Ovais

Reputation: 276

Cannot find a token authenticator for the 'Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken' token

I am trying to use WS2007HttpRelayBinding with the end-to-end security mode set to TransportWithMessageCredential. I am using IssuedToken as the credential type. I get the token from an ADFS 2.0 instance. On calling the service I get the following in the on-premises WCF trace log:

Cannot find a token authenticator for the 'Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

Update: This is how I am configuring the service host:

    ServiceConfiguration serviceConfiguration = new ServiceConfiguration();

    // Service certificate (with private key) used to decrypt the issued token.
    serviceConfiguration.ServiceCertificate = GetServiceCertificateWithPrivateKey();
    serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
    serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry("localhost");
    serviceConfiguration.SaveBootstrapTokens = true;

    // Register the SAML 2.0 handler and the audience the token must be issued for.
    serviceConfiguration.SecurityTokenHandlers.AddOrReplace(new Saml2SecurityTokenHandler());
    serviceConfiguration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://mynamespace.servicebus.windows.net/Service1/"));

    FederatedServiceCredentials.ConfigureServiceHost(host, serviceConfiguration);
    host.Open();

Upvotes: 1

Views: 1861

Answers (3)

Sandrino Di Mattia

Reputation: 24895

Alexey's answer is perfect for web.config/app.config modifications. Besides that you can also configure the token handler in code (sample from the "How to: Authenticate with a Username and Password to a WCF Service Protected by ACS" article on learn.microsoft.com):

//
// This must be called after all WCF settings are set on the service host so the
// Windows Identity Foundation token handlers can pick up the relevant settings.
//
ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

// Accept ACS signing certificate as Issuer.
serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry( GetAcsSigningCertificate().SubjectName.Name );

// Add the SAML 2.0 token handler.
serviceConfiguration.SecurityTokenHandlers.AddOrReplace( new Saml2SecurityTokenHandler() );

Upvotes: 1

Ovais

Reputation: 276

The binding security element is set to look for SAML 1.1 tokens. I added the following code on the server after constructing the ‘CustomBinding’ element:

    // The issued-token parameters default to SAML 1.1; switch them to the SAML 2.0 token type.
    IssuedSecurityTokenParameters issuedTokenParameters =
        myBinding.Elements.Find<TransportSecurityBindingElement>().EndpointSupportingTokenParameters.Endorsing[0] as IssuedSecurityTokenParameters;
    issuedTokenParameters.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

Upvotes: 1

Aleksei Anufriev

Reputation: 3236

Can you verify if Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler is added in

  <securityTokenHandlers>
    <add type="Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler" />
  </securityTokenHandlers>

Edit: And also be sure to verify certificates configuration.

Edit: Maybe this will also help: MSDN WCF forums

Upvotes: 3
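The three pieces discussed on this page (the question's ServiceConfiguration, the token-type switch on the IssuedSecurityTokenParameters from Ovais's answer, and the check from Aleksei's answer that a Saml2SecurityTokenHandler is actually registered) fit together in one host-setup routine. The following is an added example, not code from the question or from any of the answers, and it goes a little beyond them: it also finds the issued-token parameters when the binding uses secure conversation (they then sit in the bootstrap binding element) or a bearer key (listed under Signed rather than Endorsing), and it verifies before opening the host that some registered handler declares the token type the binding asks for, which is the condition the "Cannot find a token authenticator" error reports. It assumes the WIF 3.5 assembly (Microsoft.IdentityModel) and Microsoft.ServiceBus 1.5 or later (for TransportClientEndpointBehavior.TokenProvider). The names IService1, Service1, RelayHostSetup, the ADFS issuer URI and the thumbprint/relay-credential parameters are hypothetical; ConfigurationBasedIssuerNameRegistry is WIF's built-in registry and is used here instead of the X509IssuerNameRegistry helper class from the ACS sample quoted above.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;
using Microsoft.ServiceBus;

[ServiceContract]
public interface IService1 { [OperationContract] string Echo(string text); }

public class Service1 : IService1 { public string Echo(string text) { return text; } }

public static class RelayHostSetup
{
    // SAML 2.0 token type from the WSS SAML Token Profile 1.1 (the URI used in the answer above).
    public const string Saml2TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Finds the issued-token parameters of a security binding element. Bearer-key tokens are
    // listed under Signed rather than Endorsing, and with secure conversation enabled the
    // parameters sit in the bootstrap binding element, so all three places are covered.
    public static IssuedSecurityTokenParameters FindIssuedTokenParameters(SecurityBindingElement security)
    {
        var supporting = security.EndpointSupportingTokenParameters;
        var candidates = supporting.Endorsing.Concat(supporting.Signed).ToList();
        var issued = candidates.OfType<IssuedSecurityTokenParameters>().FirstOrDefault();
        if (issued != null) return issued;
        var sc = candidates.OfType<SecureConversationSecurityTokenParameters>().FirstOrDefault();
        return sc == null ? null : FindIssuedTokenParameters(sc.BootstrapSecurityBindingElement);
    }

    // Builds the binding from the question and switches the expected token type from the
    // default SAML 1.1 to SAML 2.0, which is what ADFS 2.0 issues.
    public static CustomBinding BuildSaml2RelayBinding()
    {
        var relayBinding = new WS2007HttpRelayBinding(
            EndToEndSecurityMode.TransportWithMessageCredential,
            RelayClientAuthenticationType.RelayAccessToken);
        relayBinding.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;

        var binding = new CustomBinding(relayBinding);
        var issued = FindIssuedTokenParameters(binding.Elements.Find<TransportSecurityBindingElement>());
        if (issued == null) throw new InvalidOperationException("Binding carries no issued-token parameters.");
        issued.TokenType = Saml2TokenType;
        return binding;
    }

    // True when a registered handler declares the token type the binding expects; false is
    // exactly the "Cannot find a token authenticator" situation from the question.
    public static bool HandlerAccepts(ServiceConfiguration configuration, string tokenType)
    {
        return configuration.SecurityTokenHandlers
            .SelectMany(h => h.GetTokenTypeIdentifiers() ?? new string[0])
            .Contains(tokenType, StringComparer.Ordinal);
    }

    public static ServiceConfiguration BuildServiceConfiguration(
        X509Certificate2 serviceCertificate, string adfsSigningThumbprint, Uri audience)
    {
        var configuration = new ServiceConfiguration();
        configuration.ServiceCertificate = serviceCertificate;   // decrypts the proof key ADFS encrypts for the service
        configuration.CertificateValidationMode = X509CertificateValidationMode.ChainTrust; // None (as in the question) skips the check
        configuration.SaveBootstrapTokens = true;

        // Trust only the ADFS token-signing certificate, pinned by thumbprint (placeholder issuer name).
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(adfsSigningThumbprint, "http://adfs.example.com/adfs/services/trust");
        configuration.IssuerNameRegistry = issuers;

        configuration.SecurityTokenHandlers.AddOrReplace(new Saml2SecurityTokenHandler());
        // Must equal the relying-party identifier configured in ADFS, or audience validation fails.
        configuration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(audience);
        return configuration;
    }

    public static ServiceHost OpenHost(string serviceNamespace, string relayIssuerName, string relayIssuerKey,
                                       X509Certificate2 serviceCertificate, string adfsSigningThumbprint)
    {
        var address = ServiceBusEnvironment.CreateServiceUri("https", serviceNamespace, "Service1/");
        var host = new ServiceHost(typeof(Service1), address);
        var endpoint = host.AddServiceEndpoint(typeof(IService1), BuildSaml2RelayBinding(), address);
        // Credential for the relay itself (Service Bus), separate from the client's ADFS token.
        endpoint.Behaviors.Add(new TransportClientEndpointBehavior
            { TokenProvider = TokenProvider.CreateSharedSecretTokenProvider(relayIssuerName, relayIssuerKey) });

        var configuration = BuildServiceConfiguration(serviceCertificate, adfsSigningThumbprint, address);
        if (!HandlerAccepts(configuration, Saml2TokenType))
            throw new InvalidOperationException("No token handler accepts " + Saml2TokenType);
        FederatedServiceCredentials.ConfigureServiceHost(host, configuration); // after all endpoints are added
        host.Open();
        return host;
    }
}
```

The two settings have to agree: the binding's IssuedSecurityTokenParameters.TokenType tells WCF which token to expect on the wire, and the SecurityTokenHandlers collection tells WIF which token types it can authenticate. If either side is still at the SAML 1.1 default while ADFS issues SAML 2.0, the service logs the error from the question. The audience URI must likewise match the relying-party identifier configured in ADFS, and pinning the issuer by thumbprint means a token signed by any other certificate is rejected at the IssuerNameRegistry step rather than accepted.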
