We are recieving an exception when validating an assertion with a OneTimeUse Condition. We do not see a way to override or change this behavior. Any help?
Exception: Microsoft.IdentityModel.Tokens.SecurityTokenValidationException: IDX13510: The Saml2SecurityToken cannot be validated because the Assertion specifies a OneTimeUse condition.Enforcement of the OneTimeUse condition is not supported by default.To customize the enforcement of OneTimeUse condition, extend Saml2SecurityTokenHandler and override ValidateOneTimeUseCondition. at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateOneTimeUseCondition(Saml2SecurityToken securityToken, TokenValidationParameters validationParameters) at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) at ITfoxtec.Identity.Saml2.Tokens.Saml2ResponseSecurityTokenHandler.ValidateToken(SecurityToken token, String tokenString, Saml2Response saml2Response, Boolean detectReplayedTokens) at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadClaimsIdentity(String tokenString, Boolean detectReplayedTokens) at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature, Boolean detectReplayedTokens) at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature, Boolean detectReplayedTokens) at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)
We tried exploring the options classes and extending the handler but neither seem viable.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_381479691072dae3061c8eb476d8f638726d827456" IssueInstant="2023-01-04T19:59:55.431Z" Destination="https://p-dv-vm-tee8won:443/Relativity/Identity/98E1EA02C6824DB779469702E3C3A50DF55188D3"><saml:Issuer>https://capriza.github.io/samling/samling.html</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_b4062517bccdf96dd61be6ad16374ba6aac7bccca6" IssueInstant="2023-01-04T19:59:55.383Z"><saml:Issuer>https://capriza.github.io/samling/samling.html</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_b4062517bccdf96dd61be6ad16374ba6aac7bccca6"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>czTc3X2L2jmH8hZmbw8CnVbLGWIOCgWpQhLb6cMIRF4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>NH/nBTI88+D7KqA26IahTsf6bpXqSdBsGf/Bk4gvtJ9NGzfEJ14Pxh9fhYgq47begLqSY61Whoek6CQs908p8Qck37BFtvxR4gsWFULGIbb7ybsEMqajBR0pVDarxcC04bgXTa2nmMs2CO0lwl6lBMAEOQaf/03W8SxLSh2ovPQ=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICpzCCAhACCQDuFX0Db5iljDANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVBhbG8gQWx0bzEQMA4GA1UECgwHU2FtbGluZzEPMA0GA1UECwwGU2FsaW5nMRQwEgYDVQQDDAtjYXByaXphLmNvbTEmMCQGCSqGSIb3DQEJARYXZW5naW5lZXJpbmdAY2Fwcml6YS5jb20wHhcNMTgwNTE1MTgxMTEwWhcNMjgwNTEyMTgxMTEwWjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVBhbG8gQWx0bzEQMA4GA1UECgwHU2FtbGluZzEPMA0GA1UECwwGU2FsaW5nMRQwEgYDVQQDDAtjYXByaXphLmNvbTEmMCQGCSqGSIb3DQEJARYXZW5naW5lZXJpbmdAY2Fwcml6YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJEBNDJKH5nXr0hZKcSNIY1l4HeYLPBEKJLXyAnoFTdgGrvi40YyIx9lHh0LbDVWCgxJp21BmKll0CkgmeKidvGlr3FUwtETro44L+SgmjiJNbftvFxhNkgA26O2GDQuBoQwgSiagVadWXwJKkodH8tx4ojBPYK1pBO8fHf3wOnxAgMBAAEwDQYJKoZIhvcNAQELBQADgYEACIylhvh6T758hcZjAQJiV7rMRg+Omb68iJI4L9f0cyBcJENR+1LQNgUGyFDMm9Wm9o81CuIKBnfpEE2Jfcs76YVWRJy5xJ11GFKJJ5T0NEB7txbUQPoJOeNoE736lF5vYw6YKp8fJqPW0L2PLWe9qTn8hxpdnjo3k6r5gXyl8tk=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">redactedemail#relativity.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2023-01-04T20:09:55.383Z" Recipient="https://p-dv-vm-tee8won:443/Relativity/Identity/98E1EA02C6824DB779469702E3C3A50DF55188D3"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2023-01-04T19:59:55.383Z" NotOnOrAfter="2023-01-04T20:09:55.383Z"><saml:AudienceRestriction><saml:Audience>https://p-dv-vm-tee8won/Relativity</saml:Audience></saml:AudienceRestriction><saml:OneTimeUse></saml:OneTimeUse></saml:Conditions><saml:AuthnStatement AuthnInstant="2023-01-04T19:59:55.383Z" SessionNotOnOrAfter="2023-01-04T20:09:55.381Z" SessionIndex="_samling_4122095_80192495"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
I have newer herd about this problem I'm afraid.
Please add a decoded SAML 2.0 authn response which the problem.
**** EDITED ****
The SAML 2.0 authn response is rejected because it contains the OneTimeUse element.
<saml:OneTimeUse>
</saml:OneTimeUse>
The OneTimeUse element is optional in SAML 2.0. But not supported by the ITfoxtec Identity SAML library because the underling Microsoft components do not support it.
You can resolve the problem by asking the IdP to remove the empty OneTimeUse element.
Related
I'm setting up a saml2 authorization, and is using itfoxtec libary.
But from the idp i only get one attribute value and no NameId.
In my assertionConsumerService i get a ArgumentNullException on nameId.
They say that nameId is optional, so therefore they only send the attribute value.
So can you use itfoxtec without nameid or is it requred?
Adding stacktrace
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'NameIDType' for Saml2SecurityToken. Inner exception: 'System.ArgumentNullException: IDX10000: The parameter 'value' cannot be a 'null' or an empty object. (Parameter 'value')
at Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier.set_Value(String value)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdType(XmlDictionaryReader reader)'.
---> System.ArgumentNullException: IDX10000: The parameter 'value' cannot be a 'null' or an empty object. (Parameter 'value')
at Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier.set_Value(String value)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdType(XmlDictionaryReader reader)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdType(XmlDictionaryReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameId(XmlDictionaryReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadNameIdentifier(XmlDictionaryReader reader, String parentElement)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadSubject(XmlDictionaryReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2Serializer.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSaml2Token(String token)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(String tokenString)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature, Boolean detectReplayedTokens)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature, Boolean detectReplayedTokens)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)
at ...Controllers.AuthorizationsController.AssertionConsumerService() in ...Areas\Client\Controllers\AuthorizationsController.cs:line 95
You can use the ITfoxtec Identity SAML2 component without a NameID, but then you are not able to do logout or single logout. NameID is optional in login but not in logout and single logout.
Where are you experiencing a ArgumentNullException?
UPDATE
I have added support for issuing SAML 2.0 tokens without a NameID and testet that the component accept tokens without NameID. You should not experience an error. Are you using the latest version 2.8.2?
So I have two demo applications to test. One in .net 4.7 and the other in .net core 3.1.
When running the applications I'm getting different results depending the one used.
In both of them I put the CertificationValidationMode to None.
In .Net core I'm getting this error:
ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)
which is good because I modified the assertion to extend the time for testing and at that point I'm assuming that the validation was bypassed and it is failing because it does not match.
In .Net Framework, this error is coming up:
ID4037: The key needed to verify the signature could not be resolved from the following security key
identifier
'SecurityKeyIdentifier(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
at System.IdentityModel.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.ReadSecurityToken(XmlNode assertionElement)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.ReadSamlResponse(HttpRequest request, Saml2Response saml2Response)
Here I'm thinking that the validation is happening, it is not bypassed, and it is failing. Basically the Validation Mode is ignored.
Am I thinking this wrong?
Thanks
As you say the result looks correct regarding .NET core.
It looks like the .Net Framework cannot find a certificate that match the certificate used in the SAML. 2.0 AuthnResponse. Maybe the .Net Framework application is not configured with the correct certificate? I do not think it has anything to do with the Validation Mode.
I am trying to use ITFoxtec-saml with Auth0 as IdP. But on ACS, I am getting following error:
ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 237
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 204
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Response.cs:line 66
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 214
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 106
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 96
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 70
at TestWebAppCore.Controllers.AuthController.AssertionConsumerService() in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\test\TestWebAppCore\Controllers\AuthController.cs:line 58
The ITFoxtec Identity SAML 2.0 component should accept the signature if it is valid. I do not know about problems validading Auth0 tokens.
To debug you can check if the signature algorithm and the certificate is correct. And maybe also try to set the certificate validation mode to none and the revocation mode to no check.
Configuration example:
"Saml2": {
...
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"CertificateValidationMode": "None",
"RevocationMode": "NoCheck"
...
}
I am using an idp initiated SSO flow. I am using Kentor.AuthServices using OWIN middleware.
Most of the flow works except, user identity is not getting SET when the control reaches my callback method after successfully processing the SAML response.
Setting in web.config:
<kentor.authServices entityId="https://one-staging.com/MVSAMLServiceProvider"
returnUrl="https://5814a15e.ngrok.io/api/Account/UnsolicitedExternalLogin">
<identityProviders>
<add entityId="https://shibidp.edu/idp/shibboleth"
metadataLocation = "~/Providers/SAML2/Metadata/shibidp.edu.xml"
allowUnsolicitedAuthnResponse="false"
disableOutboundLogoutRequests="false"
binding="HttpRedirect">
</add>
<add entityId="abb:one:saml20:idp"
metadataLocation="~/Providers/SAML2/Metadata/abb.xml"
allowUnsolicitedAuthnResponse="true"
disableOutboundLogoutRequests="false"
binding="HttpRedirect">
</add>
</identityProviders>
</kentor.authServices>
Here is my Startup.cs:
public void ConfigureOAuth(IAppBuilder app)
{
app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
{
//For Dev enviroment only (on production should be AllowInsecureHttp = false)
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/oauth2/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
Provider = new CustomOAuthProvider(),
AccessTokenFormat = new CustomJwtFormat()
};
// OAuth 2.0 Bearer Access Token Generation
app.UseOAuthAuthorizationServer(OAuthServerOptions);
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
googleAuthOptions = new GoogleOAuth2AuthenticationOptions()
{
ClientId = System.Configuration.ConfigurationManager.AppSettings["GoogleClientId"],
ClientSecret = System.Configuration.ConfigurationManager.AppSettings["GoogleClientSecret"],
Provider = new GoogleAuthProvider()
};
app.UseGoogleAuthentication(googleAuthOptions);
app.Use(async (Context, next) =>{await next.Invoke();});
app.UseKentorAuthServicesAuthentication(CreateSAMLAuthServicesOptions());
app.Use(async (Context, next) =>{await next.Invoke();});
}
Here are the Kentor logs (no errors in the logs):
DEBUG 2018-12-28 14:02:32,682 8859ms emv-authService-logger MoveNext - Received unsolicited Saml Response _t0r6DHtsGygxkYcfNzdkEs72.M which is allowed for idp abb:one:saml20:idp
DEBUG 2018-12-28 14:02:32,729 8906ms emv-authService-logger MoveNext - Signature validation passed for Saml Response _t0r6DHtsGygxkYcfNzdkEs72.M
DEBUG 2018-12-28 14:02:32,729 8906ms emv-authService-logger MoveNext - Extracted SAML assertion oN4v.k9x2GE7s5S8OdeNWS.93j9
DEBUG 2018-12-28 14:02:32,729 8906ms emv-authService-logger MoveNext - Validated conditions for SAML2 Response _t0r6DHtsGygxkYcfNzdkEs72.M
INFO 2018-12-28 14:02:32,729 8906ms emv-authService-logger ProcessResponse - Successfully processed SAML response _t0r6DHtsGygxkYcfNzdkEs72.M and authenticated 10035094
Finally my redirect method:
[OverrideAuthentication]
[HostAuthentication(DefaultAuthenticationTypes.ApplicationCookie)]
[AllowAnonymous]
[Route("UnsolicitedExternalLogin", Name = "UnsolicitedExternalLogin")]
public async void GetUnsolicitedExternalLogin()
{
bool isAuthenticated = User.Identity.IsAuthenticated; //getting false
}
I have unfortunately been stuck with this problem for a week now. I'm sure this is really close to getting done, so any help would be greatly appreciated.
Thanks!
Looking at the code, I think that there is a mismatch on authentication schemes.
In the pipeline setup, a cookie middleware for the external authentication scheme is setup. But in the GetUnsolicitedExternalLogin method, the ApplicationCookie scheme is referenced. Change it to reference the external scheme instead.
It is also a good idea to check if the redirect from ~/AuthServices/Acs to GetUnsolicitedExternalLogin sets an external authentication cookie.
ThingsService is a webservice interface generated by jax-ws (stripped of annotations for the sake of brevity). There is one parameter-less method:
public interface ThingsService {
AvailableThingsResponse getAvailableThings();
}
Trying to call the no-parameters operation from a Camel route using CXF like this:
from("timer:start?fixedRate=true")
.setHeader(CxfConstants.OPERATION_NAME, constant("getAvailableThings")
.to("cxf:http://localhost:8080/services/things"
+ "?serviceClass=" + ThingsService.class.getName());
causes Camel to barf when calling the endpoint:
java.lang.IllegalArgumentException: Get the wrong
parameter size to invoke the out service, Expect size 0, Parameter
size 1. Please check if the message body matches the CXFEndpoint POJO
Dataformat request.
at org.apache.camel.component.cxf.CxfProducer.checkParameterSize(CxfProducer.java:283)
at org.apache.camel.component.cxf.CxfProducer.getParams(CxfProducer.java:321)
at org.apache.camel.component.cxf.CxfProducer.process(CxfProducer.java:131)
at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)
at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:542)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:197)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:120)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:197)
at org.apache.camel.component.timer.TimerConsumer.sendTimerExchange(TimerConsumer.java:192)
at org.apache.camel.component.timer.TimerConsumer$1.run(TimerConsumer.java:76)
at java.util.TimerThread.mainLoop(Timer.java:555)
at util.TimerThread.run(Timer.java:505)
The CXF endpoint is in POJO mode, exchange body being sent to the endpoint is null.
What's the proper way of calling a no-params WS operation from Camel route using CXF component?
Turns out that no-params is represented using an empty array:
from("timer:start?fixedRate=true")
.setHeader(CxfConstants.OPERATION_NAME, constant("getAvailableThings")
.transform().body(o -> new Object[0])
.to("cxf:http://localhost:8080/services/things"
+ "?serviceClass=" + ThingsService.class.getName());