin") and its realm segment "ws02is510" does not match any realm declared on
     basicRegistry as written, which is consistent with the CWWKS9104A role failure quoted above. -->
<administrator-role>
<user-access-id> user:ws02is510/admin</user-access-id>
</administrator-role>
<!-- Keystore password is in clear text as well; the same encoding tool applies. -->
<keyStore id="defaultKeyStore" password="liberty" />
<!-- SP configuration. wantAssertionsSigned="false" relaxes the requirement that the assertion itself
     carry a signature; the WSO2 response shown above signs both the Response and the Assertion, so the
     default (true) should be usable once the role mapping works - confirm against the Liberty
     samlWebSso20 reference. nameIDFormat="email" while the IdP sends NameID "admin" in emailAddress
     format; judging from the error message, that NameID value is what is looked up as the registry user. -->
<samlWebSso20 enabled="true" id="defaultSP" nameIDFormat="email" wantAssertionsSigned="false">
</samlWebSso20>
<variable name="defaultHostName" value="wasl9" />
</server>
Authenticated Response Token from WSO2:
<saml2p:Response Destination="https://wasl9:9443/ibm/saml20/defaultSP/acs"
ID="_3a43e5d918468a66dfe72be986c6655e"
InResponseTo="_qmj6w34tYpe67bP0QNHuFi6hjAyjEogS"
IssueInstant="2020-03-31T12:54:42.492Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>ws02is510</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_3a43e5d918468a66dfe72be986c6655e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>tIwEGcLKGUgicewNgegWCXirH5ma/oPYfTVeeu/eHFI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
E0yABNNUvmiDaSf3pxC3K4K/wOsvcEUA5y3uWmLi1d452LskX28ak099yZz4dDqTe+CXTTR+cM0O
gmBHPsuJLOmXjuO+UF7mAASQmL04UlU9gVyEuNYcRa37g5YFR0kzjm4iP5HWTV03xE3T0SprUahJ
QZdPy+LDBibrsF2sYy3HTel04vXzQc9h8hZJQnCMYfnS/hZXQ3mGJkfbgCIRjoDpGoHQk3gpFJlm
CgPvmkjY6+BM8rryG3Pn5F9JAoiH5j5NRbsdlvIYI334TNu21i4Se5v8dqItG3RvWwOnjlQ4j1Jy
AFP1MH6TffMhS6bEg2is9Kmyl9VVIcsDfpIIMg==
</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDVzCCAj+gAwIBAgIEKGtdMzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJQSzEQMA4GA1UE
CBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNVBAsTAklUMRIwEAYD
VQQDEwl3czAyaXM1MTAwHhcNMjAwMzI4MTgwMDM5WhcNMjAwNjI2MTgwMDM5WjBcMQswCQYDVQQG
EwJQSzEQMA4GA1UECBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNV
BAsTAklUMRIwEAYDVQQDEwl3czAyaXM1MTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCOmKIT4B+pCr1HNL6VOoe2Ps+J4/nrt9L3m4I7zHc8iAiqBMdwtfPGYGefEATn+l7AduzLVfre
qS8nqJjfnjh6Jx6abCP1z3eReaVjm5GLX325JGyIbkBtGdEHo9vSj5hgr0Z6hmSdupMZCV/86bpp
rGEOkiptejZT1Qtb3RobViI2mgJbgfThaJaqFQNZALcR7WM7KPrBU4jgPBh9XZAxfBi+RqSmS3Sr
MhAQ6z+/HHb6ef9BWoFXqpFuilZnoZZZzpjGazMFPncccNlGWqBWnLr7VbFgLJFiBz+GzbcgTjo4
LLdQ7VTXixQ1VCc92fbR++ChaZIWmREAIi/IdTQ/AgMBAAGjITAfMB0GA1UdDgQWBBS4KrNDNc+w
j6RyDqRWC80ivl7UBDANBgkqhkiG9w0BAQsFAAOCAQEAgSsPOyqPUceSvg4qiL2w1isc1fKFPfR/
bEc5ZXVhl6oRfAh9rAdhwk/GATdsMx3FiDB/Tv7Q1iKENwWIbJUb/JYQvRO81sEX3o7BczhKN9Fv
5wJOKdSGz0KLxOkLz4Gj9K87fJORSKKDjy1nz+LsZdieJjN62zW16OiggTLqf13mmmSb+jE5dYHC
SUB/k9WB+oDV0A0m9pTg1WCvrttm3KKd9DZ4QrH/mZv5lzVETpGBYFNGMmA2MQ+z2NCTaatUycnn
9nPHkpoIOGQQ11z5HCvYQ20gdvJoVJ40ZDRVaqJKeeStAd49TwYFE2kdZ9udf1LNsU8MrU89QXE5
1hiUkw==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_a29d997b5f5eec9a7de1dea1e0a79391"
IssueInstant="2020-03-31T12:54:42.492Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ws02is510</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_a29d997b5f5eec9a7de1dea1e0a79391">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>M6gJ6nCtngEQZvCwaFJj9mClOhtb6hWymvAHunhK3YU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Hm4yL/STOxHmksgQr7xFwlv1GAkgrb2bicUTqkiWF46zuZKaN9u1yOBqfEHHB0Q5R3nwUqju93Ce
RI+yCsf0MabDhsWThpTkuiWaEeKa1xhdMqgGIYs2G4yMYbQevrxhxe8gjPKp29A3zNLnYmDiiqHn
DSE2qdWTu1rLj9IPp3YtP5nIZX84KbRq0GbTZf3mZWfYOVwUiemTYhArZf+fhTeKdNpt52eFf2Ef
WZRQIa69a0haor1/7Adt/TLlJSwSvKn6k20It43W48aj6w905tSOmCfx2Vdmiod7ezx+o2K37SrX
M6SYPC2jKWt5AoyZ4zjhlnYiRmF0iU31KoEOng==
</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDVzCCAj+gAwIBAgIEKGtdMzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJQSzEQMA4GA1UE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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_qmj6w34tYpe67bP0QNHuFi6hjAyjEogS"
NotOnOrAfter="2020-03-31T12:59:42.492Z"
Recipient="https://wasl9:9443/ibm/saml20/defaultSP/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-03-31T12:54:42.492Z"
NotOnOrAfter="2020-03-31T12:59:42.492Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://wasl9:9443/ibm/saml20/defaultSP</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-03-31T12:54:42.477Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>

Thanks to #Piraveena and #Chunlong for their support, and especially to #Chunlong for working through to the end to help resolve the issue completely. I have got it working now by making the following changes in the WAS Liberty server.xml file:
Adding property realm="ws02is510" in basicRegistry tag
Adding admin under
Adding property disableLtpaCookie="false" in samlWebSso20 tag


djangosaml2 metadata and django settings

I am trying to switch my login to SAML2 for a Django project. I just have a metadata URL where I can see the settings and the certificate for that.
In that metadata, there is just one certificate and a ds:SignatureValue which is generated uniquely on every request.
Do I also need a certificate key? And is there any way to get those settings directly from the metadata?
https://login.entry.com/login/saml/idp/metadata
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_895c6e0e-1111-1111-1111-4eb316fa43cc" entityID="entity.com" validUntil="2026-12-29T09:54:08.000Z">
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_895c6e0e-2920-4a24-839f-4eb316fa43cc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>RfLCex+sdsafdsfddsFDS+U=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>FSdfsdFDSfds...==</ds:SignatureValue>
</ds:Signature>
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDezCCAmOgAwIBAgIEdKfywTANBgkqhkiG9w0Bx...==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.entity.com/login/saml/idp"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.entity.com/login/saml/idp"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

Snowflake integration with Jumpcloud throws http 400 error

I have enabled AWS PrivateLink to access Snowflake and there is no issue with the link; when integrating with SSO using JumpCloud, after login it just throws a 400 error.
For troubleshooting I have tried the following, but they didn't work:
https://support.snowflake.net/s/article/Error-400-Bad-Request-while-SSO-login-to-Snowflake
https://community.snowflake.com/s/article/Configuring-your-IDP-to-Snowflake-by-providing-required-properties-in-a-SAML-Response
This is JumpCloud SSO Setting
Here is the complete SAML Response, but I am still getting the 400 error. Any idea from Snowflake troubleshooting that helps resolve this issue is welcome.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/"
ID="AUZZ04QP5VMGW46F5YJZROMK164PY2C1QQ6XNXJJ"
InResponseTo="id-6417485141254017599_-1"
IssueInstant="2020-05-13T07:59:21.927Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2"
IssueInstant="2020-05-13T07:59:21.927Z"
Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>nxftTo6YnJGZR+qhRSJlPoMuNMMFwoxftmNAX/YDQaI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cvamdwGY/8VZ+n4gDoLoEt+z6fZCLmPuvv/u4qeYOZd/fMg28Jz7kt2FU27WDHbOkx21LEFJ/g2Mlt8X++MP8hhHNqqb8x42YZzyHTv4dmfz3xapSQ17iDJILlfsc2odr5xPjkScz+wNPxCTUsA8kCrfeTfnGJOyn7t6uq7zMh87uUmlIob04CYbV/1SZpD2Xz6Jij9UsBiP82QSbTWAs4gePDcnS0TKe0HGfkNYxhCQBlIR40tBrte4KRpxuoXo00aMXXR0f0qilfU2nvYWeZVnQFBLfFOKZmlKxuhRUyiEYr9iVTjI8uxLt9oJ/XFFC5cuZjRl1FlKExGwouGbcpHUt7Gx9XeCPlVD3z9bi33X4Hi8mwbD6uX0lcgcJQ82RbppIya+7Q0bTzSh5nCKAu+vIlTXNKlHnwM5ax7HNxfDJedcLgEpaJ0qntnH67TyjFQg/NPOb54wtjkOi9/qxnI/ND2EMnWP4O6jMlmwknLLEuW2iqgF9wBN0mM4EfmgniaUjixWVvr0aT2sFNcC7BalUkdBJWXCN6PYabm2exye4zYb2C9FyiDjzrsLYuctXCU19js1vhukIftYMG13ds+ZSL6enseFSHKqI1EYNWOogmGkgZJWOeH7BL5Xgeq5HhBn8teUvGc519p7J/2LkoGfEyJ4K0SPyTLoC1R5poA=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
M=........
.................
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">anish2good#yahoo.co.in</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="id-6417485141254017599_-1"
NotOnOrAfter="2020-05-13T08:04:21.927Z"
Recipient="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/" /></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-05-13T07:54:21.927Z"
NotOnOrAfter="2020-05-13T08:04:21.927Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-05-13T07:59:21.927Z"
SessionIndex="ed8df976-6c7d-458e-ad23-1657133d3a00">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
To get SSO to work with PrivateLink, you need to contact support.
By default you can configure SSO only on the public URL or the private URL. You cannot have SSO configured for both URLs.
Also SSO by default is enabled on the Public URL. You can check this out by using the Public URL in the JumpBox configuration and confirm if this works.
So if this works and you want to have SSO over Private URL, contact support and they will enable the SSO for the PrivateLink.

SubjectConfirmationData missing recipient field

I'm still kind of new to WSO2 but have successfully set up many different applications to work with it. I am currently running into an issue trying to connect our Salesforce instance with WSO2. I keep getting a validation error saying "One of the SubjectConfirmationData elements is missing a recipient field". When looking at the SAML response, it does not include a recipient field at all. I'm not sure how to get it in there.
We are currently on WSO2 Carbon Version 5.1.0. Under my service provider for Salesforce I have enabled recipient validation and added urls to that list, but it still doesn't add a recipient to the SubjectConfirmationData element. Any ideas on what to do?
Here is the response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="llikhiplnckepadmgibmamebigbbbbgfhggdbjgf" IssueInstant="2020-01-02T22:31:11.217Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.com/samlsso</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="elgkemhepilbljfckgfgchapaefibpocgjpbcnpn" IssueInstant="2020-01-02T22:31:11.217Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.com/samlsso</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#elgkemhepilbljfckgfgchapaefibpocgjpbcnpn">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>DUTHXbKOU45H9dpv81sleR8z+UZLnNBLICiyooxph0M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>blah blah blah</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>blah blah blah</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ktest</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2020-01-02T22:36:11.217Z" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-01-02T22:31:11.217Z" NotOnOrAfter="2020-01-02T22:36:11.217Z">
<saml2:AudienceRestriction>
<saml2:Audience>MySite</saml2:Audience>
<saml2:Audience>https://saml.salesforce.com</saml2:Audience>
<saml2:Audience>https://example.com/samlsso</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-01-02T22:31:11.217Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement />
</saml2:Assertion>
</saml2p:Response>

Connecting Shibboleth as a IdP and API Publisher as SP

The Plan
We want to configure Shibboleth as the IdP so we can do SSO. We already have Shibboleth configured for the many other things we do, like email and account information, but when trying to add our API publisher to the mix we seem to be getting an error. We believe it to be a WSO2 configuration error. We have been using this WSO2 documentation as a template: How to Configure Shibboleth IdP as a Trusted Identity Provider
The Situation
So far we are able to get to the login screen and enter our credentials, but when it tries to redirect us we get an Error 401 : Authorization Required.
SAML code
<saml2p:Response
Destination="localhost"
ID="mbnfmmagbmefckldpefbmjopkadjahbkocadhmib"
InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf"
IssueInstant="2016-12-05T16:20:37.939Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IdsDev
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#mbnfmmagbmefckldpefbmjopkadjahbkocadhmib">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>9xbWKA7A+
7k7Vaz6O18z8Xliqbo=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>kX11Q4eCUyME+VP5M7+5iI6D45kqQgE6MIqth7hNosSmfdSD3kZS0dwlcNwVlrzA64LMUZxclU256xP6w6nn0TqEqLjKy/tGXeQbKjaYrPcXx6336kIp8YGajqDiBh7IJswFDxugLoRx70APaKGthJi5VwRea1oT3lE4RHJoMgiN7o5FO1N+8IE34zEJLmTIpt+lYdXQPJanN29GY9YfIouFe2TGfHfXd9PT2nt7Dmf+M69DM3giEyizbzljYHdkjJrTlqoYTlHBHNPq8NF/+1wwuL76SP0Bory4k/7JvelW6RSAz82pdjDc0ublBmuceTENza2GiC2sitVQPycl/
g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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
OvSamgXd5RBJbXq376LX3r9jcYGpQwJT3hqMl9Qa1B0pY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion
ID="gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm"
IssueInstant="2016-12-05T16:20:37.939Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IdsDev
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Z7DIvjwTk4JpF0TRMNzo3Z/
4sfc=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>h1Stjkbw306VU7TN5OEou2XII3nzvhr34GVbced5Gk7q+EZailZusYISkC11eJjk4Y+CejMa4RODelwnMAdpfeWmMYz6ukk0jh9RH97/uWPOWKfOp4n/oXVnYE3rdImGcb1egas/zprqM7Pl8mbwI7vK3ScMUagBg6Td1sxHfRgVBk6r8C+40sgTAG8LsOd+q8LKNYj5mSeZ5K34SBdkmMWNpAS9mOT9CSJfWOrd9uAvFXHeuWN31MbIgVV5seEMfUzC18I/4s3qXwWqIvQxIsF8l9WuIuMYsFPT+oQJBU/ltQVf54w29k50tvN+LyvmNbZCZANf+
3JXwygyImc2Yg==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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
OvSamgXd5RBJbXq376LX3r9jcYGpQwJT3hqMl9Qa1B0pY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">username
</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf"
NotOnOrAfter="2016-12-05T16:25:37.939Z"
Recipient="localhost"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions
NotBefore="2016-12-05T16:20:37.939Z"
NotOnOrAfter="2016-12-05T16:25:37.939Z">
<saml2:AudienceRestriction>
<saml2:Audience>API_PUBLISHER</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement
AuthnInstant="2016-12-05T16:20:37.941Z"
SessionIndex="cbc00514-954b-4de2-8e7b-b50edf9c5976">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute
Name="http://wso2.org/claims/fullname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">username
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
We solved the problem! We couldn't get Shibboleth 2 to send the right information in the subject/NameID of the SAML response, but when we tried Shibboleth 3 the customization of the NameID was easier to work with. Anyway, WSO2 could not authorize access with just the username in the subject/NameID; it also needed the domain, formatted like this: domain/username. With that we got SSO to work.

how to make my WCF sends specific WS-Security (Apache CXF 2.6)

I must make my WCF Client consume a web service and sign/encrypt the request using Web Services Axis 1.4 a Apache CXF 2.6.
So far I have created a custom binding and I've added ProtectionLevel=Net.Security.ProtectionLevel.Sign in my contract attribute, and I "think" I am working along the right lines.
This is my .config:
<!-- WCF client configuration: the endpoint behavior selects the certificates, the custom binding
     defines the WS-Security message protection, and the client element ties both to the endpoint. -->
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="ComportamientoCertificadosREA">
<!-- Client certificate (signing) and the service certificate (encrypting to the service), both
     located by thumbprint with the values redacted. ChainTrust validates the service certificate
     against the LocalMachine trusted store rather than pinning it. -->
<clientCredentials>
<clientCertificate findValue="XXXXXXXX"
x509FindType="FindByThumbprint" />
<serviceCertificate>
<defaultCertificate findValue="XXXXXX"
storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
<authentication certificateValidationMode="ChainTrust" trustedStoreLocation="LocalMachine" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="reaCXFWSSoapBinding">
<!-- MutualCertificate: both sides authenticate with X.509 certificates.
     includeTimestamp="false" drops the wsu:Timestamp from the Security header; the service's
     example message further down shows no Timestamp either, so this looks deliberate for interop,
     but it also gives up the replay window a timestamp provides.
     NOTE(review): the service example uses rsa-1_5 key transport and rsa-sha1/sha1 signatures,
     which are legacy algorithms the service apparently requires; the WCF request captured below
     emits rsa-sha1/sha1 as well. -->
<security authenticationMode="MutualCertificate" requireDerivedKeys="false"
includeTimestamp="false" messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="false">
<secureConversationBootstrap authenticationMode="MutualCertificate"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
</security>
<textMessageEncoding messageVersion="Soap11" />
<!-- NOTE(review): all three size limits are set to Int32.MaxValue, so the client will buffer a
     response of any size; a bound sized to the real payload is the safer default. -->
<httpsTransport maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
maxBufferSize="2147483647" requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
<client>
<!-- Endpoint address and DNS identity are redacted. certificateReference has an empty findValue
     and no explicit x509FindType, so it is not resolvable as written; confirm whether it is needed
     at all alongside the dns identity. -->
<endpoint address="https://..."
behaviorConfiguration="ComportamientoCertificadosREA" binding="customBinding"
bindingConfiguration="reaCXFWSSoapBinding" contract="ServiceReference1.WSREACXFService"
name="REAEndpoint">
<identity>
<dns value="..." />
<certificateReference storeLocation="CurrentUser" findValue=""
isChainIncluded="false" />
</identity>
</endpoint>
</client>
</system.serviceModel>
That produces the following request (captured and decrypted with Fiddler):
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-5a68af48-0f16-46b4-b45f-e83851841104-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-5a68af48-0f16-46b4-b45f-e83851841104-2"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
...
</s:Body>
</s:Envelope>
And this is a valid example of the service:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-E554529BAA924FFE9C14373971009923"></wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-E554529BAA924FFE9C14373971009924">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-E554529BAA924FFE9C14373971009925">
<wsse:Reference URI="#CertId-E554529BAA924FFE9C14373971009923"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="E554529BAA924FFE9C14373971009141">...</wsse:BinarySecurityToken>
<xenc:EncryptedKey Id="EncKeyId-E554529BAA924FFE9C14373971009302">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#E554529BAA924FFE9C14373971009141"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-1" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-3">
...
</soap:Body>
</soap:Envelope>
So, how can I set my .config (and my code) in order to generate a request like the valid example?