WCF, Rampart, ADFS2 and SAML Interop issue

Jason Rattos

Joined: Jan 08, 2003
Posts: 3

I'm working on establishing interoperability between .NET WCF 3.5 and Axis2/Rampart using ADFS2 as the STS and using SAML authentication.

Initially I used Axis 1.4.1/Rampart 1.4 but in an attempt to rule out issues relating to WS-* standards compatibility have also created a duplicate environment running Axis 1.5.1/Rampart 1.5. Both environments use Eclipse 3.5.1 (Galileo)/Tomcat 5.5 for the Java service side.

My objective is:
WCF->ADFS2->SAML token->Axis2/Rampart

Using Kerberos authentication to obtain a SAML token from ADFS2 and propagating this to Rampart.

Much progress has been made so far, but the error I'm now getting on Rampart is as follows (on both versions 1.4 & 1.5):

[ERROR] General security error (SAML token security failure)
org.apache.axis2.AxisFault: General security error (SAML token security failure)

Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:169)
at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:73)
at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:170)
at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:74)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:144)

After building source versions for Rampart (just 1.4 so far) I've traced this problem to the following source code:


// Excerpt from org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo (WSS4J as shipped with Rampart 1.4).
// Imports the excerpt relies on:
import java.security.cert.X509Certificate;
import org.apache.ws.security.WSSecurityException;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.w3c.dom.Element;

// Inside getSAMLKeyInfo(): the subject's KeyInfo is expected to carry the
// holder-of-key certificate directly as a ds:X509Data child.
Element e = samlSubj.getKeyInfo();
X509Certificate[] certs = null;
try {
    KeyInfo ki = new KeyInfo(e, null);

    if (ki.containsX509Data()) {               // only direct ds:X509Data children count
        X509Data data = ki.itemX509Data(0);
        XMLX509Certificate certElem = null;
        if (data != null && data.containsCertificate()) {
            certElem = data.itemCertificate(0);
            if (certElem != null) {
                X509Certificate cert = certElem.getX509Certificate();
                certs = new X509Certificate[1];
                certs[0] = cert;
                return new SAMLKeyInfo(assertion, certs);
            }
        }
    }
} catch (XMLSecurityException ex) {
    // Wrapped and rethrown as the "SAML token security failure" seen in the trace
    throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, ex);
}

The line ki.containsX509Data() above returns false and fails.

The value from the Element e is as follows:
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<o:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<X509IssuerName>CN=Root Agency</X509IssuerName>

The attempt to obtain the X509 data above is failing even when it appears in the message? (IssuerSerial).
All references I've seen so far indicate that the style of X509 reference is supported by Rampart and WSS4J (default?!).

This key reference is the certificate that ADFS2 has used to encrypt the message.

Any help at all would be greatly appreciated!

Thanks Jason
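As an added diagnostic (not code from this thread, nor from Rampart or WSS4J), the JAXP snippet below re-implements the direct-child X509Data check that WSS4J's SAMLUtil performs and then reports where the certificate reference actually sits in a KeyInfo shaped like the one quoted above. The sample XML is constructed: it completes the truncated fragment with an assumed X509SerialNumber and CipherValue, and uses xmlns:o for the SecurityTokenReference prefix.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class SamlKeyInfoProbe {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample: the post's KeyInfo fragment, completed with a made-up serial and ciphertext.
    static final String SAMPLE = "<KeyInfo xmlns=\"" + DSIG + "\">"
        + "<e:EncryptedKey xmlns:e=\"" + XENC + "\">"
        + "<e:EncryptionMethod Algorithm=\"" + XENC + "rsa-oaep-mgf1p\">"
        + "<DigestMethod Algorithm=\"" + DSIG + "sha1\"/></e:EncryptionMethod>"
        + "<KeyInfo><o:SecurityTokenReference xmlns:o=\"" + WSSE + "\">"
        + "<X509Data><X509IssuerSerial><X509IssuerName>CN=Root Agency</X509IssuerName>"
        + "<X509SerialNumber>1</X509SerialNumber></X509IssuerSerial></X509Data>"
        + "</o:SecurityTokenReference></KeyInfo>"
        + "<e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>"
        + "</e:EncryptedKey></KeyInfo>";

    // Mirrors ki.containsX509Data(): Apache XML Security counts only direct ds:X509Data children.
    static boolean hasDirectX509Data(Element keyInfo) {
        for (Node n = keyInfo.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && DSIG.equals(n.getNamespaceURI())
                    && "X509Data".equals(n.getLocalName())) return true;
        }
        return false;
    }

    // Reports the nesting the STS actually produced: EncryptedKey -> STR -> X509IssuerSerial.
    static String describeEncryptedKeyReference(Element keyInfo) {
        NodeList ek = keyInfo.getElementsByTagNameNS(XENC, "EncryptedKey");
        if (ek.getLength() == 0) return "no EncryptedKey";
        NodeList str = ((Element) ek.item(0)).getElementsByTagNameNS(WSSE, "SecurityTokenReference");
        if (str.getLength() == 0) return "EncryptedKey without SecurityTokenReference";
        NodeList serial = ((Element) str.item(0)).getElementsByTagNameNS(DSIG, "X509IssuerSerial");
        return serial.getLength() > 0 ? "EncryptedKey -> STR -> X509IssuerSerial" : "EncryptedKey -> STR (other reference)";
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD processing
        Element keyInfo = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        System.out.println("direct X509Data (what WSS4J looks for): " + hasDirectX509Data(keyInfo));
        System.out.println("actual reference shape: " + describeEncryptedKeyReference(keyInfo));
    }
}
```

Running it prints false for the direct check and the nested EncryptedKey path for the second line, which is why the SAMLKeyInfo lookup falls through to the "SAML token security failure" even though an issuer/serial reference is present in the message.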

A dharmag

Joined: Jul 27, 2010
Posts: 1
Hi Jason,
I am looking to implement a similar use case as yours.
In my case, I need to write a Java client to talk to an ADFS2 STS and use SAML authentication, which I believe can be done with Axis2/Rampart.

I am new to axis2 and Rampart. I am looking for some help as to how to implement this.
I was wondering if you have any references you may have used.
Is it possible for you to share sample code of your implementation?
Any help would be appreciated.

Khary Mendez

Joined: Aug 18, 2010
Posts: 1
Hi Jason,
I too am interested in the progress you have made so far and any code you would be willing to make available. I will soon be attempting to prototype similar capabilities. Have you considered using any of the APIs provided by GlassFish Metro for accessing the STS as Metro is supposed to be designed to interoperate with .Net? Thanks for any info!
Jason Rattos

Joined: Jan 08, 2003
Posts: 3
Hi Guys,

I've only just looked at this problem again recently. At the moment, I'm trying to use the BearerKey confirmation method instead of the Holder-of-Key confirmation method which I'd started using from the beginning.

I'm still not having any luck with this approach either so far, but am still trying to narrow down the issue. It is not clear whether Rampart actually supports BearerKey or not.

Will keep posted as this progresses.

Jason Rattos

Joined: Jan 08, 2003
Posts: 3
An update...

I've decided to abandon any more effort attempting to get this to work using Rampart.

Neither HoK nor BearerKey works. This is indeed very disappointing given the number of Axis2 web service users.

This is already an open issue on Rampart which parallels my experience so far:


As an alternative I plan to develop my own SOAP/SAML interceptor instead using an open source API that can do the job.

Good luck!