mace-opensaml-users - [OpenSAML] Embedded SecurityTokenReference in EncryptedKey (Unsupported key identification)


[OpenSAML] Embedded SecurityTokenReference in EncryptedKey (Unsupported key identification)

  • From: Enrique Sabatel <>
  • Subject: [OpenSAML] Embedded SecurityTokenReference in EncryptedKey (Unsupported key identification)
  • Date: Fri, 18 Mar 2011 12:26:11 +0100

I have generated and successfully validated a SAML token in which the SubjectConfirmation element is as follows:

<saml2:SubjectConfirmation Method="urn:oasis:names:tc:2.0:cm:holder-of-key">
  <saml2:SubjectConfirmationData NotBefore="2011-03-18T11:00:51.792Z" NotOnOrAfter="2011-03-18T11:05:51.792Z" xsi:type="saml2:KeyInfoConfirmationDataType">
    <ds:KeyInfo>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-4A787BE16A9F37BE9712928485377682">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">t84A4I7a6WZYL3byvSUu6VLfEVA=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>U50IKQoPt58IsZYqAB3D/vrp4t7+JLBirUzYeXek7kKJhQR9ieX23OVEHmqLyl0FK76Nqc0Kl4SQ&#xd;Rnf71O69hRYZ1I8Zw/KIifONRftUt5hCoX7nFI5IPF3lElIgZVCMLvyHuIZvr6NGM3bXEfYIBaJh&#xd;QVNK2SMt3ZWi5CsJErM=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
  </saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>

However, when I change the SecurityTokenReference to Embedded, like this:

<wsse:SecurityTokenReference>
  <wsse:Embedded>
    <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SomeCert">MIIC....1M=</wsse:BinarySecurityToken>
  </wsse:Embedded>
</wsse:SecurityTokenReference>

I get this error:

An error was discovered processing the <wsse:Security> header (Unsupported key identification)

Shouldn't this kind of token reference be supported? Or am I missing something?
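For readers comparing the two wsse:SecurityTokenReference forms in the post, here is an added example (written for this page, not code from the original post and not OpenSAML's or any WS-Security stack's implementation) of a small resolver that accepts both: a ThumbprintSHA1 KeyIdentifier, which is looked up by thumbprint, and an Embedded BinarySecurityToken, which is decoded and then still matched against the recipient's own certificates. The function and variable names (resolve_encryption_cert, LOCAL_CERTS, SAMPLE_DER) are assumptions, and SAMPLE_DER is a constructed byte string standing in for a DER certificate, not a real X.509 structure; the thumbprint rule (base64 of SHA-1 over the DER bytes) is the one the WSS X.509 Token Profile defines, so the byte content does not matter for exercising the code path. The rejection of an unhandled form mirrors the "Unsupported key identification" class of error from the thread.

```python
"""Resolve the certificate named by a wsse:SecurityTokenReference inside a
ds:KeyInfo, accepting both forms from the thread (ThumbprintSHA1 KeyIdentifier
and Embedded BinarySecurityToken).  Added example, not OpenSAML or WSS4J code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


class UnsupportedKeyIdentification(ValueError):
    """Raised for any STR form the resolver does not handle or cannot map to a local key."""


def thumbprint_sha1(der: bytes) -> str:
    # WSS X.509 Token Profile 1.1: ThumbprintSHA1 = base64(SHA-1(DER-encoded certificate)).
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def resolve_encryption_cert(keyinfo_xml: str, local_certs: dict) -> bytes:
    """Return the DER certificate from local_certs (keyed by thumbprint) that the STR names.

    For an EncryptedKey this is the recipient's own key-encryption certificate, so the
    result must be one we hold the private key for.  An Embedded token is supplied by
    the peer, so it is treated as a hint and matched against local_certs by content,
    never used simply because it was present in the message.
    """
    keyinfo = ET.fromstring(keyinfo_xml)
    str_el = keyinfo.find("wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise UnsupportedKeyIdentification("no wsse:SecurityTokenReference in ds:KeyInfo")

    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        if kid.get("ValueType") != THUMBPRINT_SHA1:
            raise UnsupportedKeyIdentification("KeyIdentifier ValueType %s" % kid.get("ValueType"))
        tp = "".join((kid.text or "").split())  # tolerate line-wrapped base64
        if tp not in local_certs:
            raise UnsupportedKeyIdentification("thumbprint does not match a local certificate")
        return local_certs[tp]

    bst = str_el.find("wsse:Embedded/wsse:BinarySecurityToken", NS)
    if bst is not None:
        if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64_BINARY:
            raise UnsupportedKeyIdentification("Embedded token is not a base64 X509v3 certificate")
        der = base64.b64decode("".join((bst.text or "").split()), validate=True)
        # Match by content (same thumbprint and same bytes), not by the sender's say-so.
        if local_certs.get(thumbprint_sha1(der)) != der:
            raise UnsupportedKeyIdentification("embedded certificate is not one of ours")
        return der

    raise UnsupportedKeyIdentification("unsupported SecurityTokenReference form")


# Constructed stand-in for a DER certificate (not a real X.509 structure): the
# thumbprint rule only needs the raw bytes, so any byte string exercises the code path.
SAMPLE_DER = bytes.fromhex("3082000a0201010a0101ff")
LOCAL_CERTS = {thumbprint_sha1(SAMPLE_DER): SAMPLE_DER}

_DECL = 'xmlns:ds="%s" xmlns:wsse="%s" xmlns:wsu="%s"' % (NS["ds"], NS["wsse"], NS["wsu"])

# Constructed sample: the KeyIdentifier form from the post's working token.
KEYINFO_THUMBPRINT = """<ds:KeyInfo %s>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier EncodingType="%s" ValueType="%s">%s</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>""" % (_DECL, BASE64_BINARY, THUMBPRINT_SHA1, thumbprint_sha1(SAMPLE_DER))

# Constructed sample: the Embedded form that the post's processor rejected.
KEYINFO_EMBEDDED = """<ds:KeyInfo %s>
  <wsse:SecurityTokenReference>
    <wsse:Embedded>
      <wsse:BinarySecurityToken wsu:Id="SomeCert" EncodingType="%s" ValueType="%s">%s</wsse:BinarySecurityToken>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>""" % (_DECL, BASE64_BINARY, X509V3, base64.b64encode(SAMPLE_DER).decode("ascii"))

# Constructed sample of a form this resolver deliberately does not handle (Reference by URI).
KEYINFO_REFERENCE = """<ds:KeyInfo %s>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SomeCert" ValueType="%s"/>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>""" % (_DECL, X509V3)


def is_rejected(keyinfo_xml: str) -> bool:
    """True if the resolver refuses the STR with UnsupportedKeyIdentification."""
    try:
        resolve_encryption_cert(keyinfo_xml, LOCAL_CERTS)
    except UnsupportedKeyIdentification:
        return True
    return False


if __name__ == "__main__":
    print(resolve_encryption_cert(KEYINFO_THUMBPRINT, LOCAL_CERTS) == SAMPLE_DER)
    print(resolve_encryption_cert(KEYINFO_EMBEDDED, LOCAL_CERTS) == SAMPLE_DER)
    print(is_rejected(KEYINFO_REFERENCE))
```

The design point worth keeping from this is the asymmetry between the two forms: a thumbprint can only ever select a key the recipient already holds, whereas an Embedded token carries a certificate chosen by the sender, so a resolver that supports it must still reduce it to a locally held key pair (here by thumbprint and byte-for-byte comparison) rather than treat the embedded certificate as authoritative.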


