active client - get token from resource partner adfs using idp token

Question

I am trying to write console application with the following scenario: client first requests a token from an identity provider, and then uses this token to request a new token from a Resource STS Using the following link: http://leastprivilege.com/2010/10/28/wif-adfs-2-and-wcfpart-6-chaining-multiple-token-services/

I managed get the token from Idp but didn't managed getting the token from Resource STS.

This is my code:

    string RPRealm = "https://service.contoso.com/";
    string RSTSRealm = "http://fsweb.contoso.com/adfs/services/trust";
    string IdPstsEndpoint = "https://IdpAdfs.domain.com/adfs/services/trust/13/kerberosmixed";
    string RSTSEndpoint = "https://fsweb.contoso.com/adfs/services/trust/13/IssuedTokenMixedSymmetricBasic256";

    private static SecurityToken GetIdPToken(string rstsRealm, string IdPstsEndpoint)
    {
        using (var factory = new WSTrustChannelFactory(
                new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                new EndpointAddress(new Uri(IdPstsEndpoint))))
        {
            WSTrustChannel channel = null;
            factory.TrustVersion = TrustVersion.WSTrust13;
            try
            {
                var rst = new RequestSecurityToken
                {
                    RequestType = WSTrust13Constants.RequestTypes.Issue,
                    AppliesTo = new EndpointAddress(rstsRealm),
                    KeyType = WSTrust13Constants.KeyTypes.Bearer,
                };

                channel = (WSTrustChannel)factory.CreateChannel();
                RequestSecurityTokenResponse rstr;
                SecurityToken token = channel.Issue(rst, out rstr);
                return token;
            }
            finally
            {
                if (channel != null)
                {
                    channel.Abort();
                }

                factory.Abort();
            }
        }
    }


private static SecurityToken GetRSTSToken(SecurityToken IdPToken, string RSTSEndpoint, string RPRealm)
{
   var binding = new WS2007FederationHttpBinding();
   binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
   binding.Security.Message.EstablishSecurityContext = false;
   binding.Security.Mode = WSFederationHttpSecurityMode.TransportWithMessageCredential;

    using (var factory = new WSTrustChannelFactory(
           binding,
            new EndpointAddress(new Uri(RSTSEndpoint))))
    {
        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo = new EndpointAddress(RPRealm),
            KeyType = WSTrust13Constants.KeyTypes.Bearer,
        };
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.SupportInteractive = false;
        factory.ConfigureChannelFactory();


        var channel = factory.CreateChannelWithIssuedToken(IdPToken);
        RequestSecurityTokenResponse rstr;
        SecurityToken token = channel.Issue(rst, out rstr);
        return token;
    }
}

I get this error: The content type text/html of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8) what is worng with my code? Thanks in advance

Answer 1

ADFS does not support bearer tokens on its federation endoints. In other words, on your first hop you need to specify a KeyTypes.Symmetric on the RST.