Claims aware Wcf service that consumes a custom STS

 

I thought of creating a step by step document on how to enable a WCF claims base that authenticates user through a custom STS.

 

 

Custom STS creation:

1- Open Visual Studio and choose File à New à Web Sites

2- Select “WCF Security Token Service” from the “New Web Site” windows

clip_image001

VS will automatically generate an STS which is also hosted in IIS.

There is an entry in the associated web.config which I would like to outline:

 

<appSettings>

    <add key="IssuerName" value="ActiveSTS"/>

    <add key="SigningCertificateName" value="CN=STSTestCert"/>

    <add key="EncryptingCertificateName" value="CN=DefaultApplicationCertificate"/>

  </appSettings>

 

  In the above entries, the custom STS will use STSTestCert Certificate to sign the user token.

  Likewise, DefaultApplicationCertificate will be used to encrypt the user token.

  As I had my own cert, I made the following changes:

 

<appSettings>

           <add key="IssuerName" value="ActiveSTS"/>

          <add key="SigningCertificateName" value="CN=STSTestCert"/>

           <add key="EncryptingCertificateName" value="CN=localhost"/>

       </appSettings>

 

The remaining configuration can stay unchanged.

 

WCF service creation:

1- Create the claims aware WCF service

clip_image002

2- Right click on the WCF project and select “Add STS reference” from the menu

clip_image003

3- Verify that the path to the web.config is correct and pasted in the WCF url in “Application URI” combo box

clip_image004

4- Just click next

clip_image005

5- Choose “Use an existing STS” and paste in the STS metadata url in the “STS WS-Federation metadata document location” text box.

clip_image006

6- We would like to encrypt the claims token. Click on “Select an existing certificate from store” if you already possess one.

Otherwise, choose “Generate a default certificate” to get a self-sign cert which is only good for testing purpose.

clip_image007

7- Click next as the windows below just shows the default claims that will be serviced to the customer.

clip_image008

8- Click next and terminate.

 

The config file in the wcf service will be updated. Below is how mine looked like:

 

   1 <system.serviceModel>
  2 
  3     <services>
  4 
  5       <service name="ClaimsAwareWcf.Service" behaviorConfiguration="ClaimsAwareWcf.ServiceBehavior">
  6 
  7         <endpoint address="" binding="ws2007FederationHttpBinding"
  8 
  9 contract="ClaimsAwareWcf.IService" bindingConfiguration="ClaimsAwareWcf.IService_ws2007FederationHttpBinding" />
 10 
 11       </service>
 12 
 13     </services>
 14 
 15     <behaviors>
 16 
 17       <serviceBehaviors>
 18 
 19         <behavior name="ClaimsAwareWcf.ServiceBehavior">
 20 
 21           <federatedServiceHostConfiguration name="ClaimsAwareWcf.Service" />
 22 
 23           <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
 24 
 25           <serviceDebug includeExceptionDetailInFaults="false" />
 26 
 27          <serviceCredentials>
 28 
 29             <serviceCertificate findValue="7b2a501d8fe488c7b03f53e569081763d1326abc" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />   <-------------------- This cert matches localhost cert in STS
 30 
 31           </serviceCredentials>
 32 
 33         </behavior>
 34 
 35       </serviceBehaviors>
 36 
 37     </behaviors>
 38 
 39     <extensions>
 40 
 41       <behaviorExtensions>
 42 
 43         <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
 44 
 45       </behaviorExtensions>
 46 
 47     </extensions>
 48 
 49     <bindings>
 50 
 51       <ws2007FederationHttpBinding>
 52 
 53         <binding name="ClaimsAwareWcf.IService_ws2007FederationHttpBinding">
 54 
 55          <security mode="TransportWithMessageCredential">
 56 
 57             <message>
 58 
 59               <issuerMetadata address="https://nape-lab/Test/ClaimsKevinSTS/Service.svc/mex" />
 60 
 61               <issuer address="https://nape-lab/Test/ClaimsKevinSTS/Service.svc" />
 62 
 63               <claimTypeRequirements>
 64 
 65                 <add claimType="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
 66 
 67                 <add claimType="https://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
 68 
 69               </claimTypeRequirements>
 70 
 71             </message>
 72 
 73           </security>
 74 
 75         </binding>
 76 
 77       </ws2007FederationHttpBinding>
 78 
 79     </bindings>
 80 
 81   </system.serviceModel>
 82 
 83   <microsoft.identityModel>
 84 
 85     <service name="ClaimsAwareWcf.Service">
 86 
 87       <audienceUris>
 88 
 89         <add value="https://nape-lab/Test/ClaimsAwareWcf/Service.svc" />
 90 
 91       </audienceUris>
 92 
 93       <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
 94 
 95         <trustedIssuers>
 96 
 97           <add thumbprint="C2E209589102D975A2807CA5D50BFC65FD67FEB5" <--------------------------------------- This cert matches the STSTestCert cert in STS
 98 
 99 name="https://nape-lab/Test/ClaimsKevinSTS/Service.svc" />
100 
101         </trustedIssuers>
102 
103       </issuerNameRegistry>
104 
105     </service>
106 
107   </microsoft.identityModel>
108 
109 
110 
111 

WCF client creation:

 

In order to create a WCF client, you will need to Add a Service Reference to your client project.

This will generate new tags in your config file.

You can modify them as follows:

 

Config file:

  1 <configuration>
 2 
 3     <system.serviceModel>
 4 
 5         <bindings>
 6 
 7             <ws2007FederationHttpBinding>
 8 
 9                 <binding name="WS2007FederationHttpBinding_IService">
10 
11                     <security mode="TransportWithMessageCredential">
12 
13                         <message>
14 
15                             <issuer address="https://nape-lab/Test/ClaimsKevinSTS/Service.svc/IWSTrust13"
16 
17 binding="ws2007HttpBinding" bindingConfiguration="ws2007" />
18 
19                             <issuerMetadata address="https://nape-lab/Test/ClaimsKevinSTS/Service.svc/mex" />
20 
21                             <tokenRequestParameters>
22 
23                                 <trust:SecondaryParameters xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">
24 
25                                     <trust:KeyType xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">https://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
26 
27                                     <trust:KeySize xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
28 
29                                     <trust:Claims Dialect="https://schemas.xmlsoap.org/ws/2005/05/identity"
30 
31 xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">
32 
33                                         <wsid:ClaimType Uri="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
34 
35 Optional="true" xmlns:wsid="https://schemas.xmlsoap.org/ws/2005/05/identity" />
36 
37                                         <wsid:ClaimType Uri="https://schemas.microsoft.com/ws/2008/06/identity/claims/role"
38 
39 Optional="true" xmlns:wsid="https://schemas.xmlsoap.org/ws/2005/05/identity" />
40 
41                                     </trust:Claims>
42 
43                                     <trust:KeyWrapAlgorithm xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">https://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
44 
45                                     <trust:EncryptWith xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">https://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
46 
47                                     <trust:SignWith xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">https://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
48 
49                                     <trust:CanonicalizationAlgorithm xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">https://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
50 
51                                     <trust:EncryptionAlgorithm xmlns:trust="https://docs.oasis-open.org/ws-sx/ws-trust/200512">https://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
52 
53                                 </trust:SecondaryParameters>
54 
55                             </tokenRequestParameters>
56 
57                         </message>
58 
59                     </security>
60 
61                 </binding>
62 
63             </ws2007FederationHttpBinding>
64 
65           <ws2007HttpBinding>
66 
67             <binding name="ws2007">
68 
69               <security mode="Message">
70 
71                 <message establishSecurityContext="false" />
72 
73               </security>
74 
75             </binding>
76 
77           </ws2007HttpBinding>
78 
79         </bindings>
80 
81         <client>
82 
83             <endpoint address="https://nape-lab/Test/ClaimsAwareWcf/Service.svc"
84 
85 binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IService"
86 
87 contract="ServiceClaimsRef.IService" name="WS2007FederationHttpBinding_IService" />
88 
89         </client>
90 
91     </system.serviceModel>
92 
93 </configuration>
94 
95 

 

Calling the service:

  1 static void Main(string[] args)
 2 
 3         {
 4 
 5                ServiceClient proxy = new ServiceClient();
 6 
 7                Console.WriteLine(proxy.GetData(20));
 8 
 9                Console.ReadKey();
10 
11         }
12