Question

I have some working code that I have been using on a test O365 site; it works perfectly. I can authenticate, and pull data using the SharePoint client object model.

On another site, that was migrated from BPOS, claims-based auth fails. Specifically, in the SAML token for the working site the structure is like this:

<wst:RequestedSecurityToken>
    <wsse:BinarySecurityToken Id="Compact0">bunch of token stuff here</wsse:BinarySecurityToken>
</wst:RequestedSecurityToken>

On the site that does NOT work, this section looks like this:

<wst:RequestedSecurityToken>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509SKI>stuff in here</ds:X509SKI>
            </ds:X509Data>
            <ds:KeyName>microsoftonline.com</ds:KeyName>
          </ds:KeyInfo>
          <CipherData>
            <CipherValue>lots of stuff in here</CipherValue>
          </CipherData>
        </EncryptedKey>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>Loads more stuff in here</CipherValue>
      </CipherData>
    </EncryptedData>
</wst:RequestedSecurityToken>

This is really different! The surrounding areas look pretty much the same as far as I can tell.

What is this telling me? That authentication has failed? The claims auth code I am using is dependent on the 'BinarySecurityToken', so this is why it fails: it's not there.

Is there some SharePoint setting I need to tweak? Contact MS support? Anyone?


Solution

It's an encrypted response using a KEK (Key Encryption Key). You'll need the public key of the sender to decrypt the EncryptedKey. That lets you use that key to decrypt the CipherData, which is what you're after, I would think.
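
A practical first check, before claims code goes looking for a BinarySecurityToken, is to inspect which of the two shapes the STS actually returned. The following Python is an added example, not code from the question, the answer, or the SharePoint client object model: it parses a constructed RSTR fragment in the encrypted shape shown above, reports the data cipher, the key-transport algorithm and the KeyInfo that identifies the certificate whose private key is needed to unwrap the symmetric key, and separates the IV that XML Encryption prefixes to a CBC CipherValue. The wst namespace URI is an assumption (the snippet leaves the prefix undeclared), and the RSA-OAEP unwrap and 3DES-CBC decryption themselves are left to a crypto library.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
IV_BYTES = {XENC + "tripledes-cbc": 8, XENC + "aes128-cbc": 16, XENC + "aes256-cbc": 16}

# Constructed sample in the shape from the question: dummy base64 payloads, assumed wst namespace URI.
SAMPLE_ENCRYPTED_RSTR = """<wst:RequestSecurityTokenResponse
 xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestedSecurityToken>
 <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey>
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <ds:KeyInfo><ds:X509Data><ds:X509SKI>c2tpLWJ5dGVz</ds:X509SKI></ds:X509Data><ds:KeyName>microsoftonline.com</ds:KeyName></ds:KeyInfo>
   <CipherData><CipherValue>d3JhcHBlZC1rZXk=</CipherValue></CipherData></EncryptedKey></ds:KeyInfo>
  <CipherData><CipherValue>AAAAAAAAAABCQkJCQkJCQg==</CipherValue></CipherData>
 </EncryptedData></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"""


def _find(elem, local_name):
    """First node under elem (itself included) with this local name, whatever its prefix."""
    return next((n for n in elem.iter() if n.tag.rsplit("}", 1)[-1] == local_name), None)


_text = lambda e: (e.text or "").strip() if e is not None else None


def inspect_requested_token(rstr_xml):
    """'compact': wsse:BinarySecurityToken present (what the asker's code expects);
    'encrypted': assertion wrapped in xenc:EncryptedData and must be decrypted first."""
    rst = _find(ET.fromstring(rstr_xml), "RequestedSecurityToken")
    bst = _find(rst, "BinarySecurityToken") if rst is not None else None
    if bst is not None:
        return {"kind": "compact", "id": bst.get("Id"), "token": _text(bst)}
    enc = _find(rst, "EncryptedData") if rst is not None else None
    enc_key = _find(enc, "EncryptedKey") if enc is not None else None  # the wrapped symmetric key
    if enc_key is None:
        return {"kind": "unknown"}
    return {
        "kind": "encrypted",
        "data_algorithm": enc.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm"),  # symmetric
        "key_transport_algorithm": _find(enc_key, "EncryptionMethod").get("Algorithm"),  # RSA wrap
        "key_name": _text(_find(enc_key, "KeyName")),  # names the cert whose private key unwraps
        "wrapped_key_b64": _text(_find(enc_key, "CipherValue")),
        "ciphertext_b64": _text(enc.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")),
    }


def split_iv_and_body(ciphertext_b64, data_algorithm):
    """XML Encryption prepends the IV to a CBC ciphertext: peel it off before decrypting."""
    raw = base64.b64decode(ciphertext_b64)
    n = IV_BYTES[data_algorithm]  # KeyError for a data cipher this helper does not know
    if len(raw) <= n or (len(raw) - n) % n:
        raise ValueError("CipherValue too short or not block-aligned")
    return raw[:n], raw[n:]
```

Element matching is by local name so the same check works whichever WS-Trust or WSS namespace version the token uses.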

Licensed under: CC-BY-SA with attribution