The case of the missing ‘Dialect’ (part 3)

This is the third in a series of posts [first, second] where I describe some issues regarding the definition and usage of claim requirements on the WCF platform.

In the last post, I introduced the BizTalk Identity Services as an example of a publicly available STS. In this post I will describe some aspects of the metadata (WSDL-based description) exposed by this STS.

Recall that this metadata can be retrieved at: http://identity.biztalk.net/sts/<username>/sts.wsdl

where <username> is the registered user name.

Beginning at the end (<wsdl:service> element), the service exposes 5 endpoints (<wsdl:port> elements) with the following names:

  • ‘UserNameForCertificate’
  • ‘SelfSignedSamlForCertificate’
  • ‘TgtSamlForCertificate’
  • ‘AnySamlForCertificate’
  • ‘MutualCertificateForCertificate’

    <wsdl:service name="SecurityTokenService">
        <wsdl:port name="UserNameForCertificate" binding="tns:UserNameForCertificate">
          <soap12:address location="http://identity.biztalk.net/sts/<username>/username_for_certificate"/>
          <wsa10:EndpointReference>
            <wsa10:Address>http://identity.biztalk.net/sts/<username>/username_for_certificate</wsa10:Address>
            <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>MIIF8zCCBNugAwIBAgIKZM4k/AAEAAC3fDANBgkqhkiG9w0BAQUFADCBizETMBEGCgmSJomT8ixkARkWA2NvbTEZMBcGCgmSJomT8ixkARkWCW1pY3Jvc29mdDEUMBIGCgmSJomT8ixkARkWBGNvcnAxFzAVBgoJkiaJk/IsZAEZFgdyZWRtb25kMSowKAYDVQQDEyFNaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBBdXRob3JpdHkwHhcNMDgwMzE5MjE0OTIyWhcNMDkwMzE5MjE0OTIyWjB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDESMBAGA1UEChMJTWljcm9zb2Z0MQwwCgYDVQQLEwNDU0QxHTAbBgNVBAMTFGlkZW50aXR5LmJpenRhbGsubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2sBd85R4pvlVHWceT1U70TWindhX0z8Xu+39M3Jh2VKFJYqZogHTctawef5puCa+bYK5+Z5WfkEa3pIYs4iIMRy9Ux7VBDZZKcQZx0ktgTVrFy2Kk8KAKY9eh2+PTuT+Rsey75AP/Seu7J6zJ4yq4OEX/rzwGNSoZ60qrfrtzQwIDAQABo4IC8DCCAuwwCwYDVR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFN+wrVr5Nh4gRNBohkMlm0x57ayPMB8GA1UdIwQYMBaAFJmPpfcegW/6ecLwFj+yVLEIaEdVMIIBCgYDVR0fBIIBATCB/jCB+6CB+KCB9YZYaHR0cDovL21zY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDQpLmNybIZWaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg0KS5jcmyGQWh0dHA6Ly9jb3JwcGtpL2NybC9NaWNyb3NvZnQlMjBTZWN1cmUlMjBTZXJ2ZXIlMjBBdXRob3JpdHkoNCkuY3JsMIG/BggrBgEFBQcBAQSBsjCBrzBeBggrBgEFBQcwAoZSaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvTWljcm9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDQpLmNydDBNBggrBgEFBQcwAoZBaHR0cDovL2NvcnBwa2kvYWlhL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg0KS5jcnQwPwYJKwYBBAGCNxUHBDIwMAYoKwYBBAGCNxUIg8+JTa3yAoWhnwyC+sp9geH7dIFPg8LthQiOqdKFYwIBZAIBBTAnBgkrBgEEAYI3FQoEGjAYMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQC6SRCnd8ZFdVOzCyD+aDvfttL8Lig+HvdKzqzoj6wGbRhnTWfvGM11FCqtdVybWYLta5aplN9aBYntp8nVyNZJqfrBkM0EISBmTj1u0ukdhslubK5V/T7gahn6+SZTbKBpwAkrJKppVUIw7tKhPq1oicJqt3nhNxgxmdjKuS19JPdKJph06qya/LqBfwxJZYhqanKuA+D/eBIgcm2HYCWefJgtUJhkNZuo0YoIiFvZt6z385RrpJPR+rsw2mgqz/P78BEgNsdnGdKa861dB0CWhMFCTGR/r4rcZSojrbaZNnvNLm/VBtwG72ngn/Clv8lpXsmprX13Ut31qqDMmZCM</X509Certificate>
                </X509Data>
              </KeyInfo>
            </Identity>
          </wsa10:EndpointReference>
        </wsdl:port>
        <wsdl:port name="SelfSignedSamlForCertificate" binding="tns:SelfSignedSamlForCertificate">
          <soap12:address location="http://identity.biztalk.net/sts/<username>/issued_for_certificate"/>
          <wsa10:EndpointReference>
            <wsa10:Address>http://identity.biztalk.net/sts/<username>/issued_for_certificate</wsa10:Address>
            <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>[certificate elided]</X509Certificate>
                </X509Data>
              </KeyInfo>
            </Identity>
          </wsa10:EndpointReference>
        </wsdl:port>
        <wsdl:port name="TgtSamlForCertificate" binding="tns:TgtSamlForCertificate">
          <soap12:address location="http://identity.biztalk.net/sts/<username>/tgt_for_certificate"/>
          <wsa10:EndpointReference>
            <wsa10:Address>http://identity.biztalk.net/sts/<username>/tgt_for_certificate</wsa10:Address>
            <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>[certificate elided]</X509Certificate>
                </X509Data>
              </KeyInfo>
            </Identity>
          </wsa10:EndpointReference>
        </wsdl:port>
        <wsdl:port name="AnySamlForCertificate" binding="tns:AnySamlForCertificate">
          <soap12:address location="http://identity.biztalk.net/sts/<username>/saml_for_certificate"/>
          <wsa10:EndpointReference>
            <wsa10:Address>http://identity.biztalk.net/sts/<username>/saml_for_certificate</wsa10:Address>
            <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>[certificate elided]</X509Certificate>
                </X509Data>
              </KeyInfo>
            </Identity>
          </wsa10:EndpointReference>
        </wsdl:port>
        <wsdl:port name="MutualCertificateForCertificate" binding="i1:MutualCertificateForCertificate">
          <soap12:address location="http://identity.biztalk.net/sts/<username>/certificate"/>
          <wsa10:EndpointReference>
            <wsa10:Address>http://identity.biztalk.net/sts/<username>/certificate</wsa10:Address>
            <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>[certificate elided]</X509Certificate>
                </X509Data>
              </KeyInfo>
            </Identity>
          </wsa10:EndpointReference>
        </wsdl:port>
      </wsdl:service>

All of these endpoints expose the same Security Token Service contract, defined by the WS-Trust (Feb. 2005 version) spec.

    <wsdl:portType name="SecurityTokenService">
        <wsdl:operation name="RequestSecurityToken">
          <wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" name="RequestSecurityTokenMsg" message="tns:RequestSecurityTokenMsg"/>
          <wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue" name="RequestSecurityTokenResponseMsg" message="tns:RequestSecurityTokenResponseMsg"/>
        </wsdl:operation>
    </wsdl:portType>

The principal difference between these endpoints is their policy, referenced by the <wsdl:binding> element associated with each endpoint. Namely, each policy requires a different token type and different claim types in the token request message. This difference is visible in the <sp:SignedSupportingTokens> element.

For instance, the policy of the ‘UserNameForCertificate’ endpoint requires a UsernameToken.

    <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
       <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
             <wsp:Policy>
               <sp:WssUsernameToken10/>
             </wsp:Policy>
          </sp:UsernameToken>
       </wsp:Policy>
    </sp:SignedSupportingTokens>

The ‘SelfSignedSamlForCertificate’ endpoint’s policy requires a SAML v1.1 token carrying the Private Personal Identifier claim.

    <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
       <sp:RequestSecurityTokenTemplate>
          <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
          <t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
          <t:Claims xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
             <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
          </t:Claims>
       </sp:RequestSecurityTokenTemplate>
    </sp:IssuedToken>


The ‘…ForCertificate’ suffix, present in all endpoint names, means that the messages are protected using an X.509 certificate-based scheme. This requirement is expressed by the <sp:ProtectionToken> assertion, present in all policies.

    <sp:ProtectionToken>
       <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
             <wsp:Policy>
                <sp:RequireDerivedKeys/>
                <sp:RequireThumbprintReference/>
                <sp:WssX509V3Token10/>
             </wsp:Policy>
          </sp:X509Token>
       </wsp:Policy>
    </sp:ProtectionToken>

So, the existence of multiple endpoints for the same contract, each with a different policy, allows for different token and claim types to be used with the same STS.
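As an added illustration of the points above (my own example, not code from the post or from the BizTalk Identity Services), the following Python script walks metadata shaped like this sts.wsdl: for every <wsdl:port> it follows the binding's policy reference, reads which supporting token and claims the <sp:SignedSupportingTokens> assertion demands, checks that an X.509 <sp:ProtectionToken> is present, and computes the SHA-1 thumbprint of the certificate advertised in the endpoint's <Identity> element so it can be compared with the thumbprint you trust. The sample document is constructed (two of the five endpoints, an example host, and a placeholder in place of the certificate); the wsp, wsu and wsa10 namespace URIs are the ones WCF emits and are assumed here, since the post does not show the declarations.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Prefix -> namespace for the metadata quoted in the post. The wsp, wsu and wsa10
# URIs are the ones WCF emits and are assumed here (the post omits the declarations).
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsa10": "http://www.w3.org/2005/08/addressing",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsid": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the STS identity certificate (not DER, not the real cert).
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
IDENTITY = ('<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">'
            f'<KeyInfo xmlns="{NS["ds"]}"><X509Data><X509Certificate>{FAKE_CERT_B64}'
            '</X509Certificate></X509Data></KeyInfo></Identity>')

# Constructed sample modelled on sts.wsdl: two of the five endpoints, each binding
# pointing at its policy through wsp:PolicyReference, the way WCF emits it.
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="{NS['wsdl']}" xmlns:wsp="{NS['wsp']}"
  xmlns:wsu="{NS['wsu']}" xmlns:sp="{NS['sp']}" xmlns:t="{NS['t']}" xmlns:wsid="{NS['wsid']}"
  xmlns:wsa10="{NS['wsa10']}" xmlns:tns="urn:example:sts" targetNamespace="urn:example:sts">
  <wsp:Policy wsu:Id="UserNameForCertificate_policy">
    <sp:ProtectionToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:ProtectionToken>
    <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken><wsp:Policy>
      <sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SignedSupportingTokens>
  </wsp:Policy>
  <wsp:Policy wsu:Id="SelfSignedSamlForCertificate_policy">
    <sp:ProtectionToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:ProtectionToken>
    <sp:SignedSupportingTokens><wsp:Policy><sp:IssuedToken><sp:RequestSecurityTokenTemplate>
      <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
      <t:Claims><wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"/></t:Claims>
    </sp:RequestSecurityTokenTemplate></sp:IssuedToken></wsp:Policy></sp:SignedSupportingTokens>
  </wsp:Policy>
  <wsdl:binding name="UserNameForCertificate" type="tns:SecurityTokenService">
    <wsp:PolicyReference URI="#UserNameForCertificate_policy"/></wsdl:binding>
  <wsdl:binding name="SelfSignedSamlForCertificate" type="tns:SecurityTokenService">
    <wsp:PolicyReference URI="#SelfSignedSamlForCertificate_policy"/></wsdl:binding>
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="UserNameForCertificate" binding="tns:UserNameForCertificate">
      <wsa10:EndpointReference><wsa10:Address>http://sts.example.test/username_for_certificate</wsa10:Address>
      {IDENTITY}</wsa10:EndpointReference></wsdl:port>
    <wsdl:port name="SelfSignedSamlForCertificate" binding="tns:SelfSignedSamlForCertificate">
      <wsa10:EndpointReference><wsa10:Address>http://sts.example.test/issued_for_certificate</wsa10:Address>
      {IDENTITY}</wsa10:EndpointReference></wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def thumbprint_of(der):
    """SHA-1 thumbprint, upper-case hex, the form the Windows certificate UI shows."""
    return hashlib.sha1(der).hexdigest().upper()


def policy_for_binding(root, binding_qname):
    """Follow <wsdl:binding> -> <wsp:PolicyReference URI="#id"/> -> <wsp:Policy wsu:Id="id">."""
    local = binding_qname.split(":", 1)[-1]  # drop the tns:/i1: prefix
    binding = root.find(f"wsdl:binding[@name='{local}']", NS)
    ref = binding.find("wsp:PolicyReference", NS).get("URI").lstrip("#")
    for policy in root.findall("wsp:Policy", NS):
        if policy.get(f"{{{NS['wsu']}}}Id") == ref:
            return policy
    raise ValueError(f"binding {local}: no policy with wsu:Id={ref!r}")


def required_token(policy):
    """The STS requirement: what <sp:SignedSupportingTokens> demands in the RST."""
    sst = policy.find(".//sp:SignedSupportingTokens", NS)
    if sst is not None and sst.find(".//sp:UsernameToken", NS) is not None:
        return {"token": "UsernameToken", "claims": []}
    issued = sst.find(".//sp:IssuedToken", NS) if sst is not None else None
    if issued is None:
        return {"token": None, "claims": []}
    tmpl = issued.find("sp:RequestSecurityTokenTemplate", NS)
    return {"token": "IssuedToken",
            "token_type": tmpl.findtext("t:TokenType", namespaces=NS),
            "key_type": tmpl.findtext("t:KeyType", namespaces=NS),
            "claims": [c.get("Uri") for c in tmpl.findall("t:Claims/wsid:ClaimType", NS)]}


def describe_endpoints(wsdl_text):
    """Per <wsdl:port>: address, identity thumbprint, X.509 protection, required token."""
    root = ET.fromstring(wsdl_text)
    summary = {}
    for port in root.findall("wsdl:service/wsdl:port", NS):
        policy = policy_for_binding(root, port.get("binding"))
        info = required_token(policy)
        info["address"] = port.findtext("wsa10:EndpointReference/wsa10:Address", namespaces=NS)
        cert_b64 = port.findtext(".//ds:X509Certificate", namespaces=NS)
        info["identity_sha1"] = thumbprint_of(base64.b64decode(cert_b64))
        prot = policy.find(".//sp:ProtectionToken", NS)
        info["x509_protection"] = prot is not None and prot.find(".//sp:X509Token", NS) is not None
        summary[port.get("name")] = info
    return summary


def endpoints_not_pinned_to(summary, trusted_sha1):
    """Endpoints whose advertised identity is not the thumbprint obtained out-of-band."""
    return sorted(n for n, i in summary.items() if i["identity_sha1"] != trusted_sha1.upper())
```

Running describe_endpoints on the real sts.wsdl gives, per endpoint, exactly what the post calls the STS requirements (token type, key type, claim URIs) and nothing about what the STS will issue; the identity thumbprint is the one value worth pinning on the client side, since the metadata itself is fetched over plain HTTP and the <Identity> element is what WCF later uses to authenticate the STS.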

Notice that this metadata describes the STS requirements (required token and claim types) but not its capabilities (issued token and claim types). This kind of capability is not addressed by the WS-SecurityPolicy language. Instead, it belongs to the federation metadata model defined in the (still not widely used) WS-Federation spec. However, to the best of my knowledge, the BizTalk Identity Services don’t expose this type of metadata, so these capabilities must be acquired out-of-band.


In the next post, I will show how to create a WCF service that relies on this STS for the authorization decisions. I will also show how to build a client that uses this service.


One thought on “The case of the missing ‘Dialect’ (part 3)”

  1. Pingback: The case of the missing ‘Dialect’ (Part 4) « Pedro Félix’s shared memory
