.NET client cannot consume a SOAP message bound to a SAML 2.0 identity assertion that is signed by reference using the STR-Transform algorithm

Tags: .net, saml, wcf

Post updated with a working example. See the working example below.

Problem - .NET client cannot consume a SOAP message bound to a SAML 2.0 identity assertion that is signed by reference using the STR-Transform algorithm

Java message producer: Spring and WSS4J

.NET client consumer: version 4.5.1

SAML: version 2.0, sender-vouches confirmation method; the assertion itself is signed; the assertion is additionally signed by reference at the message level using the STR-Transform algorithm

The .NET client fails on:

<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
I believe this error means the program encountered a URI in an element of the message that the .NET framework does not recognize. By substituting a different transform into the message, I verified that .NET does not recognize this transform:

<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
It fails here:

if (transform == null) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_UnknownTransform")); }

System.Security.Cryptography.CryptoConfig.CreateFromName consults machine.config to determine which algorithms are available to the .NET framework.

Should a custom class be defined to handle the STR-Transform algorithm and then be referenced in machine.config, something like this:

<mscorlib>
    <cryptographySettings>
      <cryptoNameMapping>
        <cryptoClasses>
          <cryptoClass strtransform="Custom.Class.StrTransformProvider,Custom.Class" />
        </cryptoClasses>
        <nameEntry name="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" class="strtransform" />
      </cryptoNameMapping>
    </cryptographySettings>
</mscorlib>
Stack trace:

A first chance exception of type 'System.Security.Cryptography.CryptographicException' occurred in System.Security.dll
********* ERROR: System.Security.Cryptography.CryptographicException: Unknown transform has been encountered.
   at System.Security.Cryptography.Xml.Reference.LoadXml(XmlElement value)
   at System.Security.Cryptography.Xml.SignedInfo.LoadXml(XmlElement value)
   at System.Security.Cryptography.Xml.Signature.LoadXml(XmlElement value)
   at System.Security.Cryptography.Xml.SignedXml.LoadXml(XmlElement value)
   at TestSignatureVerification.Program.ValidateDocument(XmlDocument docToTest) in ... Program.cs:line 59
   at TestSignatureVerification.Program.VerifyXMLSignature(String xmlFileLocation) in ... Program.cs:line 26 *********
Note that the signatures in this example are fake. Even if you get past the error, you will not be able to verify them. Cryptographic verification of the signatures happens downstream of the error and is unrelated to this question. Also note that the XOP-referenced binary attachment is not included in the sample payload and is unrelated to it.

The wsse:Security header of the test message has the following child elements relevant to this question:

  • wsse:BinarySecurityToken (the SOAP producer's X.509 certificate)
  • saml2:Assertion (identifies the creator of the transaction; the SOAP producer vouches for this identity using the SAML sender-vouches confirmation method)
  • wsse:SecurityTokenReference (refers to the wsse:BinarySecurityToken and is referenced by ds:Signature; see the next item)
  • ds:Signature (signs the message body and the SAML assertion)
The SAML assertion is signed by reference at the message level using the following algorithm:

To verify the signature, the SAML assertion must first be resolved from the reference using the STR-Transform algorithm. I believe this is where the .NET code fails with the "Unknown transform has been encountered" error. My conclusion rests on the fact that if you replace "" in the message with "", you get past the "Unknown transform has been encountered" error and the program then fails to verify the signature (as expected, given the fake signatures and fictitious identity in the message); so the signature cannot be verified (signature verification is not the point of the example; handling the transform algorithm is the key).

Note that the saml2:Assertion element has its own ds:Signature element. The security token service that provides the assertion signs it. The SOAP producer takes the assertion as input from the security token service. Before including the assertion in the message, however, the SOAP producer needs to verify the assertion signature, to prove to itself that the assertion was not modified on its way from the security token service and to confirm its trust relationship with the security token service. After verifying the integrity and provenance of the SAML assertion, the SOAP producer signs the assertion at the message level to prove that to the message consumer. The second, message-level signature is not a duplicate signature, not only because the signer is different but also because the security context is different (one context is the security token service; the other is the SOAP producer).

In this example, Google is the fictitious security token service. The value of the ds:X509Certificate element in the SAML assertion is the www.google.com digital certificate. Google (fictitiously) signs the SAML assertion and provides the signed assertion to the SOAP producer, which verifies the signature. The SOAP producer (identified in this example by its digital certificate) fictitiously signs the message body and the SAML assertion.

The XPath query in this example picks up all ds:Signature elements in the message. The signature on the SAML assertion happens to be the second ds:Signature element in the message. The program does not break on the cryptographic failure of the first signature verification (the SOAP message-level signature) because the "if (!status) break" is commented out. The program then tries to verify the signature on the SAML assertion. It fails with the "Unknown transform has been encountered" error. This happens before any attempt to verify the signature; the program never reaches that step for the second signature. The staleness of all the conditions in the SAML assertion is irrelevant to the example.

Sample C# code

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
using System.Collections.Generic;
using System.Diagnostics;

namespace TestSignatureVerification
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine(VerifyXMLSignature(@"C:\Temp\Payload.xml").ToString());
        }

        public static bool VerifyXMLSignature(string xmlFileLocation)
        {
            try
            {
                XmlDocument docToTest = new XmlDocument();
                docToTest.PreserveWhitespace = true;
                docToTest.XmlResolver = null;
                docToTest.Load(xmlFileLocation);
                return ValidateDocument(docToTest); 

            }
            catch (Exception e)
            {
               // Console.WriteLine(e.Message);
                Debug.WriteLine("********* ERROR: " + e.ToString() + " *********");
               // Debug.WriteLine(e.StackTrace);
                return false;
            }
        }

        public static bool ValidateDocument(XmlDocument docToTest)
        {
            bool status = true;

            XmlNamespaceManager manager = new XmlNamespaceManager(docToTest.NameTable);
            manager.AddNamespace("wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");

            XmlNodeList securityList = docToTest.SelectNodes("//wsse:Security", manager);
            X509Certificate2 cert = getCertificate(securityList[0]);

            // http://www.w3.org/2000/09/xmldsig#
            manager.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl); 
            XmlNodeList nodeList = docToTest.SelectNodes("//ds:Signature", manager);

            Debug.WriteLine("Count of Signature nodes: " + nodeList.Count);

            SignedXml signedXml = new SignedXml(docToTest);

            foreach (XmlNode node in nodeList)
            {
                Debug.WriteLine("InnerXML: " + node.InnerXml);
                signedXml.LoadXml((XmlElement)node);
//              Debug.WriteLine("Certificate: " + cert);
                status = signedXml.CheckSignature(cert, true);
//              Debug.WriteLine("Node Name: " + node.Name);
                Debug.WriteLine("CheckSignature status: " + status);
//              if (!status)
//                  break;
            }
            return status;
        }


        private static XmlElement retrieveHeader(XmlDocument xmlContent)
        {
            return xmlContent.ChildNodes.OfType<XmlElement>().First(e => e.Name.Contains("Envelope")).ChildNodes.OfType<XmlElement>().First(e=> e.Name.Contains("Header"));

        }

        private static X509Certificate2 getCertificate(XmlNode securityNode)
        {
            XmlElement binarySecurityToken = (
               from element in securityNode.ChildNodes.OfType<XmlElement>()
               where element.Name.Contains("BinarySecurityToken")
               select element).First();
            string encodedCertificate = binarySecurityToken.InnerText;
            byte[] decodedContent = Convert.FromBase64String(encodedCertificate);
            return new X509Certificate2(decodedContent);
        }


    }
}
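The following is an added example written for this edit; it is not code from the original post, from WSS4J or from the .NET Framework. It shows what the custom transform class asked about above could look like and how to register it from code instead of machine.config, so that SignedXml.LoadXml accepts the STR-Transform URI and the verification loop in the sample program can reach CheckSignature. The class names StrTransform, WsuSignedXml and StrVerifier and the static Envelope hand-off are my own choices; the algorithm URI, the Transform/SignedXml/CryptoConfig APIs and the namespace URIs are those in the message above. It handles only the wsse:KeyIdentifier (SAMLID) reference style used in the sample payload.

```csharp
// Added example (not the post's code); StrTransform, WsuSignedXml, StrVerifier are my names.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

namespace TestSignatureVerification
{
    public class StrTransform : Transform
    {
        public const string AlgorithmUri =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform";
        public const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
        const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

        // SignedXml hands the transform a re-parsed copy of the STR element only, and
        // CryptoConfig needs a parameterless constructor, so the envelope holding the
        // referenced assertion is supplied through this static (my design choice).
        [ThreadStatic] public static XmlDocument Envelope;

        XmlDocument strDoc;                                    // input: the STR element
        XmlNodeList parameters;                                // wsse:TransformationParameters
        string c14nUri = SignedXml.XmlDsigExcC14NTransformUrl; // default if no parameters given

        public StrTransform() { Algorithm = AlgorithmUri; }
        public override Type[] InputTypes { get { return new[] { typeof(XmlDocument) }; } }
        public override Type[] OutputTypes { get { return new[] { typeof(Stream) }; } }
        protected override XmlNodeList GetInnerXml() { return parameters; }
        public override void LoadInput(object obj) { strDoc = (XmlDocument)obj; }
        public override object GetOutput(Type type) { return GetOutput(); } // Stream is the only output

        // Reads <wsse:TransformationParameters><ds:CanonicalizationMethod Algorithm="..."/>
        public override void LoadInnerXml(XmlNodeList nodeList)
        {
            parameters = nodeList;
            if (nodeList == null) return;
            foreach (XmlNode p in nodeList)
                foreach (XmlNode c in p.ChildNodes)
                    if (c is XmlElement && c.LocalName == "CanonicalizationMethod")
                        c14nUri = ((XmlElement)c).GetAttribute("Algorithm");
        }

        // STR dereference: replace the SecurityTokenReference by the token it points
        // to, then canonicalize that token (WSS 1.0 STR-Transform).
        public override object GetOutput()
        {
            if (Envelope == null) throw new InvalidOperationException("StrTransform.Envelope not set");
            XmlNodeList keyIds = strDoc.GetElementsByTagName("KeyIdentifier", WsseNs);
            if (keyIds.Count != 1) throw new CryptographicException("STR-Transform: expected one wsse:KeyIdentifier");
            string assertionId = keyIds[0].InnerText.Trim();

            // Compare the ID attribute directly (no XPath built from message text)
            // and insist on exactly one match.
            XmlElement token = null;
            foreach (XmlElement a in Envelope.GetElementsByTagName("Assertion", SamlNs))
            {
                if (a.GetAttribute("ID") != assertionId) continue;
                if (token != null) throw new CryptographicException("STR-Transform: ambiguous assertion ID " + assertionId);
                token = a;
            }
            if (token == null) throw new CryptographicException("STR-Transform: assertion not found: " + assertionId);

            if (c14nUri != SignedXml.XmlDsigExcC14NTransformUrl)
                throw new CryptographicException("STR-Transform: unsupported canonicalization " + c14nUri);
            XmlDocument tokenDoc = new XmlDocument { PreserveWhitespace = true };
            tokenDoc.AppendChild(tokenDoc.ImportNode(token, true));
            Transform c14n = new XmlDsigExcC14NTransform();
            c14n.LoadInput(tokenDoc);
            return c14n.GetOutput(typeof(Stream));
        }
    }

    // Caveat to check on your framework build: SignedXml.GetIdElement looks for
    // unprefixed Id/id/ID attributes, so "#id-..." pointing at the wsu:Id on
    // SOAP-ENV:Body can fail with a reference error. This override adds wsu:Id and
    // rejects duplicate IDs (a basic signature-wrapping defence).
    public class WsuSignedXml : SignedXml
    {
        const string WsuNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
        public WsuSignedXml(XmlDocument doc) : base(doc) { }

        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            XmlElement found = base.GetIdElement(document, idValue);
            foreach (XmlElement e in document.GetElementsByTagName("*"))
            {
                if (e.GetAttribute("Id", WsuNs) != idValue) continue;
                if (found != null && found != e) throw new CryptographicException("Ambiguous Id " + idValue);
                found = e;
            }
            return found;
        }
    }

    public static class StrVerifier
    {
        // Verifies the message-level signature: the ds:Signature directly under
        // wsse:Security, whose second Reference uses STR-Transform.
        public static bool VerifyMessageSignature(XmlDocument envelope, X509Certificate2 producerCert)
        {
            CryptoConfig.AddAlgorithm(typeof(StrTransform), StrTransform.AlgorithmUri); // code form of the machine.config nameEntry
            StrTransform.Envelope = envelope;
            XmlNamespaceManager nsm = new XmlNamespaceManager(envelope.NameTable);
            nsm.AddNamespace("wsse", StrTransform.WsseNs);
            nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
            XmlElement sig = (XmlElement)envelope.SelectSingleNode("//wsse:Security/ds:Signature", nsm);
            if (sig == null) return false;
            WsuSignedXml signed = new WsuSignedXml(envelope);
            signed.LoadXml(sig); // no longer throws "Unknown transform has been encountered"
            // true = check the signature value only, as the post's code does;
            // a production consumer also validates the certificate chain.
            return signed.CheckSignature(producerCert, true);
        }
    }
}
```

CryptoConfig.AddAlgorithm must run before the first SignedXml.LoadXml in the process; it is the programmatic equivalent of the cryptoClass/nameEntry pair in the question (in that XML the attribute name on cryptoClass is the friendly name that nameEntry's class attribute refers to, so the form shown there is right). In the sample program, replace `new SignedXml(docToTest)` with `new WsuSignedXml(docToTest)` and set `StrTransform.Envelope = docToTest` before the loop. Two things to expect on realistic input: the sample payload's signatures are fake, so CheckSignature still returns false after the transform error is gone, and newer .NET Framework builds reject the rsa-sha1 and sha1 algorithms used in this payload unless explicitly re-enabled, which surfaces as a different exception from SignedXml, not as the unknown-transform error.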
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" SOAP-ENV:mustUnderstand="1">
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-81591DAC97D1A4EF26139995608718319">MIIROTCCECGgAwIBAgIQD2AtUFHRJ/PkEI4BTHIMwDANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBDQS0zMB4XDTExMTAwMzAwMDAwMFoXDTE0MTIxMDEyMDAwMFowfTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAcTDFNhbnRhIE1vbmljYTEgMB4GA1UEChMXRWRnZUNhc3QgTmV0d29ya3MsIEluYy4xIDAeBgNVBAMTF2dwMS53YWMuZWRnZWNhc3RjZG4ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1K3ZOsUnhUTxZgquo3P2QZ3KJxdugFaKGfPIxkaEaX4pQl6uOVCjcMbzsh/RoW3XBGbo1Gp9KibpYMCwjSYyRNvr4TZsjjLoY1+WfFIHD+3PwkFyIzQo9oZdr9hViSI0DENmdqTbJJVODuQt4jjUgNuCTIRdPrHS+MR4OTwvtGQRwc358/deZVdoWNMhcyBQaxXGVZskJpFKHr3waFW5yMt4JGy2QuCMYZCNHftZlLLXOezcWZBldxi/BNTTDgeQvzZNCNR290qu2hddqF6vivjbgBncRhEQ1ZVdTHON7iy5e66smEKtDNmfBobHHUvOuhOYXNhawiayJuYgvriVQIDAQABo4INyjCCDcYwHwYDVR0jBBgwFoAUUOpzidsp+xCPnuUBINTeeZlIg/cwHQYDVR0OBBYEFBQVJB6vf7Wp91ztREPqVFypreKRMIIMIQYDVR0RBIIMGDCCDBSCF2dwMS53YWMuZWRnZWNhc3RjZG4ubmV0ghN3YWMuZWRnZWNhc3RjZG4ubmV0ghZuZS53YWMuZWRnZWNhc3RjZG4ubmV0gg1zd2YubWl4cG8uY29tghVjZG4udHJhY2VyZWdpc3Rlci5jb22CDnMudG1vY2FjaGUuY29tghFzLm15LnRtb2NhY2hlLmNvbYINZTEuYm94Y2RuLm5ldIINZTIuYm94Y2RuLm5ldIINZTMuYm94Y2RuLm5ldIINd3d3LnNvbm9zLmNvbYIac3RhdGljLWNhY2hlLnRwLWdsb2JhbC5uZXSCFXNzbC1jZG4uc29tZXRyaWNzLmNvbYIjY2FjaGUudmVoaWNsZWFzc2V0cy5jYXB0aXZlbGVhZC5jb22CEXN0YXRpYy53b29wcmEuY29tgg9pbWFnZXMuaW5rMi5jb22CF2Fzc2V0cy1zZWN1cmUucmF6b28uY29tggxlYy5wb25kNS5jb22CFWltYWdlcy5lc2VsbGVycHJvLmNvbYIPdXNlLnR5cGVraXQuY29tghFzdGF0aWMuaXNlYXR6LmNvbYIVc3RhdGljLnd3dy50dXJudG8uY29tghhpbnBhdGgtc3RhdGljLmlzZWF0ei5jb22CF3NlY3VyZS5hdmVsbGVhc3NldHMuY29tghBzdGF0aWMuZHVibGkuY29tghR3d3ctY2RuLmNpbmFtdXNlLmNvbYITd3d3LWNkbi5jaW5lYmxlLmNvbYIVd3d3LWNkbi5jaW5lbWFkZW4uY29tghR3
d3ctY2RuLmZpbG1sdXNoLmNvbYIWd3d3LWNkbi5mbGl4YWRkaWN0LmNvbYIRd3d3LWNkbi5pdHNoZC5jb22CFHd3dy1jZG4ubW92aWVhc2UuY29tghV3d3ctY2RuLm1vdmllbHVzaC5jb22CEnd3dy1jZG4ucmVlbGhkLmNvbYIUd3d3LWNkbi5wdXNocGxheS5jb22CE2NkbjEuZmlzaHBvbmQuY28ubnqCFGNkbjEuZmlzaHBvbmQuY29tLmF1gg13d3cuaXNhY2Eub3JnghJjZG4ub3B0aW1pemVseS5jb22CFXN0YXRpYy5zaG9lZGF6emxlLmNvbYIYd3d3LnRyYXZlbHJlcHVibGljLmNvLnVrgg5jZG4ubnByb3ZlLmNvbYISc3NsYmVzdC5ib296dHguY29tghZ3d3cudHJhdmVscmVwdWJsaWMuY29tghV3d3cuYmxhY2tsYWJlbGFkcy5jb22CEGNkbi53aG9pcy5jb20uYXWCF25lMS53YWMuZWRnZWNhc3RjZG4ubmV0ghdnczEud2FjLmVkZ2VjYXN0Y2RuLm5ldIIYYzEuc29jaWFsY2FzdGNvbnRlbnQuY29tghV3d3cuc3RlZXBhbmRjaGVhcC5jb22CFnd3dy53aGlza2V5bWlsaXRpYS5jb22CEXd3dy5jaGFpbmxvdmUuY29tghB3d3cudHJhbWRvY2suY29tghB3d3cuYm9ua3Rvd24uY29tghB3d3cuYnJvY2lldHkuY29tghNlZGdlY2FzdC5vbmVncnAuY29tggtjZG4ucHN3Lm5ldIIOY2RuLmdhZ2dsZS5uZXSCFHd3dy1jZG4ucmVlbHZpZHouY29tgg5mYXN0LmZvbnRzLmNvbYISZWMueG5nbG9iYWxyZXMuY29tgg9pbWFnZXMudnJiby5jb22CEmJldGEuZmlsZWJsYXplLm5ldIIaY2RuLmJyYW5kc2V4Y2x1c2l2ZS5jb20uYXWCEXd3dy1jZG4uaXJlZWwuY29tghBjZGNzc2wuaWJzcnYubmV0ghFjZG4uYmV0Y2hvaWNlLmNvbYIQcGxheWVyLnZ6YWFyLmNvbYIUZnJhbWVncmFicy52emFhci5jb22CEHRodW1icy52emFhci5jb22CG3N0eWxpc3Rsb3VuZ2Uuc3RlbGxhZG90LmNvbYIRd3d3LnN0ZWxsYWRvdC5jb22CEWNvbnRlbnQuYXFjZG4uY29tghZjb250ZW50LmViZ2FtZXMuY29tLmF1ghVjb250ZW50LmViZ2FtZXMuY28ubnqCE2ltYWdlcy5wYWdlcmFnZS5jb22CFGltYWdlcy5hbGxzYWludHMuY29tghZjZG5iMS5rb2Rha2dhbGxlcnkuY29tghFjZG4ub3JiZW5naW5lLmNvbYITY2RuLnF1aWNrb2ZmaWNlLmNvbYITY29udGVudC5nbHNjcmlwLmNvbYIOY2RuLmJpZGZhbi5jb22CFG1lZGlhLnF1YW50dW1hZHMuY29tghVjZG4uYWxsZW5icm90aGVycy5jb22CEXBpY3MuaW50ZWxpdXMuY29tghVwaWNzLnBlb3BsZWxvb2t1cC5jb22CFXBpY3MubG9va3VwYW55b25lLmNvbYIQY2RuMS1zc2wuaWhhLmNvbYIOcy5jZG4tY2FyZS5jb22CE2NkbjItYi5leGFtaW5lci5jb22CDGNkbi50cnRrLm5ldIIQZWRnZWNkbi5pbmsyLmNvbYIeZWMuZHN0aW1hZ2UuZGlzcG9zb2x1dGlvbnMuY29tgg5jZG4uY2x5dGVsLmNvbYIXd2VsY29tZTIuY2Fyc2RpcmVjdC5jb22CEnMxLmNhcmQtaW1hZ2VzLmNvbYIPdXBkYXRlLmFsb3QuY29tghJ3d3cub3V0c3lzdGVtcy5jb22CEHd3dy5kcndtZWRpYS5jb22CE2xvb2t1cC5ibHVlY2F2YS5jb22CDmNkbi50YXhhY3QuY29t
ghRjZG4udGF4YWN0b25saW5lLmNvbYIOY2RuLjIwMDU4MS5jb22CDWltZy52eGNkbi5jb22CDGpzLnZ4Y2RuLmNvbYIMd3d3LmdvYWwuY29tghZjZG5zMS5rb2Rha2dhbGxlcnkuY29tghZlZGdlLmRyb3Bkb3duZGVhbHMuY29tghFlZGdlLnBhZ2VyYWdlLmNvbYIVZWRnZS5zYW5pdHlzd2l0Y2guY29tgg9lZGdlLnlvbnRvby5jb22CEWxheWVycy55b250b28uY29tghRjZG4ud2lkZ2V0c2VydmVyLmNvbYISd3d3LmNsb3Vkd29yZHMuY29tghBlZGdlLmFjdGFhZHMuY29tghVpbWFnZXMuc2tpbmNhcmVyeC5jb22CEnNzbC5jZG4tcmVkZmluLmNvbYIVc21hbGwub3V0c28tbWVkaWEuY29tghBjZG4uZm94eWNhcnQuY29tghVlZGdlLmplZXR5ZXRtZWRpYS5jb22CEWNkbi50aWNrZXRmbHkuY29tghdpbWFnZXMuY29zbWV0aWNtYWxsLmNvbYITd3d3LmJhY2tjb3VudHJ5LmNvbYIOc3NsLmJvb3p0eC5jb22CDXAudHlwZWtpdC5uZXSCD3VzZS50eXBla2l0Lm5ldIIUY2RuLnRoZXdhdGVyc2hlZC5jb22CH3N0YXRpYy5jZG4uZG9sbGFyc2RpcmVjdC5jb20uYXWCGGVkZ2UucmVkZm9yZG1lZGlhbGxjLmNvbYIXZWRnZS5wbHVyYWxtZWRpYWxsYy5jb22CGnd3dy5nb3VybWV0Z2lmdGJhc2tldHMuY29tghp3d3cubnVtYmVyaW52ZXN0aWdhdG9yLmNvbYIdYjJicG9ydGFsLmRpc25leWxhbmRwYXJpcy5jb22CImIyYnBvcnRhbC5kaXNuZXl0cmF2ZWxhZ2VudHMuY28udWuCC3d3dy5ud2Yub3JnghJhc3NldHMuemVuZGVzay5jb22CDGEuY2Rua2ljLmNvbYIMcy5jZG5raWMuY29tghl3d3cuc3VwZXJiaWtldG95c3RvcmUuY29tghZjZG4uc3R5bGV0aHJlYWQuY29tLmF1ghJjZG4uY2FydHJhd2xlci5jb22CI3B1YmxpY3N0YXRpY2Nkbi50YWJsZWF1c29mdHdhcmUuY29tghNzZWN1cmUuMzNhY3Jvc3MuY29tgg5jLnp0c3RhdGljLmNvbYIMYy5tc2NpbWcuY29tghhzdGF0aWMudGVhbXRyZWVob3VzZS5jb22CEHd3dy5lZGdlY2FzdC5jb22CGHdhYy5hOGI1LmVkZ2VjYXN0Y2RuLm5ldDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGEGA1UdHwRaMFgwKqAooCaGJGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9jYTMtZzI3LmNybDAqoCigJoYkaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL2NhMy1nMjcuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VDQS0zLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQBgDQfkvzhPs4cvyN0P+Ztwh7/u8peAVPxfP6bs0zT55v5QbHFapmuvCyP40oNrGYbNArrN0ZbchA2vpYWhyLpi6VIRNeH0nQM7nn8HxkrHcAGjjHYn7VNIHg+AR+Mrx1WhFE5kaaw6e7DZh/vbshx6DRW2pqSvdDu2
v2l/V4oli1iz0lYkVl/yLXXCNWpQHQhI2tcQ0YI5suw/NlXJ7f6De0SFEtsf2K65XKF2mrqVX1amiNbiyqKD40i7qYI7XaAX5Rf+YXfcgcGH6svRchDeNlMXmfS53IFmi7/aToZRkp+pLA5fQ1QsJmPjf8cwVX4+tWFNhVLH/kUZKZ1gqL/R</wsse:BinarySecurityToken>
            <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_81591DAC97D1A4EF26139995608705916" IssueInstant="2014-05-13T04:41:27.065Z" Version="2.0" xsi:type="saml2:AssertionType">
                <saml2:Issuer>
www.example.com</saml2:Issuer>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#_81591DAC97D1A4EF26139995608705916">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>Q8nxma/rf1XRfxq46oR7vaj/1yA=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>CzkNUiZppovAIY/atOQzRQfirJ8yFcwbTnwSz8tKcJgx5nYMP23jRZ855lo20laazvoducWqWYDOqGtK4+yzsQmN8OvUkedSzT++KJHUf68LV2ubdmOZ9o6ktLGFsVoj8XGZYlrYHj4mQuuWcBMYgPItiE5kMOPuUWT/8CDS8HkjD0twc7m8/HkQ+PzHfcNSdRHBldH/tXPu3RcOchUjT/LrH6j5A1vdz4aWF7IizKIhtDtu4/dedR1S3DiSj3KG0p2tPxVVEzJX0D1KSyGASxgeP1Sxux0+omZI8U8V2r6cupNaFxg/7iPkA3OFPcbVvOzYL/GLPUcaysFpOdI/cg==</ds:SignatureValue>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIEdjCCA16gAwIBAgIILBjgSyHeH78wDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE...</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                </ds:Signature>
                <saml2:Subject>
                    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">
Tester</saml2:NameID>
                    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
                </saml2:Subject>
                <saml2:Conditions NotBefore="2014-05-13T04:41:27.117Z" NotOnOrAfter="2014-05-13T04:46:27.117Z"/>
                <saml2:AuthnStatement AuthnInstant="2014-05-13T04:41:27.113Z">
                    <saml2:AuthnContext>
                        <saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                    </saml2:AuthnContext>
                </saml2:AuthnStatement>
            </saml2:Assertion>
            <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" wsu:Id="STRSAMLId-81591DAC97D1A4EF26139995608718320">
                <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
_81591DAC97D1A4EF26139995608705916</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-81591DAC97D1A4EF26139995608718622">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="SOAP-ENV"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#id-81591DAC97D1A4EF26139995608718421">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>
JLjybHqBnly5B2u2yhvTCTnn3os=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#STRSAMLId-81591DAC97D1A4EF26139995608718320">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </wsse:TransformationParameters>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>
g3PCuPeWIcXW9HFYYuLJp2lrVwM=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
gGZU5Fwzd86oNABwaX0kzlWU0XVR4HUAp/F04WwxgVI7TThTK/e4OdvyvFJ2tt3kaItoWXhS+YgVnv+4MqmeqAZU+dYvJVuDD+mXjlhokKjHr8RKjLKaKIMIJOcApQrrKqbX0BrT1VySdnARLm3z+z4R0EWU+FNUSFg3nFKA2w63NARAZzeVs4dmFNJH8JtIvh4qHOytpEzJVnBG0bcnVD5BMeLZFZVFP3PCFwLEyb01QMe84GR60HocVPszHbQYnahYVtVABtOkFZjWj8+6C3pM+jaSa0QgB8Kvlwnkr/I8qU1q4HP2gvFkAMl9PZqfsO2zYn6OX6Gihcm4KJ/K3g==</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-81591DAC97D1A4EF26139995608718317">
                    <wsse:SecurityTokenReference wsu:Id="STRId-81591DAC97D1A4EF26139995608718318">
                        <wsse:Reference URI="#CertId-81591DAC97D1A4EF26139995608718319" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
        <WSHeader xmlns="http://www.example.com/WSHeader.xsd">
            <UsernameToken>
                <Username>
Tester</Username>
                <Nonce>
ODE1OTFEQUM5N0QxQTRFRjI2MTM5OTk1NjA4NTUyOTE1</Nonce>
                <Created>
2014-05-13T04:41:25.529Z</Created>
            </UsernameToken>
        </WSHeader>
        <ns1:attachmentHash xmlns:ns1="http://www.example.com/schemas/attachmenthash" SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next" SOAP-ENV:mustUnderstand="0">
            <ns1:hashValue>
7WxA7WJauYkMVd7KzK369YFQKS8=</ns1:hashValue>
        </ns1:attachmentHash>
        <ns1:standardAttachment xmlns:ns1="http://www.example.com/Attachment.xsd">
            <Attachment>
                <id>
1</id>
                <compressFlag>
yes</compressFlag>
                <compressMethod>
gzip</compressMethod>
            </Attachment>
        </ns1:standardAttachment>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-81591DAC97D1A4EF26139995608718421">
        <submitTest xmlns="http://www.example.com/Test">
            <AttachmentInfo xmlns="http://www.example.com/Attachment.xsd">
                <attachmentData>
                    <Include xmlns="http://www.w3.org/2004/08/xop/include" href="cid:2b380066-5b7e-4d5c-949d-f11d41d1cd1b"/>
                </attachmentData>
            </AttachmentInfo>
        </submitTest>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
if (elementContainer.SourceSigningToken != null)
{
    if (ShouldSerializeToken(this.signingTokenParameters, this.MessageDirection))
    {
        this.StandardsManager.SecurityTokenSerializer.WriteToken(writer, elementContainer.SourceSigningToken);

        // Implement Protect token 
        // NOTE: The spec says sign the primary token if it is not included in the message. But we currently are not supporting it
        // as we do not support STR-Transform for external references. Hence we can not sign the token which is external ie not in the message.
        // This only affects the messages from service to client where 
        // 1. allowSerializedSigningTokenOnReply is false.
        // 2. SymmetricSecurityBindingElement with IssuedTokens binding where the issued token has a symmetric key.

        if (this.ShouldProtectTokens)
        {
            this.WriteSecurityTokenReferencyEntry(writer, elementContainer.SourceSigningToken, this.signingTokenParameters);
        }
    }
}