It's doing my head in... What am I missing here? It must be something with the timestamp, because when I play with those I get different errors...
I've got the following envelope (which is how the provider gave it to me to use), but it keeps giving me:
<s:Body>
  <s:Fault>
    <s:Code>
      <s:Value>s:Sender</s:Value>
      <s:Subcode>
        <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
      </s:Subcode>
    </s:Code>
    <s:Reason>
      <s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text>
    </s:Reason>
  </s:Fault>
</s:Body>
This is my code:
$c = $this->getTimestamp();     // Created
$e = $this->getTimestamp(300);  // Expires (see the answer below: this must be later than Created)
$envelope = '
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:4137dbed-db9f-40d9-ba9c-6fc82eb8aa46</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://sts.service.net/adfs/services/trust/13/usernamemixed</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>'.$c.'</u:Created>
        <u:Expires>'.$e.'</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-4137dbed-db9f-40d9-ba9c-6fc82eb8aa46">
        <o:Username>'.$username.'</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'.$password.'</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>'.$appliesTo.'</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>
';
// Note: $username, $password and $appliesTo are interpolated into the XML without escaping.
$soap_do = curl_init();
curl_setopt($soap_do, CURLOPT_URL, "https://sts.service.net/adfs/services/trust/13/usernamemixed");
curl_setopt($soap_do, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($soap_do, CURLOPT_HEADER, 0);
curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 20);
curl_setopt($soap_do, CURLOPT_TIMEOUT, 20);
curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, 0);  // TLS certificate verification is disabled here
curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 0);  // hostname check is disabled here
curl_setopt($soap_do, CURLOPT_POST, true);
curl_setopt($soap_do, CURLOPT_POSTFIELDS, $envelope);
curl_setopt($soap_do, CURLOPT_HTTPHEADER, array('Content-Type: application/soap+xml; charset=utf-8'));
$this->payload = curl_exec($soap_do);
You are putting the current timestamp in both the Created element and the Expires element. That means that when the receiver receives the RST, the message will have expired and the receiver will be forced to reject it. Use e.g.:
gmdate("Y-m-d\TH:i:s\Z", time() + 300);
for the Expires element.
Also check for clock drift: the time on the client as well as the server should be synchronized.
Last but not least: by default ADFS 2.0 will try to encrypt the token in the response, so it requires the configuration of an encryption certificate for the Relying Party. Make sure that you've configured one for the entity associated with appliesTo. The ADFS error logs should give you a hint about that error.
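To make the timestamp point concrete, here is an added PHP example (not code from the question or the answer): it builds Created/Expires the way the answer suggests, applies the freshness check a receiver performs (including a clock-drift allowance), and builds the Security header with DOMDocument so the username and password are XML-escaped instead of concatenated into the string. The function names make_timestamp, timestamp_problem and security_header are hypothetical.

```php
<?php
// Added example, not code from the question or the answer. Function names
// (make_timestamp, timestamp_problem, security_header) are hypothetical.
const WSU = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';

// Created = now, Expires = now + $ttl seconds, both UTC with a trailing Z.
function make_timestamp(int $now, int $ttl = 300): array {
    return ['Created' => gmdate('Y-m-d\TH:i:s\Z', $now),
            'Expires' => gmdate('Y-m-d\TH:i:s\Z', $now + $ttl)];
}

// Receiver-side freshness check with a clock-skew allowance.
// Returns null when the timestamp is acceptable, otherwise the reason.
function timestamp_problem(array $ts, int $receiverNow, int $skew = 300): ?string {
    $created = strtotime($ts['Created']);
    $expires = strtotime($ts['Expires']);
    if ($created === false || $expires === false) return 'unparseable timestamp';
    if ($expires <= $created) return 'Expires is not after Created';
    if ($receiverNow < $created - $skew) return 'Created is in the future (clock drift?)';
    if ($receiverNow > $expires + $skew) return 'message has expired';
    return null;
}

// Build <o:Security> with DOMDocument so username and password are escaped
// rather than concatenated into the XML string as in the question.
function security_header(string $user, string $pass, array $ts): string {
    $d = new DOMDocument('1.0', 'UTF-8');
    $sec = $d->appendChild($d->createElementNS(WSSE, 'o:Security'));
    $t = $sec->appendChild($d->createElementNS(WSU, 'u:Timestamp'));
    $t->setAttributeNS(WSU, 'u:Id', '_0');
    $t->appendChild($d->createElementNS(WSU, 'u:Created', $ts['Created']));
    $t->appendChild($d->createElementNS(WSU, 'u:Expires', $ts['Expires']));
    $tok = $sec->appendChild($d->createElementNS(WSSE, 'o:UsernameToken'));
    $tok->appendChild($d->createElementNS(WSSE, 'o:Username'))
        ->appendChild($d->createTextNode($user));
    $p = $tok->appendChild($d->createElementNS(WSSE, 'o:Password'));
    $p->setAttribute('Type', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText');
    $p->appendChild($d->createTextNode($pass));
    return $d->saveXML($sec);
}

$now = time();
// The question's situation: Created and Expires are the same instant.
$same = ['Created' => gmdate('Y-m-d\TH:i:s\Z', $now), 'Expires' => gmdate('Y-m-d\TH:i:s\Z', $now)];
echo "same instant: ", timestamp_problem($same, $now + 1), "\n";
echo "now + 300s:   ", timestamp_problem(make_timestamp($now), $now + 1) ?? 'ok', "\n";
echo "15 min later: ", timestamp_problem(make_timestamp($now), $now + 900), "\n";
echo security_header('alice', 'p<ss&w>rd', make_timestamp($now)), "\n";
```

The last line shows the constructed password printed with its special characters escaped, which the string concatenation in the question does not do.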