Here is the scenario:

1) WCF client calls STS requesting a SAML token via a RST/Issue request

2) STS responds with RSTRC/IssueFinal placing the SAML token into the response header

3) WCF client picks up the SAML token and makes a call to the business web service

STS and web service are hosted in a Java-based environment. 1) and 2) work fine, that is, I can see the STS responding in the expected manner with SOAP header and body correctly set.

Now, the problem is that after receiving the response from the STS the WCF client sends a request for a security context token to the business web service which of course fails and I don't know how and why.

This is my app.config for client:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="RegistryServiceBinding">
          <security mode="TransportWithMessageCredential">
            <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#samlv1.1"
                     negotiateServiceCredential="False" establishSecurityContext="false">
              <issuer address="https://my-sts-ip/idp-ws/services/BasicSAMLIssuer"
                      binding="customBinding" bindingConfiguration="STSBinding" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>

      <customBinding>
        <binding name="STSBinding">
          <security allowInsecureTransport="False"
                    authenticationMode="UserNameOverTransport"
                    requireSignatureConfirmation="false"
                    messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
          </security>
          <textMessageEncoding messageVersion="Soap12WSAddressing10" />
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>

    <client>
      <endpoint address="https://my-ws-ip/soap/RegistryStoredQuery"
                binding="wsFederationHttpBinding" bindingConfiguration="RegistryServiceBinding"
                contract="IXDSRegistry" name="RegistrySTS" />
    </client>
  </system.serviceModel>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client" />
  </startup>
</configuration>

And this is what the WCF client sends after getting the SAML token from the STS (abbreviated):

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
    <a:MessageID>urn:uuid:fecde50b-a3bd-40f1-ae5b-662a3aa9bf80</a:MessageID>
    <ActivityId CorrelationId="cec77c8d-1d09-4e34-9c5a-dbf5bb219ba8"
                xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">bfce2552-393d-43d0-8722-0c16ae22bba4</ActivityId>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://10.11.71.151/soap/RegistryStoredQuery</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2011-10-28T07:27:50.097Z</u:Created>
        <u:Expires>2011-10-28T07:32:50.097Z</u:Expires>
      </u:Timestamp>
      <Assertion> .... </Assertion>

      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      ...
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:Entropy>
        <t:BinarySecret u:Id="uuid-d1ed3eb6-d7f6-4d2b-ab7e-a6c60d899bad-3" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">iRqJf4/sY1yiu7Vh1eTGeAWJi7o0gxnhS6A2YvJQ6kI=</t:BinarySecret>
      </t:Entropy>
      <t:KeySize>256</t:KeySize>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>

Any ideas what could trigger this behaviour?

Best Regards.

1 Answer

wsFederationHttpBinding has secure session set to true by default. You'll need to clone a custom binding and set this to false.
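The following is an added example, not code from the question or the answer: it rebuilds the question's wsFederationHttpBinding in C#, converts it to a CustomBinding, and checks the binding elements for the SecureConversation (secure session) element that makes the client send an RST/SCT before the business call. The class name, the helper names, and the `stsAddress`/`stsBinding` parameters are assumptions; the caller supplies the STS endpoint and its binding.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Hypothetical helper class (not part of the original post).
public static class FederationBindingCheck
{
    // Mirrors the RegistryServiceBinding section of the question's app.config.
    public static WSFederationHttpBinding CreateFederationBinding(Uri stsAddress, Binding stsBinding)
    {
        var b = new WSFederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.IssuedTokenType =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#samlv1.1";
        b.Security.Message.NegotiateServiceCredential = false;
        b.Security.Message.EstablishSecurityContext = false; // establishSecurityContext="false"
        b.Security.Message.IssuerAddress = new EndpointAddress(stsAddress);
        b.Security.Message.IssuerBinding = stsBinding;
        return b;
    }

    // True when the binding still carries a secure-session element, i.e. the
    // client would issue RST/SCT to the service before the real request.
    public static bool HasSecureSession(Binding binding)
    {
        return FindSecureConversation(new CustomBinding(binding)) != null;
    }

    // Returns a CustomBinding in which the SecureConversation wrapper, if any,
    // is replaced by the bootstrap security element it wraps (the issued SAML token).
    public static CustomBinding RemoveSecureSession(Binding binding)
    {
        var custom = new CustomBinding(binding);
        var sct = FindSecureConversation(custom);
        if (sct != null)
        {
            var security = custom.Elements.Find<SecurityBindingElement>();
            custom.Elements[custom.Elements.IndexOf(security)] = sct.BootstrapSecurityBindingElement;
        }
        return custom;
    }

    private static SecureConversationSecurityTokenParameters FindSecureConversation(CustomBinding custom)
    {
        var security = custom.Elements.Find<SecurityBindingElement>();
        if (security == null) return null;
        // TransportWithMessageCredential: the session token is an endorsing supporting token.
        foreach (var p in security.EndpointSupportingTokenParameters.Endorsing)
            if (p is SecureConversationSecurityTokenParameters) return (SecureConversationSecurityTokenParameters)p;
        // Message mode: the session token is the symmetric protection token.
        var symmetric = security as SymmetricSecurityBindingElement;
        return symmetric == null ? null : symmetric.ProtectionTokenParameters as SecureConversationSecurityTokenParameters;
    }
}
```

Calling `HasSecureSession` on the binding actually loaded from app.config (for example via `new WSFederationHttpBinding("RegistryServiceBinding")`) tells you whether the configured `establishSecurityContext="false"` took effect; if it returns true, `RemoveSecureSession` gives the stripped CustomBinding to pass to the client channel factory.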