Authorization header in null when setting its value to an Encrypted SAML 2 token

Question

I'm using Thinktechture Identity Server to issue my SAML security tokens using the WS-Trust protocol. Then I'm calling my WEB Api with an Authorization http header containing the token. The token is handled successfully using Thinktechture.IdentityModel.

But when I use a certificate to encrypt the sent token (by choosing an Encrypting Certificate in the IDP RP Admin page), the request received by IdentityModel has it's Authorization header set to null (Actually the encrypted value exists inside an "InvalidHeaders" array in the request object).

Using fiddler I replaced the header value to the one I get without encryption, and replying the request works. So it's defiantly something in this header value.

This is the header value that does pass through:

IdSrvSaml <Assertion ID="_6a775e39-a369-4f11-b173-3914ffb21839" IssueInstant="2013-10-21T07:48:43.046Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://login.dev.netformx.com/IDP/issue/wsfed</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_6a775e39-a369-4f11-b173-3914ffb21839"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>gj/Iad9M58yBn4US3Uu7V1GUYhOWsFT3OrrMlbtPusg=</DigestValue></Reference></SignedInfo><SignatureValue>U3nQIy/vL2bDOI8sV/YMzc5/iZPfEeFJN3WeuYRVD1sBnWGTEbaElbs3EudrO2nSBtR5EC8WJ7U2AULXm0jRnTPoxLxHxCBstnNozh/Cb82KSpSqF4JGCvAqxKjMv/T05uAylF1hFHH6qFcRG4CilMyo1X99saySVYib6QA7DHg=</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDnzCCAwigAwIBAgIJANAP5k4PCG5WMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDE5ldGZvcm14IExURDELMAkGA1UECxMCSVQxFzAVBgNVBAMUDioubmV0Zm9ybXguY29tMR4wHAYJKoZIhvcNAQkBFg9pdEBuZXRmb3JteC5jb20wHhcNMTExMjE5MTI1MjM1WhcNMjExMjE4MTI1MjM1WjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxOZXRmb3JteCBMVEQxCzAJBgNVBAsTAklUMRcwFQYDVQQDFA4qLm5ldGZvcm14LmNvbTEeMBwGCSqGSIb3DQEJARYPaXRAbmV0Zm9ybXguY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn23JZTi6UMZ+iwsxCP1SGX2Py39BqBH3dDjUdZA00A8x/UWibIgcGlQkA7KNESPwEZBHT2JhebiHosHMOPWe/0lpY7N4FZ9IcMTk1iFrX1I43EEYNlhKAvAnPv1105BUdFs3HtAohqxtJ+R1e+9yUJA0M+9HCj8gotMs/MwYVTQIDAQABo4H6MIH3MB0GA1UdDgQWBBTbT+HBO+s2rhEfvESxKrwgCCx3gzCBxwYDVR0jBIG/MIG8gBTbT+HBO+s2rhEfvESxKrwgCCx3g6GBmKSBlTCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxOZXRmb3JteCBMVEQxCzAJBgNVBAsTAklUMRcwFQYDVQQDFA4qLm5ldGZvcm14LmNvbTEeMBwGCSqGSIb3DQEJARYPaXRAbmV0Zm9ybXguY29tggkA0A/mTg8IblYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA9cFQGXx2dDE9qUdeM7Y82D8Tv/hscyoHX+tu/8ToWnkLQBcfsNwaZFBRkPdeBnzavgMfZ3jage+hD2GD5YM3jfbMlZ+oKrDKDx/YP64ElQeNFqPdG6MitCVWYmM5OkL12Zm7sy/K8FBTTbj0gaRmePqYKQzK2tctOLzg3jDXCJQ==</X509Certificate></X509Data></KeyInfo></Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></Subject><Conditions NotBefore="2013-10-21T07:48:43.037Z" NotOnOrAfter="2013-10-21T17:48:43.037Z"><AudienceRestriction><Audience>https://dev.netformx.com/cloud/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>nfxtest</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>xxx@yyy.com</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><AttributeValue>CloudReport</AttributeValue><AttributeValue>IdentityServerUsers</AttributeValue><AttributeValue>NetformxCloudUsers</AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/firstname"><AttributeValue>userfirstname                                                                         </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/lastname"><AttributeValue>userlastname                                                                        </AttributeValue></Attribute><Attribute Name="http://identityserver.thinktecture.com/claims/profileclaims/companyname"><AttributeValue>companytestname</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2013-10-21T07:48:43.019Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>

And this is the header value when encrypting that doesn't pass through:

IdSrvSaml <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>E=it@netformx.com, CN=*.netformx.com, OU=IT, O=Netformx LTD, L=San Jose, S=California, C=US</X509IssuerName><X509SerialNumber>14992454907473718870</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>JPPwxxL06myHcEadsSpEgrMVuIhvyGcb6nDQs1WEFUsjNEAdc+y9S8ISmVO17rhfaA1VJ/OZyrHcZwghltctDfkRWSylpi2/pTm1CIPZpLfVu5vEHB3VTqySEpMVffcitQhKtl7R/Cmp5t/QnbZIUBeDJn+VpjSBaFyYC0R3JsE=</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>URBfgo6BWMQ9tQZEvUvxSdRrBx7IRv5LRmLzcZEEznBa0lKpRG+Yf9lUgWFzEr76aupfc9pkgiBNzxaSvtLdl6BCqINZFirk6CcNqsygHFXOzN13iHcl7UpyarwhwrnjxF+t5XACRRWKQAVTU38M7pThlnIgcbdToiXtluDxghJcpCNDqcWu7QB1nxj/f3mPIA91uFInIdeE7ACLRUFPe+5k/3VC3rjtZgKeaccwx5A/HuHzqto+cG8f1yQ2pGbuGa3YSm8x/TkSy9IpqKRHV57lB3N7Ci+8E0BDTsafZP2RujJAeaWzgeOJGDm2nfNGMI3fgJimzUySGYimwPlwTKJ1RlWXR8Sjfan3a8OVVtByArQgqtkHM2V8oPOwEW97Axk70rK2C8Uf3qKFVaqlOh+iih5QwwDmG/9FNuSYb9B6tThwypV+ne89eGf50hC+S4Vr8AE9ftYV1DflsRDK/4LoLHZowzhyLc+muckNa88dkHxpakxX1MTrYF8SwtJzoTlfRRwpDQG9lZk15YmDTneww9Chh4RRKuH0et8q1mq0F8qBg1DWUAA8zVY/Elg5ubnR5gSqdQPl054Uens27xvW1NKOfMPcI/2iEL+kely4PuBA4DOq7y9K6vn7tcIUbLkeoUfbvlF/adD5BiQbQXBR6i+k/XLYv4nN2E9kgvPFZkqIkgnfiUSWLEnEpk2txbxSVhgDiwHkFqlGhgCnfuXDe8g+MzrwTC+k52cTcuRqpyBbKh3h2YobGNHjkcZGRGIs/I//kx7pjCuhqlxGhLhF/A3RZwhUyIcD8QZkYlFU4k4QTAUIcQURh6p4DEk213XM3MSSviERIILKMPfPh43e9lR6sYWLSQFSq+FWqZLHEeVX/f0IPUysnUAwuooq0M1WsIg/BUI7RehtiBaLLciXlwLMS6e5m6AgiveLuHtCGeAjB/friWvWCpdYMPABzX6vFD3Q5NKeiooFxNfdVGSYRn6cnLjinzhPeeREzvX78hFBeCQfcSBPSFarCKtzijaByyDbO4Y5kK9dC7bEUllQzUwuTd+ySFuZnPwQQdsS/7kHO3sXt/P48hK0BdU7I9ar0UfB4jXXRr712vjBqRoiETmHbEWssydjhUegSyoSm/tAkH2WONkvvha2gLS+L2cXk6LdsY5JTAzsedecirtrlrMiVuZ40xd6Sd5MatM99TdVDusFKuKSsefNDL0/v51Mu9CmPbrOL2eL9o6xs+UfAb2p5mB4DuOm6xI+h9jN1feLw6Cgh2TkKcsDDMVYSIk0n5g1GffPtP9LE4w11vcONEMouk8ykMIBMduoQXf0nrkPQhDuy4evxfAbE2LjfdsBDeKCg+qq9puRZ0yj/IgVlfjViXkBLs3c6wuPOiLFNL2ZN6DlyuF69JUcwFtVlzV9XZVRP15+f+ZfFV6dEzTNSZcgWKL0S+WMOlcr247knLE14jii8uhbmc/Xhfc1gPLgqT1bBfzGkx7aBlbGbItiM6I0yhCTGM4SBLhoNDo5PmhXLyXiNXD/RrvXOkFozPZ+iRVGThen1BVpkPNomiVY6gSH5+pplW+jD4jp4hnQ6OlaZNAi2WeOuslu7y0T68r8wkgKSRbmmp7TyTvXp/v/UmPP/m856S9phrP36KWdRxWaQkVVA832SC7vMt4hqGTHJPT7yWUxrAc2KnVvkHiP4OTc5GIwHf0h2sqD09wMqoKHMfJ+p5eBNSB866YQ3L+yyUGu9yKEznXrA58X7K1xK8JcnDZbeahIK4Dm4aIhAIRliWD4vI6sb3d5fnpGnlbA4GZ5xA2pzqxDRj/qraBGJIJTl1ew9XjU4NxraxT6tFDQjLLflek/dbD7HG2ssF1P0d2SpFMGSPGgjMUdxzz8ZcyVB5KG3loQlphtd4NoOfAj3ML5PNTFqKEWfMRrfcYZTPI4rRTnDQG0hjasH5sITPfczr67foPwaEAI7XE1ylQaO0eh6iDTtlaN4i2Ny8CFPejyAk3stf7cxaWobtNOCqo+s4GGmKLdtbRzQMUg+643apAm9gJd0f5AixLBAQ9NNytfQ8ZHoYnz/5EVeZhGweG9cFIjTg+Qt4ElguNCAsjuL4iixt6xEzyBsdh/mO2V3ZZmX3QHyZsh60dINngD2jNQdW/vbNqqIbHfDuhE4jtmbxIelc6NXzBft5L1VWJxunAm2t7kRwbcRRWdQNaXnE/rRPwovWPI+odNwgNPP6xamDSfh5LgCEBIwI7s4hD2RBRarCXkgP/t7fWjYB8Z5rpOnaMIAGTBknmKmlvjDG1/wWAyDTuIcg9CLaWz6A8E1DOjSnDznxp2+Vh8sLzDcQwxWrCKQ4bDNbpL3MPtn0IEL8v7gCRyRr45nyyyXePGj6uJQ3mTu3iq28DkQtcHctEUWLXxbp66ozzktrPMSUEHj0ORaH/aXDQqZarjsf99qTLPsExJDKvEofrTr/ks0/8/ojQj4uQ2ZJGzKztjuR2NTqZEWmq6blYqlT1N4RVxg/n1fUWoXlpL31DoTesySlbypNQKROTyUUxEatCX/2STqwp4mwwM+TiirgVsM3AdOGa5mQNIYh3+enJA+RjIdWzRImjxxmdLeEDkXWnoQl6w5XSHxIHKZZ03deAUQK5cRF3Sn8rOEyQGeDjiy2o7S7UL8F+fgpcuiP9NHiCsJpl7F+LQ1LNjeGDSjFWwHaAXxttIG1hXLRdFvHB5HLskdAFcgisYWpkNQoQKEt9X7aDS8x7zsQJwrCzrBaTEMh+zSHGCpwApB3iqJDWlaARyJkW9vEhROnpAQllDbGhiHif3WupwUpS02hEgjcu6vVrRuKx0OcGJbSsFRfCWK7GQRFYW5tvG+Q8IZidnXj99q1HEzaARsWrDJv+rxE7Y+6W4qYlw0cW/73O7WF94q8uo+si08oupjpw3Fi2OBWg0mlZBqoWWLk7tzRWW6tFPV2GkN7ju5U7b0vqRY4IZANxogf23VTeeyPLvcWn64locrBui8IOxLTBOnqYrcJK6yIVF/PUOqqeyQMjI9jtMw1hP/+fZ9CDpLsXm6yBBzQF6TSrTag4Z824PitoOaBBn7Vx9rvG/rU8Vu+Z68j3LyX3MBU2WhdUWqqVFsNOFlYb3Z5dySbB8U7SZ1muw+EIcF4cEcVAW7A4OszQr9MRezcUKcaYc269pMeEpbUcK+K0pR8R4DvSKP/OWYs4ajrz/lRBImCidVbeslhPeF3H3blnQa0txVXD2izlNUPUIeS2nq4FThL7DxKXzUtMwcRwJJWIhYptmHYEdLuJcQ7E5BLJM0H2KC8/YuSYEyGNj3+HfIXhwKOPSL0alJs16lvxvEzm3gMosmiwCi8hze6aRS1uxco9sYRfuIhMj2O3zZ4zV9MBUyceT7FZhMOr4CdFSKgB+aW2LJgL8ljmrBy8G8YexQh4jgc+HA+655mBd1FWxhKllLCmlGaqKMCx8oYUHkqi8ziflWLY3QRM21ZkbziRH8WYYTsoHfzb7qfV9N2/ptojDsyvLed53kWu9kpamy4dcnhtP4UU49T16V86CKDt259hs8Z5nx2VaLqCcBilLghGDdx+p/j/qq+BdaY79NUce5KXjiXfuRtvZdqSjMqLeX52Wp176ycJ9TlCEPdCezaUjjStVmufJEaAoMMnmOvjB+6Jo5Hfnn0NNCUvBQDyYYJTub33AHAO+1mfBx+kE9oWLcurXIu92iZthhl0gr32eUMG7gcSl/mTc4eJFR4L+pwMY8IlxxiFFLsNPuCQaffas/Cgi4CNNOyui0cWOLgjnbWTImxVaUUDt40vKZP7oeSgAmyb2l9wOSlat6T3qSOfW7nBnx8459ZJPUKhJxuaBTo0pqwjnEI+YPtUtOHAsw16sto58Nq0EuP1HfSgHJxrUlDuOLtK933Cnd6AoRhOveUV9QtQlOx9RJBPZ6x1Ofs0VlEkZYgFa7Ajb1GhAByEm99GMTEAATLvavFaGgCB/WmJ1HSkUsQsB953qjzyOqVEz+o88xPYEXYk6J46LO4t1INBiIjfPehJ1bjvSMbLcrnoXQmcU/7dPAmxOxYbdExv138vVnjYR0MMYaSMPAbJ2R8T/Sw8VRQtwiGX5lv7dtEQBq8d9Ybgc2SKncqgg4Kih4kz66FRafRtt7UEhvkk0j75NIPomc8/3iK3/lPuvYSHS1HHX7FpcoUZ8a3c8spFfzpGTGwUF6dbANZOVtllct5FX9AEKjX2k5rLbwNxENy2RSSmZlR+eo7LgebxygpWMr6/wEbt4CAYragkR/NMyv7SZvRpMvBe0DJ+zdwd0WmW+7iWYjy1eJdbL2iVdKa8WeNZwt+g8leZdSjzu1nidK4n3lwys9oILD5NNkN0SzT0/sY4l1n8hlHweJR5BFnQ6TXF7kbAAAxOaV9cXBUIBaLzg1Vdm62FExYrCnH7fFIaXhoLVJl0yMfttRSNDaXVkd9xRznHlOxYVEi6mDPXhB36PfBwo4x/XYs5rdc3GoUsAdlPLTJWiyQ+49rXN7PDeIFssxwFZ9cEnnY5YOks3n2pQ8aBo15ROJVo1XJ626kzZ/VR+EgsMlHCrnXgyCW2OiFP6w46c0s7MnhfnDFNPBkQg5NGxsxQ+5iLDnCkzBBxIpfGf1e6RHnoWFxXgvV7+HfwlppQWawBT+CMyuJZh8WoU+uO7N24pwpwDk43iNOi41cfNCEjfhQmhxP2HmyFuNJICZl3Xop/NP4CboE2Oiw2c4P0mW3ZX5HZVxRuW4UwlYMJxbVh0EUfVw4SK0sKkooWzxcklnR1L6g4b7KiBziKQsDQRUUQ6U4KIYABrAVBJCNeagN0lqEFJOL8n2GfelI5B1EEL9SZ7j8b3B0XlMYohYj4SHTVTPo0dTOzsp+ruTjtgpBI743R+Vp3dyaPnUsgRoLyPt0GAgkuUQfFuLLtX+w0dTeskGi9PYgKSTpmkWUEE4cYpLvhqtiKjNwX2m/OScf1JNxTEGO4SE/sA7lGQLSbZDzi+laCuMfdlLA1y5QBKuhzf0L9iFpB5/AFkkL3Jd8/2E3dMkwBuslnSvDlWXH6w92gTcnKuEPMcbl86VVTvPNNkFuOjl/nIU2AVTdHGXDjKIBXWGF8rVHKNDg+LnF4AaRKFc07H1gqrVXIDbsigmv/Ga1kd2uAZCAhtlI4cbvXT1Y8twY/CvNoq15ASm7L0HuB4wN3U/yehtnTfKO3+Dbw9eh8YqnXImCxjEP8kqP8SaR15RHc6a8g5CTo8Htrrx2GmUhqu23ASMA4l0z6eznpbG7E0n9vHM+nLOOwuTmpMPy5puVd2yUpyFKUmTMl9VFqXM5OySCv1dRAkHAbgtrEQAnsnww==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></EncryptedAssertion>

Any ideas why the Authorization heaedr doesn't pass through?

Answer 1

The encrypted SAML has invalid characters. You need to base64 encode it.