WCF Security Resources

If you're building Web services or if you're implementing SOA on the Microsoft platform , then you're probably either working with or exploring WCF (Windows Communication Foundation.)   When we started our patterns & practices WCF Security Guidance project, one of the first things I did was compile a list of WCF security resources for our team.  This helped us quickly ramp up and as well as see gaps.  One thing that surprised me is how much is available in the product documentation, if you know where to look.  Here's a preliminary look at our WCF Security resources index which we'll include in our WCF Security Guide: 

Getting Started

• Microsoft
  MSDN Library - Fundamental Windows Communication Foundation Concepts
• MSDN Library – Windows Communication Foundation Security
• WCF Security Documentation

Community

• DevX.com - Fundamentals of WCF Security, by Michèle Leroux Bustamante
• Server Side - WCF Security Learning Guide ,by Brent Sheets

Articles

Microsoft

• MSDN Library - The .NET Developer's Guide to Identity, by Keith Brown
• MSDN Magazine - Identity - Secure Your ASP.NET Apps And WCF Services With Windows CardSpace by Michèle Leroux Bustamante
• MSDN Magazine - IIS 7.0 - Extend Your WCF Services Beyond HTTP With WAS by Dominick Baier, Christian Weyer, and Steve Maine
• MSDN Magazine - Security Briefs - Exploring Claims-Based Identity - Keith Brown
• MSDN Magazine - Security Briefs - Limited User Problems and Split Knowledge, By Keith Brown
• MSDN Magazine - Security Briefs - Security in Windows Communication Foundation, by Keith Brown
• MSDN Magazine - Service Station - WCF Messaging Fundamentals by Aaron Skonnard

Community

• DevX.com - Fundamentals of WCF Security, by Michèle Leroux Bustamante
• TheServerSide.NET - Building a Claims-Based Security Model in WCF, by Michele Leroux Bustamente
• TheServerSide.NET - Building a Claims-Based Security Model in WCF - Part 2, by Michele Leroux Bustamente
• TheServerSide.NET - Securing Your WCF Service, by William Tay
• TopXML - BizTalk and WCF: Part II, Security Patterns, by Richard Seroter

Blogs

Microsoft

• J.D. Meier
• Kim Cameron
• Kenny Wolf
• Nicholas Allen
• Ralph Squillace
• Steve Maine
• Tomasz Janczuk
• Vittorio Bertocci
• Wenlong Dong

Community

• Dominick Baier
• Keith Brown
• Michèle Leroux Bustamante
• Thomas Restrepo

Channel9

Podcasts

• ARCast - Secure, Reliable Transacted Messaging with WCF (Part 1)
• ARCast - Secure, Reliable Transacted Messaging with WCF (Part 2)

ARCast.TV

• ARCast.TV - WCF Session Behavior from Slovenia

Videos

• Vittorio Bertocci: WS-Trust - Under the Hood

Tags

• WCF tag

Documentation (MSDN Product Documentation)

Overview

• Architecture
• Concepts
• Distributed Application Security
• Overview
• Security Architecture
• Terminology

Guidance

• Best Practices
• Best Practices for Queued Communication
• Best Practices for Reliable Sessions

Scenarios

• Common Scenarios
• Identity Model Scenarios

Threats and Countermeasures

• Threats and Countermeasures

Topics

• Auditing
• Authentication
• Authorization
• Authorization Mechanisms
• Bindings and Security
• Claims-Based Authorization
• Configuration Schema - Configuration Schema
• Federation and Issued Tokens
• Hosting
• Impersonation and Delegation
• Impersonation with Transport Security
• Message Security in WCF
• Partial Trust
• Reliable Sessions Overview
• SAML Tokens and Claims
• Security Capabilities with Custom Bindings
• Secure Conversations and Secure Sessions
• Securing Services and Clients
• SSL
• Transport Security Overview
• X.509 Certificates

How Tos

• How to: Audit Windows Communication Foundation Security Events
• How to: Configure Credentials on a Federation Service
• How to: Configure a Local Issuer
• How to: Configure a Port with an SSL Certificate
• How to: Consistently Reference X.509 Certificates
• How to: Create a Custom Binding Using the SecurityBindingElement
• How to: Create a Federated Client
• How to: Create a Secure Session
• How to: Create a Security Token Service
• How to: Create a Stateful Security Context Token for a Secure Session
• How to: Create a Supporting Credential
• How to: Create Temporary Certificates for Use During Development
• How to: Create a WSFederationHttpBinding
• How to: Create a Custom Reliable Session Binding with HTTPS
• How to: Disable Encryption of Digital Signatures
• How to: Disable Secure Sessions on a WSFederationHttpBinding
• How to: Enable Message Replay Detection
• How to: Exchange Messages Within a Reliable Session
• How to: Impersonate a Client on a Service
• How to: Make X.509 Certificates Accessible to WCF
• How to: Obtain a Certificate (WCF)
• How to: Restrict Access with the PrincipalPermissionAttribute Class
• How to: Retrieve the Thumbprint of a Certificate
• How to: Secure Messages within Reliable Sessions
• How to: Secure a Service with Windows Credentials
• How to: Secure a Service with an X.509 Certificate
• How to: Set Up a Signature Confirmation
• How to: Set a Max Clock Skew
• How to: Specify the Certificate Authority Certificate Chain Used to Verify Signatures (WCF)
• How to: Use the ASP.NET Authorization Manager Role Provider with a Service
• How to: Use the ASP.NET Membership Provider
• How to: Use the ASP.NET Role Provider with a Service
• How to: Use a Custom User Name and Password Validator
• How to: Use Multiple Security Tokens of the Same Type
• How to: Use Transport Security and Message Credentials
• How to: View Certificates with the MMC Snap-in

Guides

Community

• dasblonde.net - WCF Security Fundamentals, by Michèle Leroux Bustamante
• Server Side - WCF Security Learning Guide, by Brent Sheets

Posts

Microsoft

• Alexander Strauss   - WCF - Let's Start The Dialogue
• Alik Levine  - How To Consume WCF Using AJAX Without ASP.NET

Community

• Dominick Baier  - Using IdentityModel: Authorization Policies, Context and Claims Transformation
• Dominick Baier  - Using IdentityModel: Creating Custom Claim Sets
• Dominick Baier  - Using IdentityModel: Typical Operations on Claim Sets
• Dominick Baier  - Using IdentityModel: Windows and X509Certificate Claim Sets
• Dominick Baier  - Using IdentityModel: Inspecting Claim Sets
• Dominick Baier  - Using IdentityModel: Claim Sets
• Dominick Baier  - Using IdentityModel: Claims
• Dominick Baier  - Be careful with ServiceAuthorizationManager.CheckAccess()
• Dominick Baier  - UserName SupportingToken in WCF
• Paolo Pialorsi - WCF Custom Authentication and Impersonation
• Tomas Restrepo  - WCF Configuration Complexity

patterns & practices

• WCF Security Guidance Package

Product Support Services (PSS)

• WCF Troubleshooting Quickstart

Samples

Microsoft

• Basic Windows Communication Foundation Technology Samples
• Windows Communication Foundation Samples

Community

• WCF Security Full Demo 

Videos

• MSDN TV - Windows Communication Foundation Bindings and Channels by Clemens Vastor
• MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 10 of 15): Security Fundamentals (Level 200)

Web Casts

MSDN Support WebCasts

• MSDN Support WebCast: Building distributed services on the Windows Communication Foundation

Comments

• Anonymous
  May 23, 2008
  when you collect gold nuggets it becomes true treasure. Thanks for sharing this awesome collection alikl

• Anonymous
  May 25, 2008
  The comment has been removed

• Anonymous
  May 27, 2008
  Thanks for the kind words Alik!

• Anonymous
  June 04, 2008
  The key to making principles, patterns, and practices more effective is to have an organizing frame.

• Anonymous
  July 30, 2008
  WCF Security Resources http://blogs.msdn.com/jmeier/archive/2008/05/23/wcf-security-resources.aspx

• Anonymous
  October 28, 2008
  为了和大家分享，今天申请了个账号,把手头刚找到的wcf资料与大家分享！ 这个页面讲不断完善更新！

• Anonymous
  December 02, 2008
  The comment has been removed