Hi,

I am trying to achieve the following:

1. Client calls an STS.
2. STS returns a saml token
3. The client calls any service providing the token.

For steps 1 and 2, I use regular WCF, nothing special, just serializing the saml token returned from the STS.


For step 3 I use client/service credentials, token manager, token serializer, authorization policy etc...
With step 3 I am trying to achieve:
1. The client sends the token he got from the STS
2. The service gets the token via the authorization context

What is the best way to achieve this?

One more thing: How do I apply the token parameter to an existing binding using the config? In other words, how do I make the following code but via the config (I can't use coding):


using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Builds the binding in code; the question is how to express the same thing in config.
static Binding CreateBinding()
{
    HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();

    // the message security binding element will be configured to require a credit card
    // token that is encrypted with the service's certificate
    SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
    messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters());

    // the service certificate is never sent on the wire; the client must already hold it
    X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
    x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never;
    messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;

    return new CustomBinding(messageSecurity, httpTransport);
}


I am using .NET 3.5, cannot use WIF. Unfortunately, I cannot use federation, this is not an option as the service is peer-to-peer and the federation bindings are client server.
Updated 23-Aug-10 23:05pm
Comments
Keith Barrow 24-Aug-10 5:06am
Edit: Some minor formatting changes and added "Unfortunately, I cannot use federation, this is not an option as the service is peer-to-peer and the federation bindings are client server."

Don't call the STS directly from the client, it's the server's security, so the server must define trusted STSs. This is done through federation in the config.

The client negotiates contacting the STS in an initial call to the WCF Service, it then uses a protocol called spNego to get the Claims from the STS. It does this each time you call the service, if you don't keep a conversation going (or fudge a cache).

Things might have changed since WIF went live, but a guy called Cibrax was the person to listen to a couple of years ago for all things STS:
WCF Binding in STS Scenarios
Thanks Keith.
Unfortunately, I cannot use federation, this is not an option.

I am not concerned about interaction with the STS, I am concerned about the client service interaction.

Can you please help me with determining how to implement the following code via a config file (rather than hard coding):
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();

// the message security binding element will be configured to require a credit card
// token that is encrypted with the service's certificate
SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters());
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never;
messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
return new CustomBinding(messageSecurity, httpTransport);
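One way to express the binding above (the same code appears in the original question) from config rather than hard-coding it, written as an added example for this thread and not taken from the posts or the WCF SDK samples: a BindingElementExtensionElement registered under bindingElementExtensions, which lets a customBinding element in app.config produce the SymmetricSecurityBindingElement. SupportingTokenSecurityElement and the names in the config comment are placeholders, and CreditCardTokenParameters is assumed to be the custom token parameters class already used in the snippet.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Security.Tokens;

// Hypothetical config element; CreditCardTokenParameters is the custom token
// parameters class from the snippet above and is assumed to exist in the project.
public class SupportingTokenSecurityElement : BindingElementExtensionElement
{
    // Tells the <customBinding> parser which binding element this element creates.
    public override Type BindingElementType
    {
        get { return typeof(SymmetricSecurityBindingElement); }
    }

    // Same binding element the hard-coded snippet builds, now created from config.
    protected override BindingElement CreateBindingElement()
    {
        SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
        // the custom token is a signed and encrypted endpoint supporting token
        messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(
            new CreditCardTokenParameters());
        // service certificate is never sent; the client must hold it out of band
        X509SecurityTokenParameters x509 = new X509SecurityTokenParameters();
        x509.InclusionMode = SecurityTokenInclusionMode.Never;
        messageSecurity.ProtectionTokenParameters = x509;
        return messageSecurity;
    }
}

/* Register the element and list it in the custom binding instead of hard-coding it
   (assembly, namespace and element names are placeholders):
<system.serviceModel>
  <extensions>
    <bindingElementExtensions>
      <add name="supportingTokenSecurity"
           type="MyNamespace.SupportingTokenSecurityElement, MyAssembly" />
    </bindingElementExtensions>
  </extensions>
  <bindings>
    <customBinding>
      <binding name="samlTokenBinding">
        <supportingTokenSecurity />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
</system.serviceModel>
*/
```

The element only builds the binding; the custom token's serializer and authenticator still come from the token manager that the client and service credentials supply, as listed in the question, and with InclusionMode.Never both sides must already hold the same service certificate.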
Comments
Keith Barrow 23-Aug-10 5:21am
I just need to ask why is this not an option? - The way I described is the way to do it, hand-rolling your calls is very complicated (I'm not even sure it's possible - the spNego protocol is/was closed) and setting up the trust relationship between the server and the STS isn't too bad.
Hi Keith,
Federation is one-way; we need a two-way connection over TCP.

Is it that complicated to pass a predefined token to a service using a custom binding?

In theory, I only need to send the token from the client to the service. The client already has the saml token.
Comments
Keith Barrow 24-Aug-10 4:58am
OK, I see why now. I tried to hand-roll Claims based security and had a terrible time. This was just as WCF was initially released, so resources were scarce. As more resources are available now YMMV.

The main problems are that, if you leave the spNego protocol/ federated trust relationship, the tokens are just passed as vanilla messages, they don't enter the security context of the client (forgive me if my terminology is a little off, I did this once a few years ago and it hasn't needed much maintenance :-) ), so applying an authorisation policy becomes impossible. Additionally, as the framework "unpacks" the vanilla STS token message into an object, it can't really be trusted as the client can alter it and it loses its signing and encryption.
If you have managed to issue the token *properly*, you *might* be able to get this working. Sorry I can't be more help, I've only federated client/server WCF services.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


