Step 1: Adding the reference to Microsoft.IdentityModel.dll
Add a reference to Microsoft.IdentityModel.dll in the WCF application.
Step 2: Adding the microsoft.identityModel configuration section
Register the microsoft.identityModel config section in the WCF application's web.config file:
<configSections>
  ....
  <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  ....
</configSections>
Step 3: Adding the microsoft.identityModel section to web.config
Add the following section to the WCF application's web.config file, inside the configuration element:
<microsoft.identityModel>
  <service>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add name="CN=UCP Authorization Service" thumbprint="72071a7a2b933bd5b73bbb4b026c575ccb2d2ca4"/>
      </trustedIssuers>
    </issuerNameRegistry>
    <securityTokenHandlers>
      <remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <samlSecurityTokenRequirement audienceUriMode="Never">
          <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>
          <roleClaimType value="http://schemas.troxo.com/ucp/2009/04/ucpcore/claims/groups"/>
        </samlSecurityTokenRequirement>
      </add>
    </securityTokenHandlers>
  </service>
</microsoft.identityModel>
Change the following properties in the above example:
XML SECTION | PROPERTY | DESCRIPTION | EXAMPLE |
issuerNameRegistry -> trustedIssuers | name | CN value of the trusted application that issued the token | CN=UCP Authorization Service |
issuerNameRegistry -> trustedIssuers | thumbprint | Thumbprint of the certificate of the trusted application that issued the token | 72071a7a2b933bd5b73bbb4b026c575ccb2d2ca4 |
securityTokenHandlers | type | The class (with assembly info) that handles the STS token | Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 |
securityTokenHandlers -> samlSecurityTokenRequirement | nameClaimType, roleClaimTypes | List of claims that are contained in the token | <nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/> <roleClaimTypes> <add value="http://schemas.troxo.com/ucp/2009/04/ucpcore/claims/groups"/> </roleClaimTypes> |
Step 4: Adding a new service section to web.config
Add the following to the WCF application's web.config file, inside the <system.serviceModel> section:
<services>
  <service behaviorConfiguration="UCPAuthPrototype.TestService.CoreServiceBehavior" name="UCPAuthPrototype.TestService.CoreService">
    <endpoint address="" binding="wsFederationHttpBinding" contract="UCPAuthPrototype.TestService.ICoreService" bindingConfiguration="STSBindingConfiguration">
    </endpoint>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    <host>
      <baseAddresses>
        <add baseAddress="http://localhost:8700/CoreService/" />
      </baseAddresses>
    </host>
  </service>
</services>
<bindings>
  <wsFederationHttpBinding>
    <binding name="STSBindingConfiguration">
      <security mode="Message">
        <message issuedKeyType="SymmetricKey" issuedTokenType="">
          <claimTypeRequirements>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/>
            <add claimType="http://schemas.microsoft.com/ws/2006/04/identity/claims/role" isOptional="true"/>
          </claimTypeRequirements>
          <issuer address="http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/cert/" />
          <issuerMetadata address="http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/mex" />
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="UCPAuthPrototype.TestService.CoreServiceBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="None"/>
      <serviceCredentials>
        <issuedTokenAuthentication allowUntrustedRsaIssuers="false" certificateValidationMode="PeerTrust" audienceUriMode="Never" revocationMode="Online" trustedStoreLocation="LocalMachine">
          <knownCertificates>
            <add findValue="UCP Authorization Service" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
          </knownCertificates>
        </issuedTokenAuthentication>
        <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="UCP Core"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
Let's explain the services, bindings and behaviors sections separately, starting with the bindings section:
<bindings>
  <wsFederationHttpBinding>
    <binding name="STSBindingConfiguration">
      <security mode="Message">
        <message issuedKeyType="SymmetricKey" issuedTokenType="">
          <claimTypeRequirements>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/>
            <add claimType="http://schemas.microsoft.com/ws/2006/04/identity/claims/role" isOptional="true"/>
          </claimTypeRequirements>
          <issuer address="http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/cert/" />
          <issuerMetadata address="http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/mex" />
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>
</bindings>
The binding defines how the WCF service and the web application that wants to use it communicate. The bindings element holds a collection of standard and custom bindings, each identified by its name. Here the communication goes through wsFederationHttpBinding, a binding that supports WS-Federation: the client presents a security token issued by the STS instead of its own credentials.
These are the settings that can be changed in the above section:
XML SECTION | PROPERTY | DESCRIPTION | EXAMPLE |
wsFederationHttpBinding -> binding | name | Binding identifier | STSBindingConfiguration |
message | claimTypeRequirements | The list of claims the web application needs to provide in order to use the WCF service (isOptional="false" makes a claim mandatory) | <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/> <add claimType="http://schemas.microsoft.com/ws/2006/04/identity/claims/role" isOptional="true"/> |
message -> issuer | address | The address of the STS from which the web application obtains the claims | http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/cert/ |
message -> issuerMetadata | address | The address of the STS's metadata endpoint | http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/mex |
The behaviors section defines behavior elements consumed by services. Each behavior element is identified by its unique name attribute.
<behaviors>
  <serviceBehaviors>
    <behavior name="UCPAuthPrototype.TestService.CoreServiceBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="None"/>
      <serviceCredentials>
        <issuedTokenAuthentication allowUntrustedRsaIssuers="false" certificateValidationMode="PeerTrust" audienceUriMode="Never" revocationMode="Online" trustedStoreLocation="LocalMachine">
          <knownCertificates>
            <add findValue="UCP Authorization Service" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
          </knownCertificates>
        </issuedTokenAuthentication>
        <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="UCP Core"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
We can customize these settings:
XML SECTION | PROPERTY | DESCRIPTION | EXAMPLE |
serviceBehaviors -> behavior | name | Behavior identifier | UCPAuthPrototype.TestService.CoreServiceBehavior |
issuedTokenAuthentication -> knownCertificates | findValue | A string that locates, in the X.509 certificate store, the certificate the STS uses for signing and encrypting the tokens it issues to the web application (so the WCF service can authenticate the web application) | UCP Authorization Service |
serviceCertificate | findValue | A string that locates, in the X.509 certificate store, the certificate used for signing and encrypting messages from the web application to the WCF service | UCP Core |
Finally, the service section contains the settings for a Windows Communication Foundation (WCF) service. It also contains the endpoints that expose the service.
<service behaviorConfiguration="UCPAuthPrototype.TestService.CoreServiceBehavior" name="UCPAuthPrototype.TestService.CoreService">
  <endpoint address="" binding="wsFederationHttpBinding" contract="UCPAuthPrototype.TestService.ICoreService" bindingConfiguration="STSBindingConfiguration">
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  <host>
    <baseAddresses>
      <add baseAddress="http://localhost:8700/CoreService/" />
    </baseAddresses>
  </host>
</service>
These settings need to be customized so the service uses the binding and behavior defined above:
XML SECTION | PROPERTY | DESCRIPTION | EXAMPLE |
service | name | Specifies the type of the service to be instantiated. The format should be Namespace.Class. | UCPAuthPrototype.TestService.CoreService |
service | behaviorConfiguration | A string containing the name of the behavior to be used to instantiate the service | UCPAuthPrototype.TestService.CoreServiceBehavior |
host | baseAddress | A string that specifies a base address used by the service host | http://localhost:8700/CoreService/ |
endpoint | binding | Specifies the type of binding to use | wsFederationHttpBinding |
endpoint | bindingConfiguration | A string that specifies the name of the binding to use when the endpoint is instantiated | STSBindingConfiguration |
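The two sections above (Step 3's microsoft.identityModel section and Step 4's system.serviceModel section) carry a handful of values that decide which tokens this service accepts, and the sample values are development settings: audienceUriMode="Never" in both samlSecurityTokenRequirement and issuedTokenAuthentication turns off the SAML audience-restriction check, and includeExceptionDetailInFaults="true" returns exception details to callers. The trusted issuer thumbprint is also a frequent source of "issuer not trusted" faults when it is pasted from the Windows certificate dialog with spaces or an invisible left-to-right mark. The following Python script is an added example, not code from the original page or from the UCP/Atomia project; it reads a web.config, normalizes the trusted issuer thumbprints and reports those settings. The embedded web.config is a constructed sample assembled from the fragments on this page, trimmed to the elements the checks use.

```python
"""Lint the security-relevant settings in a WIF/WCF web.config.

Added example, not part of the original page or of the UCP/Atomia project.
Runs offline over a constructed sample assembled from the page's fragments.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Step 3 and Step 4 fragments from the page, trimmed to
# the elements and attributes the checks below look at.
SAMPLE_WEB_CONFIG = """<configuration>
  <microsoft.identityModel>
    <service>
      <issuerNameRegistry>
        <trustedIssuers>
          <add name="CN=UCP Authorization Service"
               thumbprint="72071a7a2b933bd5b73bbb4b026c575ccb2d2ca4"/>
        </trustedIssuers>
      </issuerNameRegistry>
      <securityTokenHandlers>
        <add>
          <samlSecurityTokenRequirement audienceUriMode="Never"/>
        </add>
      </securityTokenHandlers>
    </service>
  </microsoft.identityModel>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="UCPAuthPrototype.TestService.CoreServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <issuedTokenAuthentication allowUntrustedRsaIssuers="false"
                certificateValidationMode="PeerTrust" audienceUriMode="Never"
                revocationMode="Online" trustedStoreLocation="LocalMachine"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""

# Characters the Windows certificate dialog adds when a thumbprint is copied
# out of it: spaces between byte pairs and an invisible left-to-right mark.
NOISE = re.compile(r"[\s\u200e\u200f]")
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_thumbprint(raw):
    """Return the thumbprint as 40 lower-case hex digits, or None if it is
    not a valid SHA-1 thumbprint once the copy-paste noise is removed."""
    cleaned = NOISE.sub("", raw).lower()
    return cleaned if HEX40.match(cleaned) else None


def lint_web_config(xml_text):
    """Return a list of (severity, element, message) findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # WIF maps the token's signing certificate to a trusted issuer by SHA-1
    # thumbprint; a malformed value matches no issuer, so every token is
    # rejected, which usually surfaces as a vague "issuer not trusted" fault.
    for issuers in root.iter("trustedIssuers"):
        for issuer in issuers.findall("add"):
            raw = issuer.get("thumbprint", "")
            where = "trustedIssuers/add[@name=%r]" % issuer.get("name")
            if normalize_thumbprint(raw) is None:
                findings.append(("error", where, "thumbprint is not 40 hex digits: %r" % raw))
            elif NOISE.search(raw):
                findings.append(("warn", where, "thumbprint contains spaces or hidden characters"))

    # audienceUriMode="Never" switches off the SAML AudienceRestriction check in
    # both the WIF handler and the WCF issued-token authenticator, so a token the
    # STS issued for a different relying party is accepted by this service too.
    for tag in ("samlSecurityTokenRequirement", "issuedTokenAuthentication"):
        for el in root.iter(tag):
            if el.get("audienceUriMode", "").lower() == "never":
                findings.append(("warn", tag, 'audienceUriMode="Never": audience restriction '
                                 'is not enforced; use "Always" and list this service under audienceUris'))

    # Only issuers whose certificate is listed in knownCertificates should be accepted.
    for el in root.iter("issuedTokenAuthentication"):
        if el.get("allowUntrustedRsaIssuers", "false").lower() == "true":
            findings.append(("error", "issuedTokenAuthentication",
                             'allowUntrustedRsaIssuers="true": tokens from any RSA key are accepted'))

    # Exception details in faults hand stack traces and internal paths to callers.
    for el in root.iter("serviceDebug"):
        if el.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.append(("warn", "serviceDebug",
                             'includeExceptionDetailInFaults="true": disable outside development'))
    return findings


if __name__ == "__main__":
    for severity, element, message in lint_web_config(SAMPLE_WEB_CONFIG):
        print("%-5s %s: %s" % (severity, element, message))
```

Run it against the real web.config by replacing SAMPLE_WEB_CONFIG with the file contents; on the page's sample it reports the two audienceUriMode warnings and the serviceDebug warning and no thumbprint problem. The thumbprint normalization deliberately lower-cases and strips noise rather than rejecting it, so the cleaned value can be pasted back into the config unchanged.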