I am writing a WCF client for a third-party SOAP service (on a Java backend I believe) that uses SSL transport, mutual authentication and digital signing.
I have established the connection via SSL and am signing the request correctly with the relevant client certificates. The request goes through successfully and the third-party has confirmed the validity of the message that I am sending.
However, the problem comes when we receive the response from the service.
The response comes back with a signed timestamp and body.
There is a BinarySecurityToken and a SecurityTokenReference with a Reference field of type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
At the moment, I am getting the following exception from the client:
Exception encountered: System.ServiceModel.Security.MessageSecurityException: Cannot find a token authenticator for the ‘System.IdentityModel.Tokens.X509SecurityToken’ token type. Tokens of that type cannot be accepted according to current security settings.
I am currently using a customBinding configured as follows:
<customBinding>
<binding name="Custom">
<security
defaultAlgorithmSuite="Basic256Rsa15"
allowSerializedSigningTokenOnReply="true"
authenticationMode="CertificateOverTransport"
securityHeaderLayout="Strict"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport requireClientCertificate="true" />
</binding>
</customBinding>
I can’t find any information on how to use this BinarySecurityToken to verify the signing of the response or even how to configure the client to accept “Tokens of that type”
Thanks in advance for any help or suggestions,
PhilHalf
It turns out that by changing the messageSecurityVersion to:
has resolved the problem and I can now process security tokens being returned