Używam Thinktechture Identity Server do wydawania moich tokenów bezpieczeństwa SAML przy użyciu protokołu WS-Trust. Następnie dzwonię do WEB Api z nagłówkiem http autoryzacji zawierającym token. Token jest obsługiwany z powodzeniem przy użyciu Thinktechture.IdentityModel.

Ale gdy używam certyfikatu do szyfrowania wysłanego tokena (wybierając certyfikat szyfrowania na stronie administratora RPP IDP), żądanie odebrane przez IdentityModel ma ustawiony nagłówek autoryzacji na wartość null (w rzeczywistości zaszyfrowana wartość istnieje wewnątrz tablicy „InvalidHeaders” w obiekt żądania).

Używając skrzypka, zamieniłem wartość nagłówka na tę, którą otrzymałem bez szyfrowania, a odpowiedź na żądanie działa. Więc to jest zdecydowanie w tej wartości nagłówka.

Jest to wartość nagłówka, która przechodzi przez:

IdSrvSaml <Assertion ID="_6a775e39-a369-4f11-b173-3914ffb21839" IssueInstant="2013-10-21T07:48:43.046Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://login.dev.netformx.com/IDP/issue/wsfed</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_6a775e39-a369-4f11-b173-3914ffb21839"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>gj/Iad9M58yBn4US3Uu7V1GUYhOWsFT3OrrMlbtPusg=</DigestValue></Reference></SignedInfo><SignatureValue>U3nQIy/vL2bDOI8sV/YMzc5/iZPfEeFJN3WeuYRVD1sBnWGTEbaElbs3EudrO2nSBtR5EC8WJ7U2AULXm0jRnTPoxLxHxCBstnNozh/Cb82KSpSqF4JGCvAqxKjMv/T05uAylF1hFHH6qFcRG4CilMyo1X99saySVYib6QA7DHg=</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDnzCCAwigAwIBAgIJANAP5k4PCG5WMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDE5ldGZvcm14IExURDELMAkGA1UECxMCSVQxFzAVBgNVBAMUDioubmV0Zm9ybXguY29tMR4wHAYJKoZIhvcNAQkBFg9pdEBuZXRmb3JteC5jb20wHhcNMTExMjE5MTI1MjM1WhcNMjExMjE4MTI1MjM1WjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxOZXRmb3JteCBMVEQxCzAJBgNVBAsTAklUMRcwFQYDVQQDFA4qLm5ldGZvcm14LmNvbTEeMBwGCSqGSIb3DQEJARYPaXRAbmV0Zm9ybXguY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn23JZTi6UMZ+iwsxCP1SGX2Py39BqBH3dDjUdZA00A8x/UWibIgcGlQkA7KNESPwEZBHT2JhebiHosHMOPWe/0lpY7N4FZ9IcMTk1iFrX1I43EEYNlhKAvAnPv1105BUdFs3HtAohqxtJ+R1e+9yUJA0M+9HCj8gotMs/MwYVTQIDAQABo4H6MIH3MB0GA1UdDgQWBBTbT+HBO+s2rhEfvESxKrwgCCx3gzCBxwYDVR0jBIG/MIG8gBTbT+HBO+s2rhEfvESxKrwgCCx3g6GBmKSBlTCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxOZXRmb3JteCBMVEQxCzAJBgNVBAsTAklUMRcwFQYDVQQDFA4qLm5ldGZvcm14LmNvbTEeMBwGCSqGSIb3DQEJARYPaXRAbmV0Zm9ybXguY29tggkA0A/mTg8IblYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA9cFQGXx2dDE9qUdeM7Y82D8Tv/hscyoHX+tu/8ToWnkLQBcfsNwaZFBRkPdeBnzavgMfZ3jage+hD2GD5YM3jfbMlZ+oKrDKDx/YP64ElQeNFqPdG6MitCVWYmM5OkL12Zm7sy/K8FBTTbj0gaRmePqYKQzK2tctOLzg3jDXCJQ==</X509Certificate></X509Data></KeyInfo></Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></Subject><Conditions NotBefore="2013-10-21T07:48:43.037Z" NotOnOrAfter="2013-10-21T17:48:43.037Z"><AudienceRestriction><Audience>https://dev.netformx.com/cloud/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>nfxtest</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>[email protected]</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>CloudReport</AttributeValue><AttributeValue>IdentityServerUsers</AttributeValue><AttributeValue>NetformxCloudUsers</AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/firstname"><AttributeValue>userfirstname                                                                         </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/lastname"><AttributeValue>userlastname                                                                        </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/companyname"><AttributeValue>companytestname</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2013-10-21T07:48:43.019Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>

A to jest wartość nagłówka podczas szyfrowania, który nie przechodzi:

IdSrvSaml <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>[email protected], CN=*.netformx.com, OU=IT, O=Netformx LTD, L=San Jose, S=California, C=US</X509IssuerName><X509SerialNumber>14992454907473718870</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>JPPwxxL06myHcEadsSpEgrMVuIhvyGcb6nDQs1WEFUsjNEAdc+y9S8ISmVO17rhfaA1VJ/OZyrHcZwghltctDfkRWSylpi2/pTm1CIPZpLfVu5vEHB3VTqySEpMVffcitQhKtl7R/Cmp5t/QnbZIUBeDJn+VpjSBaFyYC0R3JsE=</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>URBfgo6BWMQ9tQZEvUvxSdRrBx7IRv5LRmLzcZEEznBa0lKpRG+Yf9lUgWFzEr76aupfc9pkgiBNzxaSvtLdl6BCqINZFirk6CcNqsygHFXOzN13iHcl7UpyarwhwrnjxF+t5XACRRWKQAVTU38M7pThlnIgcbdToiXtluDxghJcpCNDqcWu7QB1nxj/f3mPIA91uFInIdeE7ACLRUFPe+5k/3VC3rjtZgKeaccwx5A/HuHzqto+cG8f1yQ2pGbuGa3YSm8x/TkSy9IpqKRHV57lB3N7Ci+8E0BDTsafZP2RujJAeaWzgeOJGDm2nfNGMI3fgJimzUySGYimwPlwTKJ1RlWXR8Sjfan3a8OVVtByArQgqtkHM2V8oPOwEW97Axk70rK2C8Uf3qKFVaqlOh+iih5QwwDmG/9FNuSYb9B6tThwypV+ne89eGf50hC+S4Vr8AE9ftYV1DflsRDK/4LoLHZowzhyLc+muckNa88dkHxpakxX1MTrYF8SwtJzoTlfRRwpDQG9lZk15YmDTneww9Chh4RRKuH0et8q1mq0F8qBg1DWUAA8zVY/Elg5ubnR5gSqdQPl054Uens27xvW1NKOfMPcI/2iEL+kely4PuBA4DOq7y9K6vn7tcIUbLkeoUfbvlF/adD5BiQbQXBR6i+k/XLYv4nN2E9kgvPFZkqIkgnfiUSWLEnEpk2txbxSVhgDiwHkFqlGhgCnfuXDe8g+MzrwTC+k52cTcuRqpyBbKh3h2YobGNHjkcZGRGIs/I//kx7pjCuhqlxGhLhF/A3RZwhUyIcD8QZkYlFU4k4QTAUIcQURh6p4DEk213XM3MSSviERIILKMPfPh43e9lR6sYWLSQFSq+FWqZLHEeVX/f0IPUysnUAwuooq0M1WsIg/BUI7RehtiBaLLciXlwLMS6e5m6AgiveLuHtCGeAjB/friWvWCpdYMPABzX6vFD3Q5NKeiooFxNfdVGSYRn6cnLjinzhPeeREzvX78hFBeCQfcSBPSFarCKtzijaByyDbO4Y5kK9dC7bEUllQzUwuTd+ySFuZnPwQQdsS/7kHO3sXt/P48hK0BdU7I9ar0UfB4jXXRr712vjBqRoiETmHbEWssydjhUegSyoSm/tAkH2WONkvvha2gLS+L2cXk6LdsY5JTAzsedecirtrlrMiVuZ40xd6Sd5MatM99TdVDusFKuKSsefNDL0/v51Mu9CmPbrOL2eL9o6xs+UfAb2p5mB4DuOm6xI+h9jN1feLw6Cgh2TkKcsDDMVYSIk0n5g1GffPtP9LE4w11vcONEMouk8ykMIBMduoQXf0nrkPQhDuy4evxfAbE2LjfdsBDeKCg+qq9puRZ0yj/IgVlfjViXkBLs3c6wuPOiLFNL2ZN6DlyuF69JUcwFtVlzV9XZVRP15+f+ZfFV6dEzTNSZcgWKL0S+WMOlcr247knLE14jii8uhbmc/Xhfc1gPLgqT1bBfzGkx7aBlbGbItiM6I0yhCTGM4SBLhoNDo5PmhXLyXiNXD/RrvXOkFozPZ+iRVGThen1BVpkPNomiVY6gSH5+pplW+jD4jp4hnQ6OlaZNAi2WeOuslu7y0T68r8wkgKSRbmmp7TyTvXp/v/UmPP/m856S9phrP36KWdRxWaQkVVA832SC7vMt4hqGTHJPT7yWUxrAc2KnVvkHiP4OTc5GIwHf0h2sqD09wMqoKHMfJ+p5eBNSB866YQ3L+yyUGu9yKEznXrA58X7K1xK8JcnDZbeahIK4Dm4aIhAIRliWD4vI6sb3d5fnpGnlbA4GZ5xA2pzqxDRj/qraBGJIJTl1ew9XjU4NxraxT6tFDQjLLflek/dbD7HG2ssF1P0d2SpFMGSPGgjMUdxzz8ZcyVB5KG3loQlphtd4NoOfAj3ML5PNTFqKEWfMRrfcYZTPI4rRTnDQG0hjasH5sITPfczr67foPwaEAI7XE1ylQaO0eh6iDTtlaN4i2Ny8CFPejyAk3stf7cxaWobtNOCqo+s4GGmKLdtbRzQMUg+643apAm9gJd0f5AixLBAQ9NNytfQ8ZHoYnz/5EVeZhGweG9cFIjTg+Qt4ElguNCAsjuL4iixt6xEzyBsdh/mO2V3ZZmX3QHyZsh60dINngD2jNQdW/vbNqqIbHfDuhE4jtmbxIelc6NXzBft5L1VWJxunAm2t7kRwbcRRWdQNaXnE/rRPwovWPI+odNwgNPP6xamDSfh5LgCEBIwI7s4hD2RBRarCXkgP/t7fWjYB8Z5rpOnaMIAGTBknmKmlvjDG1/wWAyDTuIcg9CLaWz6A8E1DOjSnDznxp2+Vh8sLzDcQwxWrCKQ4bDNbpL3MPtn0IEL8v7gCRyRr45nyyyXePGj6uJQ3mTu3iq28DkQtcHctEUWLXxbp66ozzktrPMSUEHj0ORaH/aXDQqZarjsf99qTLPsExJDKvEofrTr/ks0/8/ojQj4uQ2ZJGzKztjuR2NTqZEWmq6blYqlT1N4RVxg/n1fUWoXlpL31DoTesySlbypNQKROTyUUxEatCX/2STqwp4mwwM+TiirgVsM3AdOGa5mQNIYh3+enJA+RjIdWzRImjxxmdLeEDkXWnoQl6w5XSHxIHKZZ03deAUQK5cRF3Sn8rOEyQGeDjiy2o7S7UL8F+fgpcuiP9NHiCsJpl7F+LQ1LNjeGDSjFWwHaAXxttIG1hXLRdFvHB5HLskdAFcgisYWpkNQoQKEt9X7aDS8x7zsQJwrCzrBaTEMh+zSHGCpwApB3iqJDWlaARyJkW9vEhROnpAQllDbGhiHif3WupwUpS02hEgjcu6vVrRuKx0OcGJbSsFRfCWK7GQRFYW5tvG+Q8IZidnXj99q1HEzaARsWrDJv+rxE7Y+6W4qYlw0cW/73O7WF94q8uo+si08oupjpw3Fi2OBWg0mlZBqoWWLk7tzRWW6tFPV2GkN7ju5U7b0vqRY4IZANxogf23VTeeyPLvcWn64locrBui8IOxLTBOnqYrcJK6yIVF/PUOqqeyQMjI9jtMw1hP/+fZ9CDpLsXm6yBBzQF6TSrTag4Z824PitoOaBBn7Vx9rvG/rU8Vu+Z68j3LyX3MBU2WhdUWqqVFsNOFlYb3Z5dySbB8U7SZ1muw+EIcF4cEcVAW7A4OszQr9MRezcUKcaYc269pMeEpbUcK+K0pR8R4DvSKP/OWYs4ajrz/lRBImCidVbeslhPeF3H3blnQa0txVXD2izlNUPUIeS2nq4FThL7DxKXzUtMwcRwJJWIhYptmHYEdLuJcQ7E5BLJM0H2KC8/YuSYEyGNj3+HfIXhwKOPSL0alJs16lvxvEzm3gMosmiwCi8hze6aRS1uxco9sYRfuIhMj2O3zZ4zV9MBUyceT7FZhMOr4CdFSKgB+aW2LJgL8ljmrBy8G8YexQh4jgc+HA+655mBd1FWxhKllLCmlGaqKMCx8oYUHkqi8ziflWLY3QRM21ZkbziRH8WYYTsoHfzb7qfV9N2/ptojDsyvLed53kWu9kpamy4dcnhtP4UU49T16V86CKDt259hs8Z5nx2VaLqCcBilLghGDdx+p/j/qq+BdaY79NUce5KXjiXfuRtvZdqSjMqLeX52Wp176ycJ9TlCEPdCezaUjjStVmufJEaAoMMnmOvjB+6Jo5Hfnn0NNCUvBQDyYYJTub33AHAO+1mfBx+kE9oWLcurXIu92iZthhl0gr32eUMG7gcSl/mTc4eJFR4L+pwMY8IlxxiFFLsNPuCQaffas/Cgi4CNNOyui0cWOLgjnbWTImxVaUUDt40vKZP7oeSgAmyb2l9wOSlat6T3qSOfW7nBnx8459ZJPUKhJxuaBTo0pqwjnEI+YPtUtOHAsw16sto58Nq0EuP1HfSgHJxrUlDuOLtK933Cnd6AoRhOveUV9QtQlOx9RJBPZ6x1Ofs0VlEkZYgFa7Ajb1GhAByEm99GMTEAATLvavFaGgCB/WmJ1HSkUsQsB953qjzyOqVEz+o88xPYEXYk6J46LO4t1INBiIjfPehJ1bjvSMbLcrnoXQmcU/7dPAmxOxYbdExv138vVnjYR0MMYaSMPAbJ2R8T/Sw8VRQtwiGX5lv7dtEQBq8d9Ybgc2SKncqgg4Kih4kz66FRafRtt7UEhvkk0j75NIPomc8/3iK3/lPuvYSHS1HHX7FpcoUZ8a3c8spFfzpGTGwUF6dbANZOVtllct5FX9AEKjX2k5rLbwNxENy2RSSmZlR+eo7LgebxygpWMr6/wEbt4CAYragkR/NMyv7SZvRpMvBe0DJ+zdwd0WmW+7iWYjy1eJdbL2iVdKa8WeNZwt+g8leZdSjzu1nidK4n3lwys9oILD5NNkN0SzT0/sY4l1n8hlHweJR5BFnQ6TXF7kbAAAxOaV9cXBUIBaLzg1Vdm62FExYrCnH7fFIaXhoLVJl0yMfttRSNDaXVkd9xRznHlOxYVEi6mDPXhB36PfBwo4x/XYs5rdc3GoUsAdlPLTJWiyQ+49rXN7PDeIFssxwFZ9cEnnY5YOks3n2pQ8aBo15ROJVo1XJ626kzZ/VR+EgsMlHCrnXgyCW2OiFP6w46c0s7MnhfnDFNPBkQg5NGxsxQ+5iLDnCkzBBxIpfGf1e6RHnoWFxXgvV7+HfwlppQWawBT+CMyuJZh8WoU+uO7N24pwpwDk43iNOi41cfNCEjfhQmhxP2HmyFuNJICZl3Xop/NP4CboE2Oiw2c4P0mW3ZX5HZVxRuW4UwlYMJxbVh0EUfVw4SK0sKkooWzxcklnR1L6g4b7KiBziKQsDQRUUQ6U4KIYABrAVBJCNeagN0lqEFJOL8n2GfelI5B1EEL9SZ7j8b3B0XlMYohYj4SHTVTPo0dTOzsp+ruTjtgpBI743R+Vp3dyaPnUsgRoLyPt0GAgkuUQfFuLLtX+w0dTeskGi9PYgKSTpmkWUEE4cYpLvhqtiKjNwX2m/OScf1JNxTEGO4SE/sA7lGQLSbZDzi+laCuMfdlLA1y5QBKuhzf0L9iFpB5/AFkkL3Jd8/2E3dMkwBuslnSvDlWXH6w92gTcnKuEPMcbl86VVTvPNNkFuOjl/nIU2AVTdHGXDjKIBXWGF8rVHKNDg+LnF4AaRKFc07H1gqrVXIDbsigmv/Ga1kd2uAZCAhtlI4cbvXT1Y8twY/CvNoq15ASm7L0HuB4wN3U/yehtnTfKO3+Dbw9eh8YqnXImCxjEP8kqP8SaR15RHc6a8g5CTo8Htrrx2GmUhqu23ASMA4l0z6eznpbG7E0n9vHM+nLOOwuTmpMPy5puVd2yUpyFKUmTMl9VFqXM5OySCv1dRAkHAbgtrEQAnsnww==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></EncryptedAssertion>

Jakieś pomysły, dlaczego autoryzacja nie przechodzi?