I am studying brokered authentication, federation etc. On all the blogs, it's mentioned that there is a "trust" between Security Token Service and other web services. However, I could not find a blog which explains how to establish that trust.
Questions:
Which thing makes other web services trust the STS? i.e. how do we establish trust between STS and other web services?
How do other web services verify that the security token is issued by the STS they trust, and not by some other STS?
I understand that various technologies would be doing it in different manner. It would be good if someone explains how it happens in the .NET world (using WCF, Windows Identity Foundation etc.).
It's done using an X.509 certificate.
The SecurityTokenService (STS) "signs the SAML token" using a certificate which the other services trust too. So the trust is established through the common thing, i.e. the certificate, which the STS and the other services both trust!
While calling other web services, the SAML token issued by the STS is sent in the SOAP header. If the SAML token is signed by the certificate your other service trusts, then your service understands that the token was issued by the 'trusted' STS.
In Windows Identity Foundation, you can configure the signing certificate for the STS.
In the case of the other web services, the trusted certificate can be configured in the service host using the ServiceCredentials class.
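The relying-party side of this, as an added example (not code from the answer above): a WIF IssuerNameRegistry that maps the thumbprint of the STS signing certificate to an issuer name and rejects tokens signed by any other certificate, even one chaining to the same CA. The thumbprint value, the issuer URL and the assembly name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Added example: pin the STS signing certificate by thumbprint.
// WIF calls GetIssuerName for the certificate that signed an incoming SAML token;
// returning null makes Saml11/Saml2SecurityTokenHandler reject the token,
// regardless of whether its signature is cryptographically valid.
public class PinnedIssuerNameRegistry : IssuerNameRegistry
{
    // Placeholder thumbprint (SHA-1 hex, as shown by X509Certificate2.Thumbprint).
    // Replace with the thumbprint of your own STS signing certificate.
    private static readonly Dictionary<string, string> TrustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000000", "https://sts.example.com/" }
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            // Token was not signed with a certificate: not our STS.
            return null;
        }

        string issuerName;
        if (TrustedIssuers.TryGetValue(x509Token.Certificate.Thumbprint, out issuerName))
        {
            return issuerName;
        }

        // Signed by some other certificate (another STS, or any cert from the same CA):
        // untrusted. Chain trust alone would not distinguish these, pinning does.
        return null;
    }
}

// Equivalent configuration, if you prefer the built-in registry over code
// (assembly-qualified type name and thumbprint are placeholders):
//
// <system.identityModel>
//   <identityConfiguration>
//     <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
//       <trustedIssuers>
//         <add thumbprint="0000000000000000000000000000000000000000" name="https://sts.example.com/" />
//       </trustedIssuers>
//     </issuerNameRegistry>
//   </identityConfiguration>
// </system.identityModel>
```

When the STS signing certificate is rotated, the thumbprint in this registry must be updated in step; that is the operational cost of pinning, and the reason to list the new and old thumbprints together during a rollover.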
Related
Microsoft Graph API and Dynamics Web Services both support certificate authentication with client credentials flow.
Are there any security concerns in "Authenticated Users" having read access to the private key of the authentication certificate stored on the IIS server? The private key is not exportable.
Are there any security concerns in using the same certificate for both SSL of the IIS site and the client credentials flow authentication?
I think there's a gap in my mental model of WCF authentication, hoping someone can help me fill it in.
So, I'm creating a WCF service and would like to have clients authenticate using certificates, and message-level security. I'd like the service to validate these using chain trust so that I don't need each client cert installed on the service. For now, I'm not interested in having the service authenticate to the client.
Here's my understanding of what's needed to do this:
The client needs a certificate signed by a CA that's trusted on the service side.
The service needs a CRL installed for that CA.
The service config should have message security turned on, specify clientCredentialType="Certificate", and chain trust for client certificate validation.
The client config should have message security turned on, specify clientCredentialType="Certificate", and an endpoint behavior that tells how to find the client certificate in the store.
The client makes a request to the service, sending its certificate. The service sees that the client's cert is signed by its trusted CA and lets the request through.
Now, all of the walkthroughs of this process I've found also include a step of creating a certificate for the service. None of them explain what this is for, which is throwing me. Why is a service certificate needed if I just want to authenticate the clients?
You are right. In theory no server certificate is required; in practice WCF forces you to use one. The good news is that you should use a dummy certificate for the server and also set ProtectionLevel to SignOnly. I suggest reading this article, which covers a similar scenario and is mostly relevant.
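The steps listed in the question, wired up in code as an added example (not code from the answer or the linked article): message security, certificate client credentials validated by chain trust with revocation checking, a sign-only contract, and the service certificate WCF insists on. The service name, certificate subject names and address are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example. SignOnly on the contract: messages are signed but not encrypted,
// so the service certificate is only there because WCF message security requires one.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IPing
{
    [OperationContract]
    string Ping(string message);
}

public class PingService : IPing
{
    public string Ping(string message) { return "pong: " + message; }
}

public static class CertificateAuthSetup
{
    private static WSHttpBinding MessageSecurityWithClientCert()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    // Service side: accept any client certificate that chains to a trusted CA
    // and is not revoked. No individual client certificate is installed on the server.
    public static ServiceHost BuildHost()
    {
        var host = new ServiceHost(typeof(PingService), new Uri("http://localhost:8000/ping"));
        host.AddServiceEndpoint(typeof(IPing), MessageSecurityWithClientCert(), "");

        // Placeholder subject name of the (dummy) service certificate in LocalMachine\My.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "wcf-service-dummy");

        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        // Online: fetch the CRL/OCSP; Offline: use a CRL already installed on the server.
        auth.RevocationMode = X509RevocationMode.Online;
        auth.TrustedStoreLocation = StoreLocation.LocalMachine;
        return host;
    }

    // Client side: present a certificate from the current user's store.
    public static IPing BuildClient()
    {
        var address = new EndpointAddress(
            new Uri("http://localhost:8000/ping"),
            EndpointIdentity.CreateDnsIdentity("wcf-service-dummy"));
        var factory = new ChannelFactory<IPing>(MessageSecurityWithClientCert(), address);

        // Placeholder subject name of the client's certificate in CurrentUser\My.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "client1");

        // The questioner does not want to authenticate the service. With a self-signed dummy
        // service certificate, ChainTrust would fail; PeerTrust accepts it if it is installed in
        // the client's TrustedPeople store. Avoid None outside a lab: it disables all checks.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        return factory.CreateChannel();
    }
}
```

Note that chain trust here admits every certificate issued by any CA in the server's trusted root store, not only the CA you intended; if that is too broad, the custom validator or authorization manager approaches discussed further down are the way to narrow it.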
I do not really know how X.509 works.
If I have a web service that needs to authenticate and validate the client, and he uses a ClientCertificate, could he send me some information that I could then validate against?
I do not create the web site itself so I can't be sure they would do it right. I don't want to allow someone to say to the web service "It's okay, I ClientCertificated him and he's good".
You can implement your own custom client certificate validator, but its usage will differ depending on how you use the client certificate. If you use pure message security, your validator will be the only component used to validate the certificate. If you use HTTPS with a client certificate (transport security), the certificate will first be validated by Windows (= your service hosting server must trust the certificate) and after that it will be passed to WCF and validated by your validator.
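A custom validator of the kind described, as an added example (not code from the answer): it builds the chain itself with revocation checking, requires the chain to end at one specific CA rather than any root the machine trusts, and requires the Client Authentication EKU. The CA thumbprint is a placeholder.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: the service validates the certificate itself; nothing the caller
// says ("I checked him, he's good") is taken on trust.
public class PinnedCaCertificateValidator : X509CertificateValidator
{
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";
    private readonly string expectedRootThumbprint; // placeholder, SHA-1 hex of your CA cert

    public PinnedCaCertificateValidator(string expectedRootThumbprint)
    {
        this.expectedRootThumbprint = expectedRootThumbprint;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");

        // 1. Chain building with revocation checking (CRL/OCSP for every cert except the root).
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (!chain.Build(certificate))
        {
            string reasons = string.Join("; ",
                chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            throw new SecurityTokenValidationException("Client certificate chain invalid: " + reasons);
        }

        // 2. The chain must end at *our* CA, not at any root in the machine store.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, expectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            throw new SecurityTokenValidationException("Client certificate chains to an unexpected root CA");
        }

        // 3. The certificate must be issued for client authentication.
        var eku = certificate.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        bool hasClientAuth = eku != null &&
            eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEku);
        if (!hasClientAuth)
        {
            throw new SecurityTokenValidationException("Client certificate lacks the Client Authentication EKU");
        }
    }
}

public static class ValidatorWiring
{
    // Equivalent config:
    // <clientCertificate><authentication certificateValidationMode="Custom"
    //   customCertificateValidatorType="PinnedCaCertificateValidator, MyAssembly" /></clientCertificate>
    public static void Apply(ServiceHost host, string caThumbprint)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedCaCertificateValidator(caThumbprint);
    }
}
```

Under transport security (HTTPS in IIS) this validator runs after Windows has already accepted the certificate, as the answer says, so a failure inside it still rejects the call but cannot make IIS accept a certificate Windows rejected.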
I have two WCF services using WsHttpBinding with transport security and mutual certificate authentication that are being hosted on the same Windows server. Clients that can access one WCF service should not have access to the other WCF service. I need some help on configuring the client certificates on the Windows host. The client certificates are signed by trusted CAs and the intermediate and root certificate chain is already installed on the server. It seems like the service automatically relies on chain of trust and does not require the actual client certificates to be installed on the server at all before letting the client access the service - this is not the behavior I want. Can someone please tell me how I should be configuring these client certificates in order to explicitly allow access to one service and not the other?
Thanks.
That has nothing to do with the certificates themselves. When using mutual SSL authentication, certificates are used only to authenticate the client, and the authentication is done outside of your application (this is the difference from message security, where you can create a custom certificate validator). Once the certificate is trusted, the client is automatically authenticated to anything on the server that uses certificates for authentication.
You are looking for authorization - the step where you define what an authenticated client can do with your service. You can either hardcode your authorization logic into your service by using role-based security, or you can implement two custom ServiceAuthorizationManagers and assign each to a single service.
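The second option, as an added example (not code from the answer): a ServiceAuthorizationManager that allows only the client certificates on a per-service list, keyed by thumbprint, so each of the two hosts gets its own list. Thumbprints and assembly name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Added example. Authentication (chain validation) has already happened by the time
// CheckAccessCore runs; this class only decides whether *this* authenticated client
// may call *this* service.
public class ThumbprintAllowListAuthorizationManager : ServiceAuthorizationManager
{
    private readonly HashSet<string> allowedThumbprints;

    public ThumbprintAllowListAuthorizationManager(IEnumerable<string> thumbprints)
    {
        allowedThumbprints = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var securityContext = operationContext.ServiceSecurityContext;
        if (securityContext == null || securityContext.IsAnonymous)
        {
            return false;
        }

        // The client certificate that authenticated the caller surfaces as an X509CertificateClaimSet.
        foreach (ClaimSet claimSet in securityContext.AuthorizationContext.ClaimSets)
        {
            var certClaims = claimSet as X509CertificateClaimSet;
            if (certClaims != null && allowedThumbprints.Contains(certClaims.X509Certificate.Thumbprint))
            {
                return true;
            }
        }

        // Authenticated, but not on this service's list: WCF returns an access-denied fault.
        return false;
    }
}

public static class PerServiceAuthorization
{
    // One host per service, each with its own allow list. Equivalent config is a
    // <serviceAuthorization serviceAuthorizationManagerType="..., MyAssembly" /> behavior
    // per <service> element, with the thumbprints read from appSettings or similar.
    public static void Apply(ServiceHost host, params string[] allowedThumbprints)
    {
        host.Authorization.ServiceAuthorizationManager =
            new ThumbprintAllowListAuthorizationManager(allowedThumbprints);
    }

    public static void Example(ServiceHost serviceA, ServiceHost serviceB)
    {
        // Placeholder thumbprints: client 1 may call A, clients 2 and 3 may call B.
        Apply(serviceA, "1111111111111111111111111111111111111111");
        Apply(serviceB, "2222222222222222222222222222222222222222",
                        "3333333333333333333333333333333333333333");
    }
}
```

Keying on the thumbprint means a renewed client certificate is a configuration change on the server; if that churn is a problem, key on a stable subject attribute from the same claim set instead, but then make sure only your CA can issue certificates with that attribute.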
I am hosting a secured WCF service (transport-level security) which needs to authenticate users with third-party client certificates. To accept those client certificates, I have bound my IIS7 site to a third-party server certificate. Theoretically speaking this should work perfectly. But it does not; it continues to give the error:
The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Does anyone have an idea of how to make this work in this case?
Check out the WCF Security Guidance on Codeplex - they have tons of How-To's and extensive coverage and step-by-step explanations for all things WCF security related.
The one How-To most interesting to you would probably be:
How To – Use Certificate Authentication and Message Security in WCF