Channel: Claims based access platform (CBA), code-named Geneva forum

Generate SignatureValue for CRM 2011 Organization.svc request with ADFS


I am trying to understand how to calculate the SignatureValue of the 'correct' XML below (this is not my XML, it's from a previous post, but I have the same exact issue). Any guidance would be appreciated. For the record, this is for CRM 2011 using ADFS. As I do not have access to the nice .NET classes from the environment I will be working in (mobile), I am trying to figure out the logic to generate the value, with little success getting a matching hash.

I can successfully calculate the matching DigestValue in the XML (straight SHA1 hash of the canonical _0 reference). I /think/ the missing link for me is how to apply the HMAC-SHA1 hash to the SignedInfo node, and what key should be used. Since the keyInfo contains the SAML token id, I'm not sure what that means as far as what key to use with the hash. I'm sure I am missing something ...

Thanks in advance for any pointers!

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/xrm/2011/Contracts/Discovery/IDiscoveryService/Execute</a:Action>
    <a:MessageID>urn:uuid:7b96791d-9c6e-4980-8444-1f51bdc00023</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://organization.domain.it/XRMServices/2011/Discovery.svc</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2011-09-09T14:30:50.724Z</u:Created>
        <u:Expires>2011-09-09T14:35:50.724Z</u:Expires>
      </u:Timestamp>
      <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            </e:EncryptionMethod>
            <KeyInfo>
              <o:SecurityTokenReference>
                <X509Data>
                  <X509IssuerSerial>
                    <X509IssuerName>CN=Org Enterprise Root CA, DC=organization, DC=local</X509IssuerName>
                    <X509SerialNumber>25XXXXXXXXXXXXXX40863677</X509SerialNumber>
                  </X509IssuerSerial>
                </X509Data>
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue>CVjfOFx/.......hS6GpZRB1U9hz7HPQ6c6TYjs=</e:CipherValue>
            </e:CipherData>
          </e:EncryptedKey>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>LGefKxg.........6wC9l79o=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <Reference URI="#_0">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>Y2zNKG9CsoAMKZgHiP1s7L9TZV4=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>1gSJwVWNfqU34VzSk3Z0+Ams1Gw=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_d639d615-b45e-4c56-814e-86dc43914c2b</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body>
    <Execute xmlns="http://schemas.microsoft.com/xrm/2011/Contracts/Discovery">
      <request i:type="RetrieveOrganizationsRequest" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <AccessType>Default</AccessType>
        <Release>Current</Release>
      </request>
    </Execute>
  </s:Body>
</s:Envelope>

(here is another thread on the same issue from the CRM forums...)

http://social.microsoft.com/Forums/en-US/crmdevelopment/thread/c485d98b-6e0b-49e7-ab34-8ecf8d694d31
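The signing pipeline the question is about, as an added Python example that is not from the post or the linked thread: exclusive C14N of the referenced Timestamp gives DigestValue, exclusive C14N of SignedInfo is the HMAC-SHA1 input, and the HMAC key is the symmetric proof key issued together with the SAML token (the RequestedProofToken from the WS-Trust response, or the PSHA1 combination of client and server entropy when the response uses ComputedKey), which is what the KeyIdentifier in KeyInfo points the receiver at. KEY below is a constructed placeholder for that proof key, the compact fragments are constructed from the envelope's values, and standing in Python's ET.canonicalize (C14N 2.0) for Exclusive C14N is an assumption noted in the code; the verify function shows the receiver-side check that rejects a modified Timestamp or a wrong key.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Constructed fragments with the values from the envelope above, written compactly
# as WCF puts them on the wire: the post's pretty-printing is not what gets signed.
TIMESTAMP = ('<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/'
             'oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">'
             '<u:Created>2011-09-09T14:30:50.724Z</u:Created>'
             '<u:Expires>2011-09-09T14:35:50.724Z</u:Expires></u:Timestamp>')
KEY = bytes(32)  # placeholder for the SAML token's symmetric proof key (constructed)

def build_signed_info(digest_value: str) -> str:
    """SignedInfo with the single Reference URI="#_0" (the Timestamp)."""
    return (f'<SignedInfo xmlns="{DSIG}"><CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
            f'<SignatureMethod Algorithm="{DSIG}hmac-sha1"/><Reference URI="#_0">'
            f'<Transforms><Transform Algorithm="{EXC_C14N}"/></Transforms>'
            f'<DigestMethod Algorithm="{DSIG}sha1"/>'
            f'<DigestValue>{digest_value}</DigestValue></Reference></SignedInfo>')

def canonicalize(fragment: str) -> bytes:
    # ASSUMPTION: ET.canonicalize implements C14N 2.0, which for a fragment with
    # one namespace and no QName content gives the same bytes as Exclusive C14N
    # (empty elements expanded, only visibly used namespaces declared).
    return ET.canonicalize(fragment).encode("utf-8")

def reference_digest(canonical_element: bytes) -> str:
    """DigestValue = base64(SHA-1(exc-c14n(referenced element)))."""
    return base64.b64encode(hashlib.sha1(canonical_element).digest()).decode()

def hmac_sha1(proof_key: bytes, canonical_signed_info: bytes) -> bytes:
    """SignatureValue input: HMAC-SHA1 over the canonical SignedInfo, keyed with
    the proof key of the SAML token that KeyInfo/KeyIdentifier names."""
    return hmac.new(proof_key, canonical_signed_info, hashlib.sha1).digest()

def signature_value(proof_key: bytes, signed_info: str) -> str:
    return base64.b64encode(hmac_sha1(proof_key, canonicalize(signed_info))).decode()

def verify(proof_key: bytes, signed_info: str, sig_b64: str, referenced: bytes) -> bool:
    """Receiver side: recompute the reference digest and the MAC and compare both
    in constant time, so a modified Timestamp or a wrong key is rejected."""
    claimed = ET.fromstring(signed_info).findtext(
        "ds:Reference/ds:DigestValue", default="", namespaces={"ds": DSIG})
    digest_ok = hmac.compare_digest(reference_digest(referenced), claimed)
    mac_ok = hmac.compare_digest(hmac_sha1(proof_key, canonicalize(signed_info)),
                                 base64.b64decode(sig_b64))
    return digest_ok and mac_ok
```

A round trip is `ts = canonicalize(TIMESTAMP); si = build_signed_info(reference_digest(ts)); verify(KEY, si, signature_value(KEY, si), ts)`; with the real proof key and the wire bytes of the envelope's SignedInfo the same functions reproduce the posted SignatureValue, which is also why a pretty-printed copy of the XML never matches.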

