Atomia Identity

Configuring WCF to allow clients certificate based authentication

16 views 0

Step 1: Adding the reference to Microsoft.Identity.dll

Add the reference to Microsoft.Identity.dll in the WCF application.

Step 2: Adding the microsoft.Identity configuration

Add the microsoft.Identity config section in the WCF application’s web.config file:

<configSections>
....
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
....
</configSections>

Step 3: Adding a new configuration section to web.cofig

Add a new section in the WCF application’s web.config file within the configuration section:

<microsoft.identityModel>
<service>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add name="CN=UCP Authorization Service" thumbprint="72071a7a2b933bd5b73bbb4b026c575ccb2d2ca4"/>
</trustedIssuers>
</issuerNameRegistry>
<securityTokenHandlers>
<remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<samlSecurityTokenRequirement audienceUriMode="Never">
<nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>
<roleClaimType value="http://schemas.troxo.com/ucp/2009/04/ucpcore/claims/groups"/>
</samlSecurityTokenRequirement>
</add>
</securityTokenHandlers>
</service>
</microsoft.identityModel>

Change the following properties in the above example:

XML SECTION PROPERTY DESCRIPTION EXAMPLE
issuerNameRegistry -> trustedIssuer name CN value of the trusted application that issued the token CN=UCP Authorization Service
issuerNameRegistry -> trustedIssuer thumbprint Thumbprint of the certificate from the trusted application that issued the token 72071a7a2b933bd5b73bbb4b026c575ccb2d2ca4
securityTokenHandlers type The class(with assembly info) that is handling the STS token Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
securityTokenHandlers-> samlSecurityTokenRequirement nameClaimType ,roleClaimTypes List of claims that are contained in the token
<nameClaimType value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>
<roleClaimTypes>
<add value="http://schemas.troxo.com/ucp/2009/04/ucpcore/claims/groups"/>
</roleClaimTypes>

Step 4: Adding a new service section to web.config

Add a section in the WCF application’s web.config file within the <system.serviceModel> section:

&lt;services&gt;
&lt;service behaviorConfiguration=&quot;UCPAuthPrototype.TestService.CoreServiceBehavior&quot;
name=&quot;UCPAuthPrototype.TestService.CoreService&quot;&gt;
&lt;endpoint address=&quot;&quot; binding=&quot;wsFederationHttpBinding&quot; contract=&quot;UCPAuthPrototype.TestService.ICoreService&quot; bindingConfiguration=&quot;STSBindingConfiguration&quot;&gt;
&lt;/endpoint&gt;
&lt;endpoint address=&quot;mex&quot; binding=&quot;mexHttpBinding&quot; contract=&quot;IMetadataExchange&quot; /&gt;
&lt;host&gt;
&lt;baseAddresses&gt;
&lt;add baseAddress=&quot;http://localhost:8700/CoreService/&quot; /&gt;
&lt;/baseAddresses&gt;
&lt;/host&gt;
&lt;/service&gt;
&lt;/services&gt;
&lt;bindings&gt;
&lt;wsFederationHttpBinding&gt;
&lt;binding name=&quot;STSBindingConfiguration&quot;  &gt;
&lt;security mode=&quot;Message&quot;&gt;
&lt;message issuedKeyType=&quot;SymmetricKey&quot; issuedTokenType=&quot;&quot;&gt;
&lt;claimTypeRequirements&gt;
&lt;add claimType=&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name&quot; isOptional=&quot;false&quot;/&gt;
&lt;add claimType=&quot;http://schemas.microsoft.com/ws/2006/04/identity/claims/role&quot; isOptional=&quot;true&quot;/&gt;
&lt;/claimTypeRequirements&gt;
&lt;issuer address=&quot;http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/cert/&quot; /&gt;
&lt;issuerMetadata address=&quot;http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/mex&quot; /&gt;
&lt;/message&gt;
&lt;/security&gt;
&lt;/binding&gt;
&lt;/wsFederationHttpBinding&gt;
&lt;/bindings&gt;
&lt;behaviors&gt;
&lt;serviceBehaviors&gt;
&lt;behavior name=&quot;UCPAuthPrototype.TestService.CoreServiceBehavior&quot;&gt;
&lt;serviceMetadata httpGetEnabled=&quot;true&quot; /&gt;
&lt;serviceDebug includeExceptionDetailInFaults=&quot;true&quot; /&gt;
&lt;serviceAuthorization principalPermissionMode=&quot;None&quot;/&gt;
&lt;serviceCredentials&gt;
&lt;issuedTokenAuthentication allowUntrustedRsaIssuers=&quot;false&quot; certificateValidationMode=&quot;PeerTrust&quot;  audienceUriMode=&quot;Never&quot; revocationMode=&quot;Online&quot; trustedStoreLocation=&quot;LocalMachine&quot;&gt;
&lt;knownCertificates&gt;
&lt;add findValue=&quot;UCP Authorization Service&quot; storeLocation=&quot;LocalMachine&quot; storeName=&quot;TrustedPeople&quot; x509FindType=&quot;FindBySubjectName&quot;/&gt;
&lt;/knownCertificates&gt;
&lt;/issuedTokenAuthentication&gt;
&lt;serviceCertificate storeLocation=&quot;LocalMachine&quot; storeName=&quot;My&quot; x509FindType=&quot;FindBySubjectName&quot; findValue=&quot;UCP Core&quot;/&gt;
&lt;/serviceCredentials&gt;
&lt;/behavior&gt;
&lt;/serviceBehaviors&gt;
&lt;/behaviors&gt;

Let’s explain the service , bindings and behaviors sections separately – let’s start from the bindings section:

&lt;bindings&gt;
&lt;wsFederationHttpBinding&gt;
&lt;binding name=&quot;STSBindingConfiguration&quot;  &gt;
&lt;security mode=&quot;Message&quot;&gt;
&lt;message issuedKeyType=&quot;SymmetricKey&quot; issuedTokenType=&quot;&quot;&gt;
&lt;claimTypeRequirements&gt;
&lt;add claimType=&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name&quot; isOptional=&quot;false&quot;/&gt;
&lt;add claimType=&quot;http://schemas.microsoft.com/ws/2006/04/identity/claims/role&quot; isOptional=&quot;true&quot;/&gt;
&lt;/claimTypeRequirements&gt;
&lt;issuer address=&quot;http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/cert/&quot; /&gt;
&lt;issuerMetadata address=&quot;http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/mex&quot; /&gt;
&lt;/message&gt;
&lt;/security&gt;
&lt;/binding&gt;
&lt;/wsFederationHttpBinding&gt;
&lt;/bindings&gt;

The binding defines the way of communication between the WCF service and the Web application that wants to use the WCF service. This element holds a collection of standard and custom bindings which are is identified by their name. So, the communication will be done through wsFederationHttpBinding – a binding that supports WS-Federation.

These are the settings that can be changed in the above section:

XML SECTION PROPERTY DESCRIPTION EXAMPLE
wsFederationHttpBinding -> binding name Binding identifier STSBindingConfiguration
message {{claimTypeRequirements }} The list of claims the web application needs to provide in order to use the WCF service
&lt;add claimType=&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name&quot; isOptional=&quot;false&quot;/&gt;
&lt;add claimType=&quot;http://schemas.microsoft.com/ws/2006/04/identity/claims/role&quot; isOptional=&quot;true&quot;/&gt;
message -> issuer address The address of the STS where the web application should obtain the claims from http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/cert/
message -> issuerMetadata address The address of the STS’s metadata http://localhost:50680/AtomiaIdentityStS/AtomiaSts.svc/mex

The behavior section defines behavior elements consumed by services. Each behavior element is identified by its unique name attribute.

&lt;behaviors&gt;
&lt;serviceBehaviors&gt;
&lt;behavior name=&quot;UCPAuthPrototype.TestService.CoreServiceBehavior&quot;&gt;
&lt;serviceMetadata httpGetEnabled=&quot;true&quot; /&gt;
&lt;serviceDebug includeExceptionDetailInFaults=&quot;true&quot; /&gt;
&lt;serviceAuthorization principalPermissionMode=&quot;None&quot;/&gt;
&lt;serviceCredentials&gt;
&lt;issuedTokenAuthentication allowUntrustedRsaIssuers=&quot;false&quot; certificateValidationMode=&quot;PeerTrust&quot;  audienceUriMode=&quot;Never&quot; revocationMode=&quot;Online&quot; trustedStoreLocation=&quot;LocalMachine&quot;&gt;
&lt;knownCertificates&gt;
&lt;add findValue=&quot;UCP Authorization Service&quot; storeLocation=&quot;LocalMachine&quot; storeName=&quot;TrustedPeople&quot; x509FindType=&quot;FindBySubjectName&quot;/&gt;
&lt;/knownCertificates&gt;
&lt;/issuedTokenAuthentication&gt;
&lt;serviceCertificate storeLocation=&quot;LocalMachine&quot; storeName=&quot;My&quot; x509FindType=&quot;FindBySubjectName&quot; findValue=&quot;UCP Core&quot;/&gt;
&lt;/serviceCredentials&gt;
&lt;/behavior&gt;
&lt;/serviceBehaviors&gt;
&lt;/behaviors&gt;

We can customize these settings:

XML SECTION PROPERTY DESCRIPTION EXAMPLE
serviceBehaviors -> behavior name Behavior identifier UCPAuthPrototype.TestService.CoreServiceBehavior
issuedTokenAuthentication -> knownCertificates findValue A string in the X.509 certificate store that contains the certificate used by the STS for signing and encrypting the tokens issued to web application (so the WCF service can authenticate the web application) UCP Authorization Service
serviceCertificate findValue A string in the X.509 certificate store that contains the certificate used for signing and encrypting messages from a web application to the WCF service UCP Core

Finally, the service section contains the settings for a Windows Communication Foundation (WCF) service. It also contains endpoints that expose the service.

&lt;service behaviorConfiguration=&quot;UCPAuthPrototype.TestService.CoreServiceBehavior&quot;
name=&quot;UCPAuthPrototype.TestService.CoreService&quot;&gt;
&lt;endpoint address=&quot;&quot; binding=&quot;wsFederationHttpBinding&quot; contract=&quot;UCPAuthPrototype.TestService.ICoreService&quot; bindingConfiguration=&quot;STSBindingConfiguration&quot;&gt;
&lt;/endpoint&gt;
&lt;endpoint address=&quot;mex&quot; binding=&quot;mexHttpBinding&quot; contract=&quot;IMetadataExchange&quot; /&gt;
&lt;host&gt;
&lt;baseAddresses&gt;
&lt;add baseAddress=&quot;http://localhost:8700/CoreService/&quot; /&gt;
&lt;/baseAddresses&gt;
&lt;/host&gt;
&lt;/service&gt;

These settings need to be customized so the service will use the binding ad behavior defined above:

XML SECTION PROPERTY DESCRIPTION EXAMPLE
service name Specifies the type of the service to be instantiated. The format should be Namespace.Class. UCPAuthPrototype.TestService.CoreService
service behaviorConfiguration A string that contains the behavior name of the behavior to be used to instantiate the service UCPAuthPrototype.TestService.CoreServiceBehavior
host baseAddress A string that specifies a base address used by the service host. http://localhost:8700/CoreService/
endpoint binding Specifies the type of binding to use. wsFederationHttpBinding
endpoint bindingConfiguration A string that specifies the binding name of the binding to use when the endpoint is instantiated STSBindingConfiguration

Was this helpful?