making an STS that responds to asymmetric keying (signed) requests

We built on earlier work that issued the following signed request to an STS, asking for an asymmetric key. Previously we had issued this request to the ACS STS, which duly returned an RSTR containing a SAML assertion whose subject confirmation bore the (RSA public) proof key. In the ACS case the assertion was signed and encrypted, hiding these facts from anyone but the intended recipient.

Now we can issue the same request to our own STS, using the standard WCF-implemented WS-Trust Feb 2005 contract.


The client code we used is basically the same as reported earlier, except that when using WS-Trust Feb 2005 against WCF's STS contracts, the addressing mode is slightly different from that expected by Ping Federate:


On the server side, we similarly amend the service endpoints by adding a new one with a custom binding. Note that one can NOT simply amend the binding of an existing endpoint that was already added, from the web.config file, while the service host was being constructed; a new endpoint has to be added alongside it:



This allows the STS to respond to the (signed) asymmetric keying requests for tokens shown above. The request signature and the user name token are both verified, and a response is generated:


The net result is a signed SAML assertion whose subject confirmation carries the RSA confirmation key. When originated by our STS the assertion is signed but not encrypted, unlike the ACS output, so the key is visible to anyone who sees the RSTR; the relying party therefore has to rely on the assertion signature and on TLS, and must still require the presenter to prove possession of the private key matching that confirmation key before trusting the token:
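As an added end-to-end illustration (this is not the post's own code, which is not reproduced here), the following shows how the two halves above fit together against the .NET 4.5 WIF classes (System.IdentityModel.*, System.ServiceModel.Security). The client builds a Feb 2005 RST with KeyType PublicKey and its RSA public key in wst:UseKey; the server adds a separate endpoint for IWSTrustFeb2005SyncContract with a custom UsernameToken-over-HTTPS binding, rather than trying to change an endpoint that web.config already created, and issues a signed, unencrypted assertion. The host address, the relying-party URI, the certificate and the user credentials are placeholders; the Ping Federate addressing difference and the exact way the request signature is attached are not shown.

```csharp
// Added example, not the original post's code. Targets the .NET 4.5 WIF classes;
// all URIs, the signing certificate and the user credentials are assumptions.
using System;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// An STS that only issues holder-of-key (asymmetric) tokens.
public class AsymmetricKeySts : SecurityTokenService
{
    public AsymmetricKeySts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        // The caller must have supplied its RSA public key in wst:UseKey; the base class puts
        // that key into the assertion's SubjectConfirmation instead of minting a symmetric
        // proof key. Refuse anything else rather than silently falling back to bearer.
        if (request.KeyType != KeyTypes.Asymmetric || request.UseKey == null || request.UseKey.SecurityToken == null)
            throw new InvalidRequestException("This endpoint only issues tokens for PublicKey (asymmetric) requests.");
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("wsp:AppliesTo is required.");

        var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // signed only: the RSA key stays visible, unlike ACS output
        scope.ReplyToAddress = scope.AppliesToAddress;
        return scope;
    }

    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // The UsernameToken was validated by the binding before this runs.
        var identity = new ClaimsIdentity("Federation");
        identity.AddClaim(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }
}

public static class AsymmetricStsDemo
{
    // UsernameToken over HTTPS using the Feb 2005 WS-Trust / WS-SecureConversation versions,
    // matching the WCF Feb2005 contract. Built as a CustomBinding so it can be added in code.
    public static Binding Feb2005UsernameBinding()
    {
        var sec = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        sec.MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
        return new CustomBinding(sec, new TextMessageEncodingBindingElement(), new HttpsTransportBindingElement());
    }

    // Server side: host the STS and ADD a new endpoint; do not mutate endpoints from web.config.
    public static WSTrustServiceHost StartSts(X509Certificate2 signingCert)
    {
        var config = new SecurityTokenServiceConfiguration("https://sts.example.test/", new X509SigningCredentials(signingCert));
        config.SecurityTokenService = typeof(AsymmetricKeySts);

        var host = new WSTrustServiceHost(config, new Uri("https://localhost:8443/sts")); // assumed address
        host.AddServiceEndpoint(typeof(IWSTrustFeb2005SyncContract), Feb2005UsernameBinding(), "asym");
        host.Open();
        return host;
    }

    // Client side: the Feb 2005 RST carrying our RSA public key as the UseKey.
    public static SecurityToken RequestHolderOfKeyToken(RSA clientKey, string user, string password)
    {
        var factory = new WSTrustChannelFactory(Feb2005UsernameBinding(),
                                                new EndpointAddress("https://localhost:8443/sts/asym"));
        factory.TrustVersion = TrustVersion.WSTrustFeb2005;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointReference("https://rp.example.test/"),   // assumed relying party
            TokenType = "urn:oasis:names:tc:SAML:1.0:assertion",
            KeyType = KeyTypes.Asymmetric,                // serialised as the Feb 2005 PublicKey URI
            UseKey = new UseKey(new RsaSecurityToken(clientKey)),
        };

        RequestSecurityTokenResponse rstr;
        SecurityToken issued = factory.CreateChannel().Issue(rst, out rstr);
        // No RequestedProofToken is needed in the RSTR: the client already holds the private key,
        // and the assertion's SubjectConfirmation names the matching public key.
        return issued;
    }
}
```

The GetScope check is the part worth keeping: without it, a request that omits UseKey or asks for a bearer or symmetric key would still be served, and the "asymmetric-only" endpoint would quietly issue a different kind of token. On the relying-party side the assertion signature is only half the story; the RP must also require the presenter to sign its message with the private key matching the RSAKeyValue in the SubjectConfirmation, otherwise the holder-of-key assertion degrades to a bearer token.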




About home_pw

Computer programmer who often does network administration with a focus on security servers. Sometimes plays at slot machine programming.

This entry was posted in SSO.
