I have to write a .NET WCF Service which relies on SAML2 Tokens issued by WSO2 Identity Server. It is required that everything from wst:SecondaryParameters (e.g. Claims) is validated by the WSO2 Security Token Service. I'm not able to do this, because it seems that WSO2 is ignoring the SecondaryParameters. If I request the claims directly under the RequestSecurityToken they are validated correctly in the RSTR.
Here's my sample RST created with SoapUI for testing purposes:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body>
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
      <wsp:AppliesTo>
        <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
          <wsa:Address>https://example.com</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:SecondaryParameters>
        <wst:Claims wst:Dialect="http://wso2.org">
          <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/givenname"/>
          <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/emailaddress"/>
          <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/username"/>
        </wst:Claims>
      </wst:SecondaryParameters>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>
...and the RSTR received from the WSO2 STS, missing the requested Claims:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-75" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2021-06-10T09:59:22.813Z</wsu:Created>
        <wsu:Expires>2021-06-10T10:04:22.813Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestSecurityTokenResponse>
        <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
        <wst:RequestedAttachedReference>
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference URI="#urn:uuid:EB6235F9B55E496D821623319162707" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
          </wsse:SecurityTokenReference>
        </wst:RequestedAttachedReference>
        <wst:RequestedUnattachedReference>
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Reference URI="urn:uuid:EB6235F9B55E496D821623319162707" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
          </wsse:SecurityTokenReference>
        </wst:RequestedUnattachedReference>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
            <wsa:Address>https://example.com</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:Lifetime>
          <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2021-06-10T09:59:22.703Z</wsu:Created>
          <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2021-06-10T10:04:22.703Z</wsu:Expires>
        </wst:Lifetime>
        <wst:RequestedSecurityToken>
          <saml2:Assertion ID="urn:uuid:EB6235F9B55E496D821623319162707" IssueInstant="2021-06-10T09:59:22.703Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Issuer>https://sts.example.com</saml2:Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#urn:uuid:EB6235F9B55E496D821623319162707">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>Ty9kARjgU99DnLmK5g8UQeP0ekM=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>RPZEPn9oJeQLKE/Fk0jqRUaTnlOvpwcL6iuPKnSi0MbUNf6sbZBC1jmrz8YfLm5XYUpfxQTXv7Xm
9Ck5B61dXevke/MiiZhHViSGeRhumPyLmNGTyMTZMuKEUs/J+xAtjCOgGM7vo6QfILooYfGMBoP+
u22ITTyjiTDwShTGaj9E54FvtO3AAjA27LDNZu2gM8eDdNKKvS6wfq32WVsoNBRaJ3sjC0fshlp7
eBljJhovQ7/Ll8/4PeriaQtXagp9Xsn56nEW8iEBzFQUg9ViVqnr5Jk5GhfbfhXOYRTmZvDBFdRO
r9D4bH97BGbkmRH4+Ha0AtpjO2JdSaPIBQq61Q==</ds:SignatureValue>
              <ds:KeyInfo>
                <ds:X509Data>
                  <ds:X509Certificate>MIIDYDCCAkigAwIBAgIEDUzx7TANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJMSzELMAkGA1UE...</ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </ds:Signature>
            <saml2:Subject>
              <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser</saml2:NameID>
              <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
            </saml2:Subject>
            <saml2:Conditions NotBefore="2021-06-10T09:59:22.703Z" NotOnOrAfter="2021-06-10T10:04:22.703Z">
              <saml2:AudienceRestriction>
                <saml2:Audience>https://example.com</saml2:Audience>
              </saml2:AudienceRestriction>
            </saml2:Conditions>
            <saml2:AuthnStatement AuthnInstant="2021-06-10T09:59:22.754Z">
              <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
              </saml2:AuthnContext>
            </saml2:AuthnStatement>
          </saml2:Assertion>
        </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soapenv:Body>
</soapenv:Envelope>
How can I correctly request the SecondaryParameters specified in WS-Trust 1.4 from WSO2 STS?
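The question contrasts two placements of wst:Claims in the RST, and the RSTR above shows what happens when the STS ignores the request: a valid, signed assertion with no AttributeStatement at all. Whatever the STS does, the relying party should not assume the claims it asked for are present. The following Python script is an added example, not code from the question, from WSO2 or from the WCF service: build_rst emits the RST in either placement (directly under RequestSecurityToken, which the question reports works, or inside SecondaryParameters, which was ignored), and inspect_rstr checks the returned assertion for the audience, for the requested claims and for the signature algorithm before the token is accepted. The two RSTR samples are constructed for the example; the assumption that WSO2 emits each claim as a saml2:Attribute whose Name is the claim URI is also an assumption of the example and should be checked against a real RSTR. Cryptographic signature verification is deliberately left to the WS-Security stack of the service.

```python
"""Added example: build a WS-Trust 1.4 RST requesting WSO2 claims, and inspect
the RSTR so the relying party only trusts a token that carries those claims."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSID = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

for _prefix, _uri in {"soap": SOAP, "wst": WST, "wsp": WSP, "wsa": WSA,
                      "wsid": WSID, "saml2": SAML2, "ds": DS}.items():
    ET.register_namespace(_prefix, _uri)

# The three WSO2 claim URIs from the question's RST.
CLAIMS = ["http://wso2.org/claims/givenname",
          "http://wso2.org/claims/emailaddress",
          "http://wso2.org/claims/username"]


def build_rst(applies_to, claim_uris, in_secondary_parameters=False):
    """Return a SOAP-wrapped RST as bytes.

    By default wst:Claims is placed directly under RequestSecurityToken, the
    placement the question reports WSO2 honours. in_secondary_parameters=True
    nests it in wst:SecondaryParameters instead, reproducing the ignored request."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = f"{WST}/Bearer"
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    parent = ET.SubElement(rst, f"{{{WST}}}SecondaryParameters") if in_secondary_parameters else rst
    claims = ET.SubElement(parent, f"{{{WST}}}Claims", {f"{{{WST}}}Dialect": "http://wso2.org"})
    for uri in claim_uris:
        ET.SubElement(claims, f"{{{WSID}}}ClaimType", {"Uri": uri})
    return ET.tostring(env, encoding="utf-8")


def claims_location(rst_xml):
    """Report where wst:Claims sits in an RST: 'RequestSecurityToken',
    'SecondaryParameters', or None when there is no Claims element."""
    rst = ET.fromstring(rst_xml).find(f".//{{{WST}}}RequestSecurityToken")
    if rst.find(f"{{{WST}}}Claims") is not None:
        return "RequestSecurityToken"
    if rst.find(f"{{{WST}}}SecondaryParameters/{{{WST}}}Claims") is not None:
        return "SecondaryParameters"
    return None


def inspect_rstr(rstr_xml, expected_claim_uris, expected_audience):
    """Checks a relying party should run on the RSTR before accepting the token.

    audience_ok: the assertion is restricted to our own endpoint (AppliesTo).
    missing_claims: requested claim URIs absent from the AttributeStatement.
    signature_method: the ds:SignatureMethod algorithm, so a policy can reject
    weak ones (the RSTR in the question uses rsa-sha1)."""
    assertion = ET.fromstring(rstr_xml).find(f".//{{{SAML2}}}Assertion")
    if assertion is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion")
    audiences = {a.text for a in assertion.iterfind(f".//{{{SAML2}}}Audience")}
    # Assumption of this example: WSO2 emits each claim as a saml2:Attribute
    # whose Name attribute is the claim URI that was requested.
    present = {a.get("Name") for a in assertion.iterfind(f".//{{{SAML2}}}Attribute")}
    sig = assertion.find(f".//{{{DS}}}SignatureMethod")
    return {
        "audience_ok": expected_audience in audiences,
        "missing_claims": sorted(set(expected_claim_uris) - present),
        "signature_method": sig.get("Algorithm") if sig is not None else None,
    }


# Constructed sample RSTR with the shape of the one in the question: a signed
# assertion, an audience, and no AttributeStatement (signature value is a dummy).
RSTR_WITHOUT_CLAIMS = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}"><wst:RequestSecurityTokenResponse>
<wst:RequestedSecurityToken>
<saml2:Assertion xmlns:saml2="{SAML2}" ID="urn:uuid:constructed-1" Version="2.0" IssueInstant="2021-06-10T09:59:22.703Z">
<saml2:Issuer>https://sts.example.com</saml2:Issuer>
<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:SignatureMethod Algorithm="{DS}rsa-sha1"/></ds:SignedInfo>
<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
<saml2:Subject><saml2:NameID>testuser</saml2:NameID></saml2:Subject>
<saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>https://example.com</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>
</soapenv:Body></soapenv:Envelope>"""

# Constructed variant carrying two of the three requested claims (username omitted).
RSTR_WITH_CLAIMS = RSTR_WITHOUT_CLAIMS.replace("</saml2:Conditions>", """</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="http://wso2.org/claims/givenname"><saml2:AttributeValue>Test</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="http://wso2.org/claims/emailaddress"><saml2:AttributeValue>testuser@example.com</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>""")

if __name__ == "__main__":
    print(build_rst("https://example.com", CLAIMS).decode())
    print(claims_location(build_rst("https://example.com", CLAIMS, in_secondary_parameters=True)))
    print(inspect_rstr(RSTR_WITHOUT_CLAIMS, CLAIMS, "https://example.com"))
    print(inspect_rstr(RSTR_WITH_CLAIMS, CLAIMS, "https://example.com"))
```

Running the script against the constructed samples shows the failure mode in the question as a non-empty missing_claims list rather than as a silently accepted token; the WCF service should fail closed on that result and on an audience mismatch. The signature_method field exists so that the rsa-sha1 / sha1 combination visible in the RSTR can be flagged by policy on the relying-party side, independently of whether the signature itself verifies.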