Post an updated working example. See WORKING EXAMPLE below.
Problem. The .NET client cannot use the SOAP message associated with the SAML 2.0 identity statement signed by the link using the STR-TRANSFORM algorithm.
Java message producer: Spring and WSS4J
.NET Client Client: Version 4.5.1
SAML: version 2.0, Sender-Vouches confirmation method; the statement itself is signed; the statement is also signed at the message level by reference using the STR-TRANSFORM algorithm.
The .NET client fails:
<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
The Microsoft hotfix ( http://support.microsoft.com/kb/974842 ) for the .NET 3.5 platform allows the .NET message producer to communicate with a SOAP message bound to a SAML statement signed with a link by defining a user binding in web.config. But we could not understand how to force the .NET client to use such a message.
EDIT:
, . . . , .NET SOAP-, SAML, , STR-TRANSFORM, , . .NET .
.NET :
An error occurred: 'System.Security.Cryptography.CryptographicException: Unknown transform has been encountered.
at System.Security.Cryptography.Xml.Reference.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedInfo.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.Signature.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedXml.LoadXml(XmlElement value)
, , URI , .NET. , , .NET :
<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
3.4.3 (SAML Assertion Referenced from SignedInfo) OASIS Web Services Security SAML Token Profile 1.1.1 , " SAML, ."
.NET . WSS4J OpenSAML , .
- .NET machine.config STR-TRANSFORM?
UPDATE, .NET:
( " " ), System.Security.Cryptography.Xml.Reference.LoadXML :
Transform transform = CryptoConfig.CreateFromName(attribute) as Transform;
:
if (transform == null) {throw new CryptographicException (SecurityResources.GetResourceString( "Cryptography_Xml_UnknownTransform" )); }
System.Security.Cryptography.CryptoConfig.CreateFromName machine.config, , .NET.
STR-Transform, machine.config, - ?
<mscorlib>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
<cryptoClass strtransform="Custom.Class.StrTransformProvider,Custom.Class" />
</cryptoClasses>
<nameEntry name="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" class="strtransform" />
</cryptoNameMapping>
</cryptographySettings>
</mscorlib>
. , Java, .NET-, . WSS4J OpenSAML. # . , .
, # . (- .) C:\Temp\Payload.xml, #. Visual Studio 2010 .NET 4.0 . , Visual Studio. , , .NET.
# :
signedXml.LoadXml((XmlElement)node);
:
A first chance exception of type 'System.Security.Cryptography.CryptographicException' occurred in System.Security.dll
********* ERROR: System.Security.Cryptography.CryptographicException: Unknown transform has been encountered.
at System.Security.Cryptography.Xml.Reference.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedInfo.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.Signature.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedXml.LoadXml(XmlElement value)
at TestSignatureVerification.Program.ValidateDocument(XmlDocument docToTest) in ... Program.cs:line 59
at TestSignatureVerification.Program.VerifyXMLSignature(String xmlFileLocation) in ... Program.cs:line 26 *********
, . , . . , , XOP, .
wsse: , :
- wsse: BinarySecurityToken ( x509 SOAP)
- saml2: Assertion ( , SOAP
, SAML Sender-Vouches
)
- wsse: SecurityTokenReference ( wsse: BinarySecurityToken
ds: Signature - . )
- ds: ( SAML)
SAML :
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
, SAML STR-Transform. , .NET " ". , http://www.w3.org/2001/10/xml-exc-c14n# "" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" , " ", (, , ) ( , ).
, saml2: Assertion ds: Signature. , , . SOAP , . , , SOAP , , Token Service, SAML, SOAP , . , , , ( - , - SOAP).
Google . ds: X509Certificate SAML www.google.com. Google () SAML, SOAP, . SOAP, https://www.example.com, , SAML.
XPath ds: Signature . SAML ds: Signature . ( SOAP), " (! Status) break" . SAML. " ". ; . SAML .
#
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
using System.Collections.Generic;
using System.Diagnostics;
namespace TestSignatureVerification
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine(VerifyXMLSignature(@"C:\Temp\Payload.xml").ToString());
}
public static bool VerifyXMLSignature(string xmlFileLocation)
{
try
{
XmlDocument docToTest = new XmlDocument();
docToTest.PreserveWhitespace = true;
docToTest.XmlResolver = null;
docToTest.Load(xmlFileLocation);
return ValidateDocument(docToTest);
}
catch (Exception e)
{
Debug.WriteLine("********* ERROR: " + e.ToString() + " *********");
return false;
}
}
public static bool ValidateDocument(XmlDocument docToTest)
{
bool status = true;
XmlNamespaceManager manager = new XmlNamespaceManager(docToTest.NameTable);
manager.AddNamespace("wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
XmlNodeList securityList = docToTest.SelectNodes("//wsse:Security", manager);
X509Certificate2 cert = getCertificate(securityList[0]);
manager.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
XmlNodeList nodeList = docToTest.SelectNodes("//ds:Signature", manager);
Debug.WriteLine("Count of Signature nodes: " + nodeList.Count);
SignedXml signedXml = new SignedXml(docToTest);
foreach (XmlNode node in nodeList)
{
Debug.WriteLine("InnerXML: " + node.InnerXml);
signedXml.LoadXml((XmlElement)node);
status = signedXml.CheckSignature(cert, true);
Debug.WriteLine("CheckSignature status: " + status);
}
return status;
}
private static XmlElement retrieveHeader(XmlDocument xmlContent)
{
return xmlContent.ChildNodes.OfType<XmlElement>().First(e => e.Name.Contains("Envelope")).ChildNodes.OfType<XmlElement>().First(e=> e.Name.Contains("Header"));
}
private static X509Certificate2 getCertificate(XmlNode securityNode)
{
XmlElement binarySecurityToken = (
from element in securityNode.ChildNodes.OfType<XmlElement>()
where element.Name.Contains("BinarySecurityToken")
select element).First();
string encodedCertificate = binarySecurityToken.InnerText;
byte[] decodedContent = Convert.FromBase64String(encodedCertificate);
return new X509Certificate2(decodedContent);
}
}
}
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-81591DAC97D1A4EF26139995608718319">MIIROTCCECGgAwIBAgIQD2AtUFHRJ/PkEI4BTHIMwDANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBDQS0zMB4XDTExMTAwMzAwMDAwMFoXDTE0MTIxMDEyMDAwMFowfTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDFNhbnRhIE1vbmljYTEgMB4GA1UEChMXRWRnZUNhc3QgTmV0d29ya3MsIEluYy4xIDAeBgNVBAMTF2dwMS53YWMuZWRnZWNhc3RjZG4ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1K3ZOsUnhUTxZgquo3P2QZ3KJxdugFaKGfPIxkaEaX4pQl6uOVCjcMbzsh/RoW3XBGbo1Gp9KibpYMCwjSYyRNvr4TZsjjLoY1+WfFIHD+3PwkFyIzQo9oZdr9hViSI0DENmdqTbJJVODuQt4jjUgNuCTIRdPrHS+MR4OTwvtGQRwc358/deZVdoWNMhcyBQaxXGVZskJpFKHr3waFW5yMt4JGy2QuCMYZCNHftZlLLXOezcWZBldxi/BNTTDgeQvzZNCNR290qu2hddqF6vivjbgBncRhEQ1ZVdTHON7iy5e66smEKtDNmfBobHHUvOuhOYXNhawiayJuYgvriVQIDAQABo4INyjCCDcYwHwYDVR0jBBgwFoAUUOpzidsp+xCPnuUBINTeeZlIg/cwHQYDVR0OBBYEFBQVJB6vf7Wp91ztREPqVFypreKRMIIMIQYDVR0RBIIMGDCCDBSCF2dwMS53YWMuZWRnZWNhc3RjZG4ubmV0ghN3YWMuZWRnZWNhc3RjZG4ubmV0ghZuZS53YWMuZWRnZWNhc3RjZG4ubmV0gg1zd2YubWl4cG8uY29tghVjZG4udHJhY2VyZWdpc3Rlci5jb22CDnMudG1vY2FjaGUuY29tghFzLm15LnRtb2NhY2hlLmNvbYINZTEuYm94Y2RuLm5ldIINZTIuYm94Y2RuLm5ldIINZTMuYm94Y2RuLm5ldIINd3d3LnNvbm9zLmNvbYIac3RhdGljLWNhY2hlLnRwLWdsb2JhbC5uZXSCFXNzbC1jZG4uc29tZXRyaWNzLmNvbYIjY2FjaGUudmVoaWNsZWFzc2V0cy5jYXB0aXZlbGVhZC5jb22CEXN0YXRpYy53b29wcmEuY29tgg9pbWFnZXMuaW5rMi5jb22CF2Fzc2V0cy1zZWN1cmUucmF6b28uY29tggxlYy5wb25kNS5jb22CFWltYWdlcy5lc2VsbGVycHJvLmNvbYIPdXNlLnR5cGVraXQuY29tghFzdGF0aWMuaXNlYXR6LmNvbYIVc3RhdGljLnd3dy50dXJudG8uY29tghhpbnBhdGgtc3RhdGljLmlzZWF0ei5jb22CF3NlY3VyZS5hdmVsbGVhc3NldHMuY29tghBzdGF0aWMuZHVibGkuY29tghR3d3ctY2RuLmNpbmFtdXNlLmNvbYITd3d3LWNkbi5jaW5lYmxlLmNvbYIVd3d3LWNkbi5jaW5lbWFkZW4uY29tghR3d3ctY2RuLmZpbG1sdXNoLmNvbYIWd3d3LWNkbi5mbGl4YWRkaWN0LmNvbYIRd3d3LWNkbi5pdHNoZC5jb22CFHd3dy1jZG4ubW92aWVhc2UuY29tghV3d3ctY2RuLm1vdmllbHVzaC5jb22CEnd3dy1jZG4ucmVlbGhkLmNvbYIUd3d3LWNkbi5wdXNocGxheS5jb22CE2NkbjEuZmlzaHBvbmQuY28ubnqCFGNkbjEuZmlzaHBvbmQuY29tLmF1gg13d3cuaXNhY2Eub3JnghJjZG4ub3B0aW1pemVseS5jb22CFXN0YXRpYy5zaG9lZGF6emxlLmNvbYIYd3d3LnRyYXZlbHJlcHVibGljLmNvLnVrgg5jZG4ubnByb3ZlLmNvbYISc3NsYmVzdC5ib296dHguY29tghZ3d3cudHJhdmVscmVwdWJsaWMuY29tghV3d3cuYmxhY2tsYWJlbGFkcy5jb22CEGNkbi53aG9pcy5jb20uYXWCF25lMS53YWMuZWRnZWNhc3RjZG4ubmV0ghdnczEud2FjLmVkZ2VjYXN0Y2RuLm5ldIIYYzEuc29jaWFsY2FzdGNvbnRlbnQuY29tghV3d3cuc3RlZXBhbmRjaGVhcC5jb22CFnd3dy53aGlza2V5bWlsaXRpYS5jb22CEXd3dy5jaGFpbmxvdmUuY29tghB3d3cudHJhbWRvY2suY29tghB3d3cuYm9ua3Rvd24uY29tghB3d3cuYnJvY2lldHkuY29tghNlZGdlY2FzdC5vbmVncnAuY29tggtjZG4ucHN3Lm5ldIIOY2RuLmdhZ2dsZS5uZXSCFHd3dy1jZG4ucmVlbHZpZHouY29tgg5mYXN0LmZvbnRzLmNvbYISZWMueG5nbG9iYWxyZXMuY29tgg9pbWFnZXMudnJiby5jb22CEmJldGEuZmlsZWJsYXplLm5ldIIaY2RuLmJyYW5kc2V4Y2x1c2l2ZS5jb20uYXWCEXd3dy1jZG4uaXJlZWwuY29tghBjZGNzc2wuaWJzcnYubmV0ghFjZG4uYmV0Y2hvaWNlLmNvbYIQcGxheWVyLnZ6YWFyLmNvbYIUZnJhbWVncmFicy52emFhci5jb22CEHRodW1icy52emFhci5jb22CG3N0eWxpc3Rsb3VuZ2Uuc3RlbGxhZG90LmNvbYIRd3d3LnN0ZWxsYWRvdC5jb22CEWNvbnRlbnQuYXFjZG4uY29tghZjb250ZW50LmViZ2FtZXMuY29tLmF1ghVjb250ZW50LmViZ2FtZXMuY28ubnqCE2ltYWdlcy5wYWdlcmFnZS5jb22CFGltYWdlcy5hbGxzYWludHMuY29tghZjZG5iMS5rb2Rha2dhbGxlcnkuY29tghFjZG4ub3JiZW5naW5lLmNvbYITY2RuLnF1aWNrb2ZmaWNlLmNvbYITY29udGVudC5nbHNjcmlwLmNvbYIOY2RuLmJpZGZhbi5jb22CFG1lZGlhLnF1YW50dW1hZHMuY29tghVjZG4uYWxsZW5icm90aGVycy5jb22CEXBpY3MuaW50ZWxpdXMuY29tghVwaWNzLnBlb3BsZWxvb2t1cC5jb22CFXBpY3MubG9va3VwYW55b25lLmNvbYIQY2RuMS1zc2wuaWhhLmNvbYIOcy5jZG4tY2FyZS5jb22CE2NkbjItYi5leGFtaW5lci5jb22CDGNkbi50cnRrLm5ldIIQZWRnZWNkbi5pbmsyLmNvbYIeZWMuZHN0aW1hZ2UuZGlzcG9zb2x1dGlvbnMuY29tgg5jZG4uY2x5dGVsLmNvbYIXd2VsY29tZTIuY2Fyc2RpcmVjdC5jb22CEnMxLmNhcmQtaW1hZ2VzLmNvbYIPdXBkYXRlLmFsb3QuY29tghJ3d3cub3V0c3lzdGVtcy5jb22CEHd3dy5kcndtZWRpYS5jb22CE2xvb2t1cC5ibHVlY2F2YS5jb22CDmNkbi50YXhhY3QuY29tghRjZG4udGF4YWN0b25saW5lLmNvbYIOY2RuLjIwMDU4MS5jb22CDWltZy52eGNkbi5jb22CDGpzLnZ4Y2RuLmNvbYIMd3d3LmdvYWwuY29tghZjZG5zMS5rb2Rha2dhbGxlcnkuY29tghZlZGdlLmRyb3Bkb3duZGVhbHMuY29tghFlZGdlLnBhZ2VyYWdlLmNvbYIVZWRnZS5zYW5pdHlzd2l0Y2guY29tgg9lZGdlLnlvbnRvby5jb22CEWxheWVycy55b250b28uY29tghRjZG4ud2lkZ2V0c2VydmVyLmNvbYISd3d3LmNsb3Vkd29yZHMuY29tghBlZGdlLmFjdGFhZHMuY29tghVpbWFnZXMuc2tpbmNhcmVyeC5jb22CEnNzbC5jZG4tcmVkZmluLmNvbYIVc21hbGwub3V0c28tbWVkaWEuY29tghBjZG4uZm94eWNhcnQuY29tghVlZGdlLmplZXR5ZXRtZWRpYS5jb22CEWNkbi50aWNrZXRmbHkuY29tghdpbWFnZXMuY29zbWV0aWNtYWxsLmNvbYITd3d3LmJhY2tjb3VudHJ5LmNvbYIOc3NsLmJvb3p0eC5jb22CDXAudHlwZWtpdC5uZXSCD3VzZS50eXBla2l0Lm5ldIIUY2RuLnRoZXdhdGVyc2hlZC5jb22CH3N0YXRpYy5jZG4uZG9sbGFyc2RpcmVjdC5jb20uYXWCGGVkZ2UucmVkZm9yZG1lZGlhbGxjLmNvbYIXZWRnZS5wbHVyYWxtZWRpYWxsYy5jb22CGnd3dy5nb3VybWV0Z2lmdGJhc2tldHMuY29tghp3d3cubnVtYmVyaW52ZXN0aWdhdG9yLmNvbYIdYjJicG9ydGFsLmRpc25leWxhbmRwYXJpcy5jb22CImIyYnBvcnRhbC5kaXNuZXl0cmF2ZWxhZ2VudHMuY28udWuCC3d3dy5ud2Yub3JnghJhc3NldHMuemVuZGVzay5jb22CDGEuY2Rua2ljLmNvbYIMcy5jZG5raWMuY29tghl3d3cuc3VwZXJiaWtldG95c3RvcmUuY29tghZjZG4uc3R5bGV0aHJlYWQuY29tLmF1ghJjZG4uY2FydHJhd2xlci5jb22CI3B1YmxpY3N0YXRpY2Nkbi50YWJsZWF1c29mdHdhcmUuY29tghNzZWN1cmUuMzNhY3Jvc3MuY29tgg5jLnp0c3RhdGljLmNvbYIMYy5tc2NpbWcuY29tghhzdGF0aWMudGVhbXRyZWVob3VzZS5jb22CEHd3dy5lZGdlY2FzdC5jb22CGHdhYy5hOGI1LmVkZ2VjYXN0Y2RuLm5ldDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9jYTMtZzI3LmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1nMjcuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VDQS0zLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQBgDQfkvzhPs4cvyN0P+Ztwh7/u8peAVPxfP6bs0zT55v5QbHFapmuvCyP40oNrGYbNArrN0ZbchA2vpYWhyLpi6VIRNeH0nQM7nn8HxkrHcAGjjHYn7VNIHg+AR+Mrx1WhFE5kaaw6e7DZh/vbshx6DRW2pqSvdDu2v2l/V4oli1iz0lYkVl/yLXXCNWpQHQhI2tcQ0YI5suw/NlXJ7f6De0SFEtsf2K65XKF2mrqVX1amiNbiyqKD40i7qYI7XaAX5Rf+YXfcgcGH6svRchDeNlMXmfS53IFmi7/aToZRkp+pLA5fQ1QsJmPjf8cwVX4+tWFNhVLH/kUZKZ1gqL/R</wsse:BinarySecurityToken>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_81591DAC97D1A4EF26139995608705916" IssueInstant="2014-05-13T04:41:27.065Z" Version="2.0" xsi:type="saml2:AssertionType">
<saml2:Issuer>
www.example.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_81591DAC97D1A4EF26139995608705916">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Q8nxma/rf1XRfxq46oR7vaj/1yA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>CzkNUiZppovAIY/atOQzRQfirJ8yFcwbTnwSz8tKcJgx5nYMP23jRZ855lo20laazvoducWqWYDOqGtK4+yzsQmN8OvUkedSzT++KJHUf68LV2ubdmOZ9o6ktLGFsVoj8XGZYlrYHj4mQuuWcBMYgPItiE5kMOPuUWT/8CDS8HkjD0twc7m8/HkQ+PzHfcNSdRHBldH/tXPu3RcOchUjT/LrH6j5A1vdz4aWF7IizKIhtDtu4/dedR1S3DiSj3KG0p2tPxVVEzJX0D1KSyGASxgeP1Sxux0+omZI8U8V2r6cupNaFxg/7iPkA3OFPcbVvOzYL/GLPUcaysFpOdI/cg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIEdjCCA16gAwIBAgIILBjgSyHeH78wDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE2MTIxNDExWhcNMTQxMDE0MDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKMwph
144V2I3T0MfpUCYOgRASpo9gOTP/jVfkart6L2Y5OkJRWLPf2kjFHu9lneFMUkYU
SF/FM62prDo256Hw19/ec8GqfeeWgdn/I7F1GWeAWH96hah0hx0mKApoUN+S3jCD
8ZUEq3CG5WosyFaior0ms/M6lxVg+qFpZMr40jiM8wmBmNdUPaRpFa00EXKSvEN4
wkOcy3/chrZhvYvaPynbqESWslyIWjBbS1fo8HmE4tccf3hw3BzO75pmkjMJy/nG
G5NfB0sV8TvwKClF7UYj16gKMFOmGzYrKsMJJZdACbPcEHZJsvs49SGTLLTQECk6
MGWpB8mco2gxMHOXAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSG63QhKSoMLrf/MwcMKcIpgpLsezAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCHHplYC1ORmY7GI7NuJrV23e0Tc8NZ
zIHwBr/MKHeu07h8tXw6empmo8Jpl72xCAlMdiaJ6gnx3T8euJdj387P60uIvYba
nSJt8hxwlOKxHWbK5WoIjlSERfD0Q8rJ7Sv77wsKv7HKxJgsjn1Eg8VeO0ruhmgO
6PT8pdRYazvxl82Mzs3rqXZKCslIa1OBt/nKaBDJ8Rl+J+LZ0idFXCj/oRUhSoaw
W0+zmPBMCJJkSom61LumjGXgU/TMLBCWI2NZp7JhUOoOkeb/lOMcZJIYQ7+zCtJH
P3gUMNJhX3uyZH1FzyAg9rpenMGSYMUPB2MXmKQi5b2Zu4qHiLjsJ0MK</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">
Tester</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
</saml2:Subject>
<saml2:Conditions NotBefore="2014-05-13T04:41:27.117Z" NotOnOrAfter="2014-05-13T04:46:27.117Z"/>
<saml2:AuthnStatement AuthnInstant="2014-05-13T04:41:27.113Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
<wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" wsu:Id="STRSAMLId-81591DAC97D1A4EF26139995608718320">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
_81591DAC97D1A4EF26139995608705916</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-81591DAC97D1A4EF26139995608718622">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="SOAP-ENV"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-81591DAC97D1A4EF26139995608718421">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
JLjybHqBnly5B2u2yhvTCTnn3os=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#STRSAMLId-81591DAC97D1A4EF26139995608718320">
<ds:Transforms>
<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
g3PCuPeWIcXW9HFYYuLJp2lrVwM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
gGZU5Fwzd86oNABwaX0kzlWU0XVR4HUAp/F04WwxgVI7TThTK/e4OdvyvFJ2tt3kaItoWXhS+YgVnv+4MqmeqAZU+dYvJVuDD+mXjlhokKjHr8RKjLKaKIMIJOcApQrrKqbX0BrT1VySdnARLm3z+z4R0EWU+FNUSFg3nFKA2w63NARAZzeVs4dmFNJH8JtIvh4qHOytpEzJVnBG0bcnVD5BMeLZFZVFP3PCFwLEyb01QMe84GR60HocVPszHbQYnahYVtVABtOkFZjWj8+6C3pM+jaSa0QgB8Kvlwnkr/I8qU1q4HP2gvFkAMl9PZqfsO2zYn6OX6Gihcm4KJ/K3g==</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-81591DAC97D1A4EF26139995608718317">
<wsse:SecurityTokenReference wsu:Id="STRId-81591DAC97D1A4EF26139995608718318">
<wsse:Reference URI="#CertId-81591DAC97D1A4EF26139995608718319" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<WSHeader xmlns="http://www.example.com/WSHeader.xsd">
<UsernameToken>
<Username>
Tester</Username>
<Nonce>
ODE1OTFEQUM5N0QxQTRFRjI2MTM5OTk1NjA4NTUyOTE1</Nonce>
<Created>
2014-05-13T04:41:25.529Z</Created>
</UsernameToken>
</WSHeader>
<ns1:attachmentHash xmlns:ns1="http://www.example.com/schemas/attachmenthash" SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next" SOAP-ENV:mustUnderstand="0">
<ns1:hashValue>
7WxA7WJauYkMVd7KzK369YFQKS8=</ns1:hashValue>
</ns1:attachmentHash>
<ns1:standardAttachment xmlns:ns1="http://www.example.com/Attachment.xsd">
<Attachment>
<id>
1</id>
<compressFlag>
yes</compressFlag>
<compressMethod>
gzip</compressMethod>
</Attachment>
</ns1:standardAttachment>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-81591DAC97D1A4EF26139995608718421">
<submitTest xmlns="http://www.example.com/Test">
<AttachmentInfo xmlns="http://www.example.com/Attachment.xsd">
<attachmentData>
<Include xmlns="http://www.w3.org/2004/08/xop/include" href="cid:2b380066-5b7e-4d5c-949d-f11d41d1cd1b"/>
</attachmentData>
</AttachmentInfo>
</submitTest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
, , Java Metro WS-Security Apache WSS4J. , , . Java , WS-Security SAML. : " Metro STR-Transform SAML ( SecurityTokenReference STR-Transform)". , .