Empty authorization header when its value is set to an encrypted SAML 2 token

I am using Thinktecture Identity Server to issue SAML security tokens using the WS-Trust protocol. I then call my Web API with an HTTP Authorization header containing the token. The token is processed successfully by Thinktecture.IdentityModel.

But when I use a certificate to encrypt the issued token (by selecting an encryption certificate on the IdP's RP administration page), the Authorization header of the request received by IdentityModel is set to null (the encrypted value actually exists inside the InvalidHeaders array in the request object).

Using Fiddler, I replaced the header value with the one I get without encryption, and the request works. So it is definitely something in this header value.

This is the header value that goes through:

IdSrvSaml <Assertion ID="_6a775e39-a369-4f11-b173-3914ffb21839" IssueInstant="2013-10-21T07:48:43.046Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://login.dev.netformx.com/IDP/issue/wsfed</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_6a775e39-a369-4f11-b173-3914ffb21839"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>gj/Iad9M58yBn4US3Uu7V1GUYhOWsFT3OrrMlbtPusg=</DigestValue></Reference></SignedInfo><SignatureValue>U3nQIy/vL2bDOI8sV/YMzc5/iZPfEeFJN3WeuYRVD1sBnWGTEbaElbs3EudrO2nSBtR5EC8WJ7U2AULXm0jRnTPoxLxHxCBstnNozh/Cb82KSpSqF4JGCvAqxKjMv/T05uAylF1hFHH6qFcRG4CilMyo1X99saySVYib6QA7DHg=</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></Subject><Conditions NotBefore="2013-10-21T07:48:43.037Z" NotOnOrAfter="2013-10-21T17:48:43.037Z"><AudienceRestriction><Audience>https://dev.netformx.com/cloud/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>nfxtest</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>[email protected]</AttributeValue></Attribute><Attribute 
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>CloudReport</AttributeValue><AttributeValue>IdentityServerUsers</AttributeValue><AttributeValue>NetformxCloudUsers</AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/firstname"><AttributeValue>userfirstname                                                                         </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/lastname"><AttributeValue>userlastname                                                                        </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/companyname"><AttributeValue>companytestname</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2013-10-21T07:48:43.019Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>

And this is the header value with encryption, which does not go through:

IdSrvSaml <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>[email protected], CN=*.netformx.com, OU=IT, O=Netformx LTD, L=San Jose, S=California, C=US</X509IssuerName><X509SerialNumber>14992454907473718870</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>JPPwxxL06myHcEadsSpEgrMVuIhvyGcb6nDQs1WEFUsjNEAdc+y9S8ISmVO17rhfaA1VJ/OZyrHcZwghltctDfkRWSylpi2/pTm1CIPZpLfVu5vEHB3VTqySEpMVffcitQhKtl7R/Cmp5t/QnbZIUBeDJn+VpjSBaFyYC0R3JsE=</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>URBfgo6BWMQ9tQZEvUvxSdRrBx7IRv5LRmLzcZEEznBa0lKpRG+Yf9lUgWFzEr76aupfc9pkgiBNzxaSvtLdl6BCqINZFirk6CcNqsygHFXOzN13iHcl7UpyarwhwrnjxF+t5XACRRWKQAVTU38M7pThlnIgcbdToiXtluDxghJcpCNDqcWu7QB1nxj/f3mPIA91uFInIdeE7ACLRUFPe+5k/3VC3rjtZgKeaccwx5A/HuHzqto+cG8f1yQ2pGbuGa3YSm8x/TkSy9IpqKRHV57lB3N7Ci+8E0BDTsafZP2RujJAeaWzgeOJGDm2nfNGMI3fgJimzUySGYimwPlwTKJ1RlWXR8Sjfan3a8OVVtByArQgqtkHM2V8oPOwEW97Axk70rK2C8Uf3qKFVaqlOh+iih5QwwDmG/9FNuSYb9B6tThwypV+ne89eGf50hC+S4Vr8AE9ftYV1DflsRDK/4LoLHZowzhyLc+muckNa88dkHxpakxX1MTrYF8SwtJzoTlfRRwpDQG9lZk15YmDTneww9Chh4RRKuH0et8q1mq0F8qBg1DWUAA8zVY/Elg5ubnR5gSqdQPl054Uens27xvW1NKOfMPcI/2iEL+kely4PuBA4DOq7y9K6vn7tcIUbLkeoUfbvlF/adD5BiQbQXBR6i+k/XLYv4nN2E9kgvPFZkqIkgnfiUSWLEnEpk2txbxSVhgDiwHkFqlGhgCnfuXDe8g+MzrwTC+k52cTcuRqpyB
bKh3h2YobGNHjkcZGRGIs/I//kx7pjCuhqlxGhLhF/A3RZwhUyIcD8QZkYlFU4k4QTAUIcQURh6p4DEk213XM3MSSviERIILKMPfPh43e9lR6sYWLSQFSq+FWqZLHEeVX/f0IPUysnUAwuooq0M1WsIg/BUI7RehtiBaLLciXlwLMS6e5m6AgiveLuHtCGeAjB/friWvWCpdYMPABzX6vFD3Q5NKeiooFxNfdVGSYRn6cnLjinzhPeeREzvX78hFBeCQfcSBPSFarCKtzijaByyDbO4Y5kK9dC7bEUllQzUwuTd+ySFuZnPwQQdsS/7kHO3sXt/P48hK0BdU7I9ar0UfB4jXXRr712vjBqRoiETmHbEWssydjhUegSyoSm/tAkH2WONkvvha2gLS+L2cXk6LdsY5JTAzsedecirtrlrMiVuZ40xd6Sd5MatM99TdVDusFKuKSsefNDL0/v51Mu9CmPbrOL2eL9o6xs+UfAb2p5mB4DuOm6xI+h9jN1feLw6Cgh2TkKcsDDMVYSIk0n5g1GffPtP9LE4w11vcONEMouk8ykMIBMduoQXf0nrkPQhDuy4evxfAbE2LjfdsBDeKCg+qq9puRZ0yj/IgVlfjViXkBLs3c6wuPOiLFNL2ZN6DlyuF69JUcwFtVlzV9XZVRP15+f+ZfFV6dEzTNSZcgWKL0S+WMOlcr247knLE14jii8uhbmc/Xhfc1gPLgqT1bBfzGkx7aBlbGbItiM6I0yhCTGM4SBLhoNDo5PmhXLyXiNXD/RrvXOkFozPZ+iRVGThen1BVpkPNomiVY6gSH5+pplW+jD4jp4hnQ6OlaZNAi2WeOuslu7y0T68r8wkgKSRbmmp7TyTvXp/v/UmPP/m856S9phrP36KWdRxWaQkVVA832SC7vMt4hqGTHJPT7yWUxrAc2KnVvkHiP4OTc5GIwHf0h2sqD09wMqoKHMfJ+p5eBNSB866YQ3L+yyUGu9yKEznXrA58X7K1xK8JcnDZbeahIK4Dm4aIhAIRliWD4vI6sb3d5fnpGnlbA4GZ5xA2pzqxDRj/qraBGJIJTl1ew9XjU4NxraxT6tFDQjLLflek/dbD7HG2ssF1P0d2SpFMGSPGgjMUdxzz8ZcyVB5KG3loQlphtd4NoOfAj3ML5PNTFqKEWfMRrfcYZTPI4rRTnDQG0hjasH5sITPfczr67foPwaEAI7XE1ylQaO0eh6iDTtlaN4i2Ny8CFPejyAk3stf7cxaWobtNOCqo+s4GGmKLdtbRzQMUg+643apAm9gJd0f5AixLBAQ9NNytfQ8ZHoYnz/5EVeZhGweG9cFIjTg+Qt4ElguNCAsjuL4iixt6xEzyBsdh/mO2V3ZZmX3QHyZsh60dINngD2jNQdW/vbNqqIbHfDuhE4jtmbxIelc6NXzBft5L1VWJxunAm2t7kRwbcRRWdQNaXnE/rRPwovWPI+odNwgNPP6xamDSfh5LgCEBIwI7s4hD2RBRarCXkgP/t7fWjYB8Z5rpOnaMIAGTBknmKmlvjDG1/wWAyDTuIcg9CLaWz6A8E1DOjSnDznxp2+Vh8sLzDcQwxWrCKQ4bDNbpL3MPtn0IEL8v7gCRyRr45nyyyXePGj6uJQ3mTu3iq28DkQtcHctEUWLXxbp66ozzktrPMSUEHj0ORaH/aXDQqZarjsf99qTLPsExJDKvEofrTr/ks0/8/ojQj4uQ2ZJGzKztjuR2NTqZEWmq6blYqlT1N4RVxg/n1fUWoXlpL31DoTesySlbypNQKROTyUUxEatCX/2STqwp4mwwM+TiirgVsM3AdOGa5mQNIYh3+enJA+RjIdWzRImjxxmdLeEDkXWnoQl6w5XSHxIHKZZ03deAUQK5cRF3Sn8rOEyQGeDjiy2o7S7UL8F+fgpcuiP9NHiCsJpl7F+LQ1LNjeGDSjFWwHaAXxttIG1hXLRdFvHB5HLskdAFcgisYWpkNQoQKEt9X7aDS8x7zsQJwrCzrBaT
EMh+zSHGCpwApB3iqJDWlaARyJkW9vEhROnpAQllDbGhiHif3WupwUpS02hEgjcu6vVrRuKx0OcGJbSsFRfCWK7GQRFYW5tvG+Q8IZidnXj99q1HEzaARsWrDJv+rxE7Y+6W4qYlw0cW/73O7WF94q8uo+si08oupjpw3Fi2OBWg0mlZBqoWWLk7tzRWW6tFPV2GkN7ju5U7b0vqRY4IZANxogf23VTeeyPLvcWn64locrBui8IOxLTBOnqYrcJK6yIVF/PUOqqeyQMjI9jtMw1hP/+fZ9CDpLsXm6yBBzQF6TSrTag4Z824PitoOaBBn7Vx9rvG/rU8Vu+Z68j3LyX3MBU2WhdUWqqVFsNOFlYb3Z5dySbB8U7SZ1muw+EIcF4cEcVAW7A4OszQr9MRezcUKcaYc269pMeEpbUcK+K0pR8R4DvSKP/OWYs4ajrz/lRBImCidVbeslhPeF3H3blnQa0txVXD2izlNUPUIeS2nq4FThL7DxKXzUtMwcRwJJWIhYptmHYEdLuJcQ7E5BLJM0H2KC8/YuSYEyGNj3+HfIXhwKOPSL0alJs16lvxvEzm3gMosmiwCi8hze6aRS1uxco9sYRfuIhMj2O3zZ4zV9MBUyceT7FZhMOr4CdFSKgB+aW2LJgL8ljmrBy8G8YexQh4jgc+HA+655mBd1FWxhKllLCmlGaqKMCx8oYUHkqi8ziflWLY3QRM21ZkbziRH8WYYTsoHfzb7qfV9N2/ptojDsyvLed53kWu9kpamy4dcnhtP4UU49T16V86CKDt259hs8Z5nx2VaLqCcBilLghGDdx+p/j/qq+BdaY79NUce5KXjiXfuRtvZdqSjMqLeX52Wp176ycJ9TlCEPdCezaUjjStVmufJEaAoMMnmOvjB+6Jo5Hfnn0NNCUvBQDyYYJTub33AHAO+1mfBx+kE9oWLcurXIu92iZthhl0gr32eUMG7gcSl/mTc4eJFR4L+pwMY8IlxxiFFLsNPuCQaffas/Cgi4CNNOyui0cWOLgjnbWTImxVaUUDt40vKZP7oeSgAmyb2l9wOSlat6T3qSOfW7nBnx8459ZJPUKhJxuaBTo0pqwjnEI+YPtUtOHAsw16sto58Nq0EuP1HfSgHJxrUlDuOLtK933Cnd6AoRhOveUV9QtQlOx9RJBPZ6x1Ofs0VlEkZYgFa7Ajb1GhAByEm99GMTEAATLvavFaGgCB/WmJ1HSkUsQsB953qjzyOqVEz+o88xPYEXYk6J46LO4t1INBiIjfPehJ1bjvSMbLcrnoXQmcU/7dPAmxOxYbdExv138vVnjYR0MMYaSMPAbJ2R8T/Sw8VRQtwiGX5lv7dtEQBq8d9Ybgc2SKncqgg4Kih4kz66FRafRtt7UEhvkk0j75NIPomc8/3iK3/lPuvYSHS1HHX7FpcoUZ8a3c8spFfzpGTGwUF6dbANZOVtllct5FX9AEKjX2k5rLbwNxENy2RSSmZlR+eo7LgebxygpWMr6/wEbt4CAYragkR/NMyv7SZvRpMvBe0DJ+zdwd0WmW+7iWYjy1eJdbL2iVdKa8WeNZwt+g8leZdSjzu1nidK4n3lwys9oILD5NNkN0SzT0/sY4l1n8hlHweJR5BFnQ6TXF7kbAAAxOaV9cXBUIBaLzg1Vdm62FExYrCnH7fFIaXhoLVJl0yMfttRSNDaXVkd9xRznHlOxYVEi6mDPXhB36PfBwo4x/XYs5rdc3GoUsAdlPLTJWiyQ+49rXN7PDeIFssxwFZ9cEnnY5YOks3n2pQ8aBo15ROJVo1XJ626kzZ/VR+EgsMlHCrnXgyCW2OiFP6w46c0s7MnhfnDFNPBkQg5NGxsxQ+5iLDnCkzBBxIpfGf1e6RHnoWFxXgvV7+HfwlppQWawBT+CMyuJZh8WoU+uO7N24pwpwDk43iNOi41cfNCEjfhQmhxP2HmyFuNJICZl3Xop/NP4CboE2Oiw2c4P0mW3ZX5HZVxRuW4UwlYMJxbVh
0EUfVw4SK0sKkooWzxcklnR1L6g4b7KiBziKQsDQRUUQ6U4KIYABrAVBJCNeagN0lqEFJOL8n2GfelI5B1EEL9SZ7j8b3B0XlMYohYj4SHTVTPo0dTOzsp+ruTjtgpBI743R+Vp3dyaPnUsgRoLyPt0GAgkuUQfFuLLtX+w0dTeskGi9PYgKSTpmkWUEE4cYpLvhqtiKjNwX2m/OScf1JNxTEGO4SE/sA7lGQLSbZDzi+laCuMfdlLA1y5QBKuhzf0L9iFpB5/AFkkL3Jd8/2E3dMkwBuslnSvDlWXH6w92gTcnKuEPMcbl86VVTvPNNkFuOjl/nIU2AVTdHGXDjKIBXWGF8rVHKNDg+LnF4AaRKFc07H1gqrVXIDbsigmv/Ga1kd2uAZCAhtlI4cbvXT1Y8twY/CvNoq15ASm7L0HuB4wN3U/yehtnTfKO3+Dbw9eh8YqnXImCxjEP8kqP8SaR15RHc6a8g5CTo8Htrrx2GmUhqu23ASMA4l0z6eznpbG7E0n9vHM+nLOOwuTmpMPy5puVd2yUpyFKUmTMl9VFqXM5OySCv1dRAkHAbgtrEQAnsnww==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></EncryptedAssertion>

Any ideas why the Authorization header does not go through?
