using WIF to talk to Microsoft Federate Gateway STS (to get Office 365 SP API tokens)


On the topic of getting the WIF libraries to do what we did earlier with a hand-crafted SOAP message, note lines 72 and 63 below. Together with the serializer subclass, these are the changes that insert the evidently required policy reference into the RST. It worked on trial, and showed that we do NOT need to send or handle all the legacy Passport tokens or signals merely to get an auth token for use at Office 365 API endpoints with issued-token bindings.

    /// <summary>
    /// WS-Trust Feb 2005 request serializer that writes the policy-reference element the
    /// Office 365 federation STS evidently requires, and leaves the KeyType element out of the RST.
    /// </summary>
    class MyWSTrustFeb2005RequestSerializer : WSTrustFeb2005RequestSerializer
    {
        // WS-Policy namespace the wsp:PolicyReference element is emitted in.
        private const string WsPolicyNamespace = "http://schemas.xmlsoap.org/ws/2004/09/policy";

        /// <summary>
        /// Writes one RST element. A "PolicyReference" entry (placed in rst.Properties by the caller)
        /// becomes a wsp:PolicyReference element whose URI attribute is the property value;
        /// "KeyType" is not written at all; every other element is delegated to the base serializer.
        /// </summary>
        /// <param name="writer">Destination for the RST XML.</param>
        /// <param name="elementName">Name of the RST element being serialized.</param>
        /// <param name="elementValue">Value of that element; for "PolicyReference" this must be a string.</param>
        /// <param name="rst">The request being serialized (passed through to the base class).</param>
        /// <param name="context">Serialization context (passed through to the base class).</param>
        public override void WriteXmlElement(XmlWriter writer, string elementName, object elementValue, RequestSecurityToken rst, WSTrustSerializationContext context)
        {
            if (elementName == "PolicyReference")
            {
                // A non-string value fails the cast here; the property is populated as a string by the caller.
                string policyUri = (string)elementValue;
                writer.WriteStartElement("wsp", "PolicyReference", WsPolicyNamespace);
                writer.WriteAttributeString("URI", policyUri);
                writer.WriteEndElement();
                return;
            }

            if (elementName == "KeyType")
            {
                // Deliberately suppressed: the bearer key type is conveyed through the binding instead.
                // NOTE(review): presumably the gateway rejects or ignores this element — confirm against the STS.
                return;
            }

            base.WriteXmlElement(writer, elementName, elementValue, rst, context);
        }
    }



        //           var s0 = "urn:federation:MicrosoftOnline";
        //           var s1 = "https://outlook.office365.com/EWS/Exchange.asmx/WSSecurity";
        //
        //    GenericXmlSecurityToken token2 = do_test_exchangeoffice(token, new EndpointAddress( IP ), new EndpointAddress( IPMEX ), s1);
        //    t = token2.TokenXml.OuterXml;

        //  ExchangeService service1 = new ExchangeService(ExchangeVersion.Exchange2013);
        //  service1.Url = new Uri(s1);
        //  service1.PreAuthenticate = true;

        //  service1.Credentials = new TokenCredentials(t);

        //  EmailMessage message = new EmailMessage(service1);
        //  message.Subject = "Interesting";
        //  message.Body = "The merger is finalized.";
        //  message.ToRecipients.Add("rapstaff2@rapmlsqa.com");
        //  message.SendAndSaveCopy();

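        /// <summary>
        /// Exchanges a token issued by the identity-provider STS for an Office 365 bearer token by
        /// calling the Microsoft Online STS (extSTS.srf) over an issued-token WS-Trust Feb 2005 binding.
        /// </summary>
        /// <param name="fromIP_STS">Token already obtained from the identity-provider STS; presented to the Office 365 STS through the issued-token binding.</param>
        /// <param name="issuerAddress">Endpoint of the identity-provider STS.</param>
        /// <param name="mexAddress">Metadata-exchange endpoint of the identity-provider STS.</param>
        /// <param name="exchaddr">AppliesTo URI of the Office 365 service the token is requested for.</param>
        /// <returns>
        /// The issued token as a <see cref="GenericXmlSecurityToken"/>, or null when the request failed
        /// (the failure is traced) or the STS returned a token of another type.
        /// </returns>
        private GenericXmlSecurityToken do_test_exchangeoffice(SecurityToken fromIP_STS, EndpointAddress issuerAddress, EndpointAddress mexAddress, string exchaddr)
        {
            const string office365STS = "https://login.microsoftonline.com/extSTS.srf";
            // Policy reference the gateway evidently requires in the RST; written by MyWSTrustFeb2005RequestSerializer.
            const string policyReference = "MBI_FED_SSL";

            var un = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
            var iss = new IssuedTokenWSTrustBinding(un, issuerAddress, SecurityMode.TransportWithMessageCredential, TrustVersion.WSTrustFeb2005, mexAddress)
            {
                EnableRsaProofKeys = false,
                KeyType = SecurityKeyType.BearerKey
            };

            WSTrustChannelFactory trustChannelFactory2 = new WSTrustChannelFactory(iss, new EndpointAddress(office365STS));
            trustChannelFactory2.TrustVersion = TrustVersion.WSTrustFeb2005;
            trustChannelFactory2.ConfigureChannelFactory();

            // Single null guard for every Credentials access (the original guarded only the first one).
            var credentials = trustChannelFactory2.Credentials;
            if (credentials != null)
            {
                credentials.SupportInteractive = false;

                // SECURITY: the next two lines turn off validation of the STS's X.509 certificate
                // (CertificateValidationMode.None) and of its revocation status (NoCheck). With them in
                // place the connection to login.microsoftonline.com is not protected against a spoofed
                // endpoint, and both the IdP token and the issued token could be handed to it.
                // This is a lab shortcut only; leave the default chain-trust validation on otherwise.
                credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
                credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
            }

            // Custom serializer: emits wsp:PolicyReference and drops KeyType from the RST.
            trustChannelFactory2.WSTrustRequestSerializer = new MyWSTrustFeb2005RequestSerializer();

            WSTrustChannel channel = null;
            GenericXmlSecurityToken token = null;
            try
            {
                RequestSecurityToken rst = new RequestSecurityToken(WSTrustFeb2005Constants.RequestTypes.Issue, WSTrustFeb2005Constants.KeyTypes.Bearer);
                rst.AppliesTo = new EndpointAddress(exchaddr);
                rst.Properties.Add("PolicyReference", policyReference);

                channel = (WSTrustChannel)trustChannelFactory2.CreateChannelWithIssuedToken(fromIP_STS);

                RequestSecurityTokenResponse rstr;
                token = channel.Issue(rst, out rstr) as GenericXmlSecurityToken;
            }
            catch (Exception ex)
            {
                // Best-effort test call: a failed issue still yields a null return rather than a throw,
                // but the cause is recorded instead of being silently discarded.
                System.Diagnostics.Trace.TraceError("do_test_exchangeoffice: token issue failed: {0}", ex);
            }
            finally
            {
                // Abort rather than Close on both objects: this is a one-shot call and the session is not reused.
                if (channel != null)
                {
                    channel.Abort();
                }

                trustChannelFactory2.Abort();
            }

            return token;
        }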
