I'm trying to use Pidgin with SIPE to connect to our new Office 365 setup. As usual, this is a federated identity. I'm on Windows, and a co-worker on Linux has the same issue. The error we're getting appears to come from an incorrect WS-Trust request, as the fault claims we've got the wrong addressee. The Windows build doesn't dump request/response pairs, but the Linux build does.
Judging by this error message, the WS-Trust request appears to have the wrong addressee in the STR (the fault string itself reports that the SIP URI in the claim-type requirement does not match the SIP URI tied to the presented credentials).
Request:
~~~~~
<soap:envelope xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:auth="http://schemas.xmlsoap.org/ws/2006/12/authorization" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:header>
<wsa:to>https://webpoolbn11a03.infra.lync.com/WebTicket/WebTicketService.svc/WsFed_bearer</wsa:to>
<wsa:replyto>
<wsa:address>http://www.w3.org/2005/08/addressing/anonymous</wsa:address>
</wsa:replyto>
<wsa:action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:action>
<wsse:security>
<wsu:timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:id="timestamp">
<wsu:created>2014-09-02T18:09:22Z</wsu:created>
<wsu:expires>2014-09-03T02:09:22Z</wsu:expires>
</wsu:timestamp>
<encrypteddata xmlns="http://www.w3.org/2001/04/xmlenc#" id="user-content-Assertion0" type="http://www.w3.org/2001/04/xmlenc#Element">
<encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc">
<ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<encryptedkey>
<encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:keyinfo id="user-content-keyinfo">
<wsse:securitytokenreference>
<wsse:keyidentifier encodingtype="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" valuetype="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">809sMlvEd9zWwJiK+zAFLtVgvpg=</wsse:keyidentifier>
</wsse:securitytokenreference>
</ds:keyinfo>
<cipherdata>
<ciphervalue>....rL0jlN/6PdozXD8oeOdliA==</ciphervalue>
</cipherdata>
</encryptionmethod></encryptedkey>
</ds:keyinfo>
<cipherdata>
<ciphervalue>.....etc</ciphervalue>
</cipherdata>
</encryptionmethod></encrypteddata>
</wsse:security>
</soap:header>
<soap:body>
<wst:requestsecuritytoken context="205ce388-00b4-521b-afcf-753f0ab02788">
<wst:tokentype>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:tokentype>
<wst:requesttype>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:requesttype>
<wsp:appliesto>
<wsa:endpointreference>
<wsa:address>https://webpoolbn11a03.infra.lync.com/CertProv/CertProvisioningService.svc/WebTicket_Proof_SHA1</wsa:address>
</wsa:endpointreference>
</wsp:appliesto>
<wst:claims dialect="urn:component:Microsoft.Rtc.WebAuthentication.2010:authclaims">
<auth:claimtype uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri" optional="false">
<auth:value>sip:thoja20@ca.com</auth:value>
</auth:claimtype>
</wst:claims>
<wst:entropy>
<wst:binarysecret>.....=</wst:binarysecret>
</wst:entropy>
<wst:keytype>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:keytype>
</wst:requestsecuritytoken>
</soap:body>
</soap:envelope>
Response:
<s:envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:header>
<a:action s:mustunderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:action>
</s:header>
<s:body>
<s:fault>
<faultcode xmlns:a="http://docs.oasis-open.org/ws-sx/ws-trust/200512">a:RequestFailed</faultcode>
<faultstring xml:lang="en-US">The SIP URI in the claim type requirements of the web ticket request does not match the SIP URI associated with the presented credentials.</faultstring>
<detail>
<ocsdiagnosticsfault xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<ms-diagnostics-fault>
<errorid>28035</errorid>
<reason>The SIP URI in the claim type requirements of the web ticket request does not match the SIP URI associated with the presented credentials.</reason>
</ms-diagnostics-fault>
<namevaluepairs xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
</namevaluepairs></ocsdiagnosticsfault>
</detail>
</s:fault>
</s:body>
</s:envelope>
~~~~
This should be fixed by git commit 32ff1c0.
CLOSING