making a simple assertion with authenticationStatement


We download older Windows SAML code from packtpub.com, trying to go back in time and think how Microsoft thought about these topics BEFORE the WSE2/3 and WIF era. The assumption is that we will be closer to Win32 and the TCB. We look at a simple tester program, Chapter one, unit 2, which we amend so the form is more like what Office 365's Federation Gateway will expect and demand.

image

First, make a signing-capable cert – but amend the instructions a little (to update the maximum expiry date!)

image

One amends the descriptor structure for the assertion to add the desired attributes and the authentication statement:

image

We get the assertion as desired, though it's signed (in this program). Of course, Office probably doesn't want a signed assertion; it wants a signed ws-fedp result message (bearing the signed or unsigned SAML assertion).

But we have got closer to the "raw machine".

image

If we compare this to the output of the Ping Federate IDP (acting as a proxy IDP to our Realty IDP), where Ping Federate is itself a proxy IDP to the MicrosoftOnline IDP … invoked by the Office Federation Gateway (itself invoked by the Exchange Online SP!)…

image

we see that we are missing the audience controls and fail to carry the certificate. And obviously, we are as yet missing the outer ws-fedp tags.

So let's fix the obvious stuff.

To add the audience conditions and set the nameformat property on the UPN used as the nameidentifier:

image

Thanks to http://stackoverflow.com/questions/1348947/audiencerestriction-in-saml-assertion, we added:

image

To add the certificate to the signing block:

image

Thanks to http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/9a2c881c-5094-40be-a650-1fe27fe465fc, we changed the keyIdentifier to the X509Raw type:

image

image
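A check for the three things fixed above (an audience restriction, a Format on the UPN NameIdentifier, and the certificate carried inside KeyInfo), written as an added Python example that is not from the post or the Packt code. The SAML 1.1 assertion it parses is constructed here; the issuer, audience, certificate value and the UPN format URI are placeholders or assumptions, and the Signature element is only the KeyInfo shape, not a real signature.

```python
import xml.etree.ElementTree as ET

# SAML 1.1 assertion and XML-DSig namespaces
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion with the amended shape; not a real token.
# Issuer, audience, UPN format URI and certificate value are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-assertion-id" Issuer="urn:example:realty-idp"
    IssueInstant="2012-01-01T00:00:00Z">
  <saml:Conditions NotBefore="2012-01-01T00:00:00Z" NotOnOrAfter="2012-01-01T00:10:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:example:audience-placeholder</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2012-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">alice@example.com</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""


def inspect_assertion(xml_text):
    """Report the three properties that were missing from the first tester output."""
    root = ET.fromstring(xml_text)
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS) if a.text]
    nameid = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "audiences": audiences,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "carries_certificate": cert is not None and bool((cert.text or "").strip()),
    }


def acceptable_for(xml_text, expected_audience):
    """Relying-party view: reject an assertion not scoped to us, or one lacking the
    NameIdentifier format and embedded certificate the gateway expects."""
    info = inspect_assertion(xml_text)
    return (expected_audience in info["audiences"]
            and info["nameid_format"] is not None
            and info["carries_certificate"])
```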


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in SAML.