WCF Claims, STS and Federation – Layman’s View

| Comments

Configuring your Federation

I’m here to explain WCF claims in federated services using STS (security token service) from a layman’s perspective.  I’ve started with the set of configuration you have to put in place on web.config under system.serviceModel to make your service in federated way.  Instead of very boring textual explanation, I’m explaining in comic way. 

  

  

This is to be declared inside –> element of system.serviceModel section of web.config. 

 

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14

 

<wsFederationHttpBinding>
 <binding name="wsFed">
  <security mode="Message">
   <message issuedTokenType="<strong>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</strong>" negotiateServiceCredential="false">    
    <issuer address="<strong>http://udoozSTS/TokenService.svc</strong>" binding ="wsHttpBinding"  bindingConfiguration="udoozSTSBinding" >
     
    </issuer>
   </message>
  </security>
 </binding>
</wsFederationHttpBinding>
 

The is the place you have to tell where STS is hosted over which binding with appropriate binding configuration.  This service expects SAML 1.1 provided by udoozSTS.  Since, this is expected as part of request message, it has been declared in Message security mode. 

 

This is has to be declared in section of 

1
2
3
4
5
6
7
8
9
10
11
12

 

<identity>
         <certificateReference
              findValue="WCFServerKey"
              x509FindType="FindBySubjectName"
              storeLocation="LocalMachine"
              storeName="TrustedPeople" />
 

</identity>
 

  

This has to be declared in element under 

1
2
3
4
5
6

 

<claimTypeRequirements>
 <add claimType="http://schemas.udooz.net/2010/12/identity/claims/facebookId" isOptional="false"/>
 <add claimType="http://schemas.udooz.net/2010/12/identity/claims/orgName" isOptional="false"/>
</claimTypeRequirements> 

 The whole configuration  related to this as 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

</pre>
 <bindings>
 <wsFederationHttpBinding>
  <binding name="mrservice">
   <security mode="Message">
    <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false">
     <claimTypeRequirements>
      <add claimType="http://schemas.udooz.net/2010/12/identity/claims/facebookId" isOptional="false"/>
      <add claimType="http://schemas.udooz.net/2010/12/identity/claims/orgName" isOptional="false"/>
     </claimTypeRequirements>
     <issuer address="http://udoozSTS/TokenService.svc" binding ="wsHttpBinding"  bindingConfiguration="udoozSTSBinding" >
      <identity>
       <certificateReference
         findValue="WCFServerKey"
         x509FindType="FindBySubjectName"
         storeLocation="LocalMachine"
         storeName="TrustedPeople" />                 
      </identity>
     </issuer>
    </message>
   </security>
  </binding>
 </wsFederationHttpBinding>
<bindings>

The proofs are called as claims.  A collection of claims about a consumer provided by a identity provider (STS) with its identity is called as ClaimSet.

The comic was developed using .

To be continued…