About the Author: ProofID

Categories: Blog, IAM, Developers

There is in fact an easy way to simulate Office 365's authentication traffic, because Office 365 uses WS-Trust for active-profile clients such as Outlook connecting to Exchange Online. We use cURL, a free client-side URL transfer tool that supports HTTPS, to send the WS-Trust SOAP request. See the cURL website for details on its command-line options and on how to download and install it.

We create a text file named UAT to represent the username-token request that Office 365 sends to a federation server (e.g. PingFederate). For simplicity, the text file contains a cleartext username and password (lines 16 and 17), which should be changed as needed. Also pay attention to the timestamp tags in the message (lines 20 and 21): an STS checks them for freshness, so they must be updated before each run.

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
    <wsa:To s:mustUnderstand="1">https://sts.qa.glic.com/idp/sts.wst</wsa:To>
    <wsa:MessageID>1215501832</wsa:MessageID>
    <ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">
      <ps:HostingApp>Lync Mobile</ps:HostingApp>
      <ps:BinaryVersion>6</ps:BinaryVersion>
      <ps:UIVersion>1</ps:UIVersion>
      <ps:Cookies />
      <ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams>
    </ps:AuthInfo>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="user">
        <wsse:Username>username</wsse:Username>
        <wsse:Password>password</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp Id="Timestamp">
        <wsu:Created>2015-06-26T03:12:01Z</wsu:Created>
        <wsu:Expires>2015-06-26T03:17:01Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken Id="RST0">
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>

Now that we have a test username token ready, we can use the cURL command to transmit the WS-Trust SOAP request to your federation server. In this example we assume the federation server is PingFederate, since the endpoint used is the WS-Trust endpoint of its Security Token Service (STS). The UAT text file is the WS-Trust Request Security Token (RST) that is transmitted to the PingFederate STS endpoint.

curl -k --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:urn:my:service-interaction:soap:some-action" --data @UAT https://ssoserver.company.com:9031/idp/sts.wst
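The same round trip in script form, as an added example that is not ProofID's code: build_rst renders the RST above with fresh timestamps and a fresh MessageID (and XML-escapes the credentials), and parse_rstr pulls the issuer, subject and audience out of the RSTR that comes back. The STS URL, user names and the SAMPLE_RSTR bytes are constructed for illustration.

```python
# Added example (not ProofID's code): render the post's RST with fresh timestamps and MessageID,
# then read the authenticated subject back out of the RSTR the STS returns.
import datetime as dt, uuid, xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "http://www.w3.org/2003/05/soap-envelope", "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",  # exact strings: the STS matches on them
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
RST = """<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="{s}" xmlns:wst="{wst}" xmlns:wsu="{wsu}"
 xmlns:wsse="{wsse}" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<s:Header><wsa:Action s:mustUnderstand="1">{wst}/RST/Issue</wsa:Action><wsa:To s:mustUnderstand="1">{to}</wsa:To>
<wsa:MessageID>urn:uuid:{msgid}</wsa:MessageID><wsse:Security><wsse:UsernameToken wsu:Id="user">
<wsse:Username>{user}</wsse:Username><wsse:Password>{pw}</wsse:Password></wsse:UsernameToken>
<wsu:Timestamp wsu:Id="Timestamp"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>
</wsu:Timestamp></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken Id="RST0">
<wst:RequestType>{wst}/Issue</wst:RequestType><wsp:AppliesTo><wsa:EndpointReference>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
</wst:RequestSecurityToken></s:Body></s:Envelope>"""

def build_rst(username, password, sts_url, now=None, ttl=300):
    """RST as UTF-8 bytes (the UAT file); credentials are XML-escaped so '&' or '<' cannot break it."""
    now = now or dt.datetime.now(dt.timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    return RST.format(**NS, to=escape(sts_url), msgid=uuid.uuid4(), user=escape(username),
                      pw=escape(password), created=stamp(now),
                      expires=stamp(now + dt.timedelta(seconds=ttl))).encode("utf-8")

def parse_rstr(rstr):
    """Issuer, subject, audience and expiry from the RSTR's SAML 1.1 assertion; a SOAP Fault has none."""
    assertion = ET.fromstring(rstr).find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in RSTR (check the body for a SOAP Fault)")
    text = lambda p: getattr(assertion.find(p, NS), "text", None)
    cond = assertion.find("saml:Conditions", NS)
    return {"issuer": assertion.get("Issuer"),
            "subject": text(".//saml:Subject/saml:NameIdentifier"),
            "audience": text(".//saml:AudienceRestrictionCondition/saml:Audience"),
            "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None}

# Constructed RSTR holding only what parse_rstr reads (a real one is signed and much longer).
SAMPLE_RSTR = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 MajorVersion="1" MinorVersion="1" AssertionID="_constructed" Issuer="https://sts.example.test/idp/sts.wst">
<saml:Conditions NotBefore="2015-06-26T03:12:01Z" NotOnOrAfter="2015-06-26T04:12:01Z">
<saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement>
<saml:Subject><saml:NameIdentifier>alice@example.test</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement></saml:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></s:Body></s:Envelope>"""
```

Write build_rst(...) to the UAT file and post it with the curl command above; unlike curl -k, a scripted client should keep TLS verification on so the RSTR is known to come from your own STS.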

A successful transaction with the PingFederate STS results in a WS-Trust Request Security Token Response (RSTR) being returned. The RSTR message contains a SAMLv1.1 assertion carrying the identity of the authenticated subject. The response should look similar to the following example. Some notable things to observ