Metro (2.1.1) client submits a request to a WCF/WIF web service (.NET 3.5) using a SAML 2 assertion (bearer confirmation) as a signed supporting token generated by a Metro STS (see WSDL).
In this scenario, the WCF service throws the following (inner) exception when validating the digest of the (STR) referenced SAML 2 assertion:
<ExceptionType>System.Security.Cryptography.CryptographicException, mscorlib, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Digest verification failed for Reference '#uuid_835ea2da-79f7-4b30-8790-5c86943c3769'.</Message>
where the element with ID: "uuid_835ea2da-79f7-4b30-8790-5c86943c3769" is the reference to the SecurityTokenReference element that references the SAML assertion.
SOAP main signature references the attached SAML assertion using a SecurityTokenReference element via the STR-Transform in compliance with the WSS SAML Token Profile 1.1.
In addition we tested the following scenarios:
Metro client to Metro service (works)
WCF client to WCF service (works)
WCF client to Metro service (works)
Metro client to WCF services (DOESN"T WORK)
In all these additional scenarios (first three), digest and signature verification passes. (attached is Java code that allows digest validation).
Furthermore, we modified the Metro source to eliminate STR-Trasform and directly sign the SAML assertion from the main signature (instead of using a SecurityTokenReference and the STR-Transform).
With eliminated STR-Transform the Metro client can talk to WCF service with no problem, although now we are now not complying with the WSS SAML Token Profile 1.1.
This result suggests a problem in the Metro's generation of the SOAP message signature, specifically the signature of the signed supporting tokens using the STR dereference transform (STR-Transform).