custom STS issuing proofs of asymmetric keys for ephemeral keypairs, used in a WCF request with (header) proof service


After a few more fiddles, we made a WCF client built from a generated service reference use a custom binding to talk to our custom STS and get back an unencrypted SAML assertion carrying an asymmetric proof key. That assertion is then used in a SOAP call to a service that reverses a string. The bindings on that call have the client sign the headers of the request, and have the server confirm two things: that the public key behind the request signature is the key the assertion confirms, and that the assertion's own signature is backed by a certificate whose issuer appears in the service's list of trusted issuers.

[screenshot omitted]

The interaction with the STS is initiated automatically by the custom binding, using an ephemeral RSA key. It only works against WS-Trust 1.3 STS endpoints.

[screenshot omitted]

The client MUST have the interactive flag set to false, otherwise WCF goes looking for the CardSpace UI to obtain the token:

[screenshot omitted]

And the client-side binding must be modified from the auto-generated one: it has to reference the STS and, when talking to the STS, use a plain WS-Security binding rather than one augmented for asymmetric issued keys.

[screenshot omitted]

The service endpoint's binding became the following (forcing the trust version):

[screenshot omitted]

And the STS service that accepts the RST carrying the UseKey fields, and handles the proof signature on it, had its binding put into an explicit namespace (so the WSDL policies do not end up in separate files).

[screenshot omitted]
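The client and service wiring described in the steps above, written out as an added example in C# (this is not the post's own code, which survives only as screenshots). It assumes a contract named IStringService with a Reverse operation, UserName authentication from the client to the STS, and that the caller has already loaded the service certificate and the STS signing certificate; all of those names are placeholders.

```csharp
// Added example, not the post's code. Assumed: IStringService/Reverse, UserName
// auth at the STS, certificates loaded by the caller. .NET Framework WCF.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Sign only: headers and body are signed with the ephemeral key, nothing encrypted.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IStringService
{
    [OperationContract]
    string Reverse(string s);
}

public class StringService : IStringService
{
    public string Reverse(string s)
    {
        char[] chars = s.ToCharArray();
        Array.Reverse(chars);
        return new string(chars);
    }
}

public static class FederatedSetup
{
    const string Saml11TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

    // Binding the client uses for the RST/RSTR exchange with the STS: a plain
    // WS-Security 1.1 / WS-Trust 1.3 binding, not one set up for issued keys.
    public static Binding IssuerBinding()
    {
        var sts = new WS2007HttpBinding(SecurityMode.Message);
        sts.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        sts.Security.Message.NegotiateServiceCredential = false;
        sts.Security.Message.EstablishSecurityContext = false;
        return sts;
    }

    // Application binding, shared by client and service so the WSDL policy the
    // service publishes matches what the client actually sends.
    public static Binding ServiceBinding(EndpointAddress stsAddress)
    {
        var fed = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
        // AsymmetricKey makes WCF generate an ephemeral RSA key pair, send its public
        // half in wst:UseKey of the RST, and expect a holder-of-key assertion back.
        fed.Security.Message.IssuedKeyType = SecurityKeyType.AsymmetricKey;
        fed.Security.Message.IssuedTokenType = Saml11TokenType;
        fed.Security.Message.IssuerAddress = stsAddress;
        fed.Security.Message.IssuerBinding = IssuerBinding();
        fed.Security.Message.NegotiateServiceCredential = false;
        fed.Security.Message.EstablishSecurityContext = false;
        // Turn it into a custom binding and pin the trust version explicitly;
        // only WS-Trust 1.3 STS endpoints worked for the post's author.
        BindingElementCollection elements = fed.CreateBindingElements();
        elements.Find<SecurityBindingElement>().MessageSecurityVersion =
            MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
        return new CustomBinding(elements);
    }

    public static IStringService CreateClient(Uri serviceUri, Uri stsUri,
        X509Certificate2 serviceCert, string user, string password)
    {
        var factory = new ChannelFactory<IStringService>(
            ServiceBinding(new EndpointAddress(stsUri)), new EndpointAddress(serviceUri));
        // The "interactive flag": left true, WCF may try to bring up the CardSpace
        // selector when it needs to obtain the issued token.
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // Service credential negotiation is off, so the service cert is set out of band.
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;
        return factory.CreateChannel();
    }

    public static ServiceHost CreateHost(Uri serviceUri, Uri stsUri,
        X509Certificate2 serviceCert, X509Certificate2 stsSigningCert)
    {
        var host = new ServiceHost(typeof(StringService), serviceUri);
        host.AddServiceEndpoint(typeof(IStringService),
            ServiceBinding(new EndpointAddress(stsUri)), string.Empty);
        host.Credentials.ServiceCertificate.Certificate = serviceCert;
        IssuedTokenServiceCredential issued = host.Credentials.IssuedTokenAuthentication;
        // Trusted issuers: the certificate that signed the assertion must be in this
        // list or pass CertificateValidationMode (ChainTrust by default).
        issued.KnownCertificates.Add(stsSigningCert);
        issued.AllowUntrustedRsaIssuers = false;
        // WCF resolves the request signature's key through the assertion's subject
        // confirmation, so a signature by any other key is rejected. Pin the audience too.
        issued.AudienceUriMode = AudienceUriMode.Always;
        issued.AllowedAudienceUris.Add(serviceUri.AbsoluteUri);
        return host;
    }
}
```

The STS side is not shown: it has to accept an RST whose KeyType is the WS-Trust PublicKey type, take the client's public key from wst:UseKey (checking the proof signature on the RST), put that key in the assertion's subject confirmation, and sign the assertion with the certificate that the service lists in KnownCertificates. Leaving CertificateValidationMode at its default means any issuer certificate that chains to a trusted root is also accepted; tighten it if only the listed STS should be trusted.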

End.


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in SSO.