
WCF: Federating WCF with WIF

Ask:

How do we federate a WCF service via WIF?

Traditional approach:

For a normal web app or MVC app, we follow the FedAuth cookie concept.

Client -> Federated Application: the client is redirected to the STS.

Client -> STS: the client authenticates and gets its claims.

Client -> Federated Application: the application validates the claims and issues a FedAuth cookie.

Client -> Federated Application: this time the call is made with the FedAuth cookie and the federated application serves the request.

Approach for WCF Service:

A federated WCF service uses ws2007FederationHttpBinding by default.

This is a special binding designed to federate a WCF service. However, it does not work on the traditional approach above; it works on the WCF message security principle instead.

Client -> Federated Application: the client is redirected to the STS.

Client -> STS: the client performs security negotiation to obtain an SCT (Security Context Token) via the RST/Issue action.

Client (using the SCT and the claims received from the STS) -> Federated Application: here the claims can be checked.

[Screenshot: WCF trace of the client's calls to the federated service]

In the screen above we can see that only one RST/Issue (SCT) call is made between the two calls to the GetData() method. This is because WCF federation works by reusing the WCF channel, i.e. the SCT negotiated with the STS. There is no FedAuth cookie, because WCF federation is entirely based on the message security protocol.

https://msdn.microsoft.com/en-us/library/bb675187(v=vs.110).aspx

WS2007FederationHttpBinding only supports message-level security. Its message security element exposes the following attributes:

algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"

defaultProtectionLevel="None/Sign/EncryptAndSign"

issuedTokenType="string"

issuedKeyType="SymmetricKey/PublicKey"
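The following is an added example, not code from the original post or its sample: it shows the client side of the flow described above (token type, key type and algorithm suite set programmatically instead of in config, the ADFS windowstransport endpoint from the post as issuer, and the single SCT negotiation that is reused across two GetData() calls) together with the claim check the federated service can make once the SAML token has been validated. The contract IService1 and the GetData operation are taken from the post's service reference; the relying party address, the role claim value and the choice of SAML 2.0 as token type are assumptions.

```csharp
// Added example (not the post's own code). Assumed: SAML 2.0 issued token,
// a hypothetical "DataReaders" role claim, and a relying party address passed in.
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string GetData(int value);
}

public static class FederatedClient
{
    public static WS2007FederationHttpBinding CreateBinding()
    {
        // Message security only: the issued token and the SCT travel inside the
        // SOAP message; there is no FedAuth cookie at the transport level.
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);

        // Programmatic equivalent of issuedTokenType / issuedKeyType / algorithmSuite.
        binding.Security.Message.IssuedTokenType =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"; // assumed
        binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256;

        // true (the default) is what produces the single RST/Issue (SCT) exchange in
        // the trace; later calls on the same channel reuse the negotiated context.
        binding.Security.Message.EstablishSecurityContext = true;

        // Issuer: the ADFS WS-Trust 1.3 windowstransport endpoint named in the post,
        // reached over transport security with the caller's Windows credentials.
        binding.Security.Message.IssuerAddress = new EndpointAddress(
            "https://adfs.contoso.com/adfs/services/trust/13/windowstransport");
        var issuerBinding = new WS2007HttpBinding(SecurityMode.Transport);
        issuerBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.Security.Message.IssuerBinding = issuerBinding;

        return binding;
    }

    // relyingPartyAddress is assumed, e.g. "https://rp.contoso.com/Service1.svc".
    public static string CallGetDataTwice(string relyingPartyAddress)
    {
        var factory = new ChannelFactory<IService1>(CreateBinding(), new EndpointAddress(relyingPartyAddress));
        IService1 channel = factory.CreateChannel();
        try
        {
            // First call: RST/Issue to ADFS, then SCT negotiation with the service.
            // Second call: reuses the established channel, so no second RST appears.
            string first = channel.GetData(1);
            string second = channel.GetData(2);
            ((IClientChannel)channel).Close();
            factory.Close();
            return first + " | " + second;
        }
        catch
        {
            ((IClientChannel)channel).Abort();
            factory.Abort();
            throw;
        }
    }
}

// Service side (.NET 4.5, where WIF is built in). Requires the host to be
// configured with <serviceCredentials useIdentityConfiguration="true"> plus the
// audienceUris / issuerNameRegistry settings shown in the linked blog, so that
// the SAML token is validated and its claims surface as a ClaimsPrincipal.
public class Service1 : IService1
{
    public string GetData(int value)
    {
        ClaimsPrincipal principal = OperationContext.Current.ClaimsPrincipal;

        // Authorize on the claims issued by the STS, not on the transport identity.
        if (principal == null || !principal.HasClaim(ClaimTypes.Role, "DataReaders")) // role is assumed
        {
            throw new FaultException("Caller does not carry the required role claim.");
        }
        return string.Format("You entered: {0} (caller: {1})", value, principal.Identity.Name);
    }
}
```

Because EstablishSecurityContext is left at true, the WCF trace for CallGetDataTwice shows exactly one RST/Issue to the STS followed by one SCT negotiation with the service, then two GetData messages secured under that context; setting it to false would make every call carry the full issued token instead.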

In the screenshot below we can see the client performing message security negotiation with the ADFS STS, not with the federated WCF application itself:

[Screenshot: WCF trace of the RST/Issue exchange between the client and the ADFS STS]

Note, however, that the Body contains the actual address of the federated WCF application, in other words our relying party address (the AppliesTo element of the RST).

Once negotiation completes, the client receives the SAML assertion token from ADFS or from our custom STS.

[Screenshot: RSTR from the STS carrying the SAML assertion]

Once received, the client can present the claims, together with the SCT negotiated with the ADFS STS, to the federated WCF application.

[Screenshot: WCF trace of the secured call to the federated application]

Unfortunately, WCF tracing truncates the claims, so we cannot see them in the trace. However, we can clearly see the SAML assertion ID.

A simple WCF-WIF federation sample can be created by following this blog: https://blogs.msdn.microsoft.com/napegadie_kones_msft_blog/2015/02/09/claims-aware-wcf-using-wif-in-net-4-5/

Client application configuration (caller of the federated WCF service). The element names were lost when the page was extracted; they are restored here from the attributes and values that survived, and the two addresses that did not survive are left as placeholders:

<system.serviceModel>
  <diagnostics>
    <messageLogging logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
  </diagnostics>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="WS2007FederationHttpBinding_IService1">
        <security mode="Message">
          <message>
            <!-- issuer address not shown in the original; bindingConfiguration value is as shown there -->
            <issuer address="[ADFS issuer address]" binding="wsHttpBinding"
                    bindingConfiguration="https://adfs.contoso.com/adfs/services/trust/13/windowstransport" />
            <tokenRequestParameters>
              <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                <trust:KeySize>256</trust:KeySize>
                <trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                <trust:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
              </trust:SecondaryParameters>
            </tokenRequestParameters>
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>
  <client>
    <!-- service (relying party) address not shown in the original -->
    <endpoint address="[federated service address]"
              binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IService1"
              contract="ServiceReference1.IService1" name="WS2007FederationHttpBinding_IService1" />
  </client>
</system.serviceModel>

WCF Federated Service configuration:

Sample Application:

https://1drv.ms/f/s!ArgnWb8iHXB6gqYXvg53egkGHFxdvw
