Nicros

Reputation: 5183

SAML Token format?

I have some working code that I have been using on a test O365 site; it works perfectly. I can authenticate and pull data using the SharePoint client object model.

On another site, which was migrated from BPOS, claims-based auth fails. Specifically, in the SAML token for the working site the structure is like this:

<wst:RequestedSecurityToken>
    <wsse:BinarySecurityToken Id="Compact0">bunch of token stuff here</wsse:BinarySecurityToken>
</wst:RequestedSecurityToken>

On the site that does NOT work, this section looks like this:

<wst:RequestedSecurityToken>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509SKI>stuff in here</ds:X509SKI>
            </ds:X509Data>
            <ds:KeyName>microsoftonline.com</ds:KeyName>
          </ds:KeyInfo>
          <CipherData>
            <CipherValue>lots of stuff in here</CipherValue>
          </CipherData>
        </EncryptedKey>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>Loads more stuff in here</CipherValue>
      </CipherData>
    </EncryptedData>
</wst:RequestedSecurityToken>

This is really different! The surrounding areas look pretty much the same as far as I can tell.

What is this telling me? That authentication has failed? The claims auth code I am using is dependent on the 'BinarySecurityToken', so this is why it fails: it's not there.

Is there some SharePoint setting I need to tweak? Contact MS support? Anyone?

Upvotes: 2

Views: 929

Answers (1)

codebrane

Reputation: 4620

It's an encrypted response using a KEK (Key Encryption Key). You'll need the public key of the sender to decrypt the EncryptedKey. That lets you use that key to decrypt the CipherData, which is what you're after, I would think.

Upvotes: 1
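As an added diagnostic (not code from either poster), the check below tells the two RequestedSecurityToken shapes quoted in the question apart and, for the encrypted one, reports the content cipher, the key-wrapping algorithm and the KeyName that identifies whose private key is needed to unwrap it. The namespace prefix bindings and the sample token contents are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Prefix bindings here are an assumption of this constructed sample.
NS = {
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WRAP = ('<wst:RequestSecurityTokenResponse xmlns:wst="%s" xmlns:wsse="%s">'
        '<wst:RequestedSecurityToken>%%s</wst:RequestedSecurityToken>'
        '</wst:RequestSecurityTokenResponse>') % (NS["wst"], NS["wsse"])

# Constructed samples mirroring the two shapes quoted in the question.
BINARY_SAMPLE = WRAP % '<wsse:BinarySecurityToken Id="Compact0">tok</wsse:BinarySecurityToken>'
ENCRYPTED_SAMPLE = WRAP % """<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
    Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <ds:KeyInfo><ds:X509Data><ds:X509SKI>c2tp</ds:X509SKI></ds:X509Data>
      <ds:KeyName>microsoftonline.com</ds:KeyName></ds:KeyInfo>
    <CipherData><CipherValue>d3JhcHBlZA==</CipherValue></CipherData>
  </EncryptedKey></ds:KeyInfo>
  <CipherData><CipherValue>Y2lwaGVy</CipherValue></CipherData>
</EncryptedData>"""

def classify_token(xml_text):
    """Report which token shape the response carries and what consuming it needs."""
    root = ET.fromstring(xml_text)
    rst = root.find(".//wst:RequestedSecurityToken", NS)
    if rst is None:
        return {"kind": "missing"}
    bst = rst.find("wsse:BinarySecurityToken", NS)
    if bst is not None:
        return {"kind": "binary", "id": bst.get("Id")}  # usable as-is by BST-based code
    enc = rst.find("xenc:EncryptedData", NS)
    if enc is None:
        return {"kind": "unknown"}
    # Encrypted assertion: a content key wrapped with RSA-OAEP for the certificate
    # named in KeyInfo; only the matching private key can unwrap it.
    key = enc.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    data_alg = enc.find("xenc:EncryptionMethod", NS).get("Algorithm")
    return {
        "kind": "encrypted",
        "data_algorithm": data_alg,
        "key_algorithm": key.find("xenc:EncryptionMethod", NS).get("Algorithm"),
        "key_name": key.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS),
        "legacy_cipher": data_alg.endswith("tripledes-cbc"),  # 3DES: flag for review
    }
```

Client code that only handles the binary shape can use this to fail with a clear message ("encrypted assertion, needs the private key for microsoftonline.com") instead of a missing-element error.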
