Build an Active STS using WCF in .net 4.5 - wcf

I have a scenario whereby i need to build a WCF service to provide custom authentication to 3rd parties non-web application connecting in an "Active" mode - i.e. i cannot present a web login page.
The login mechanism is also custom (i.e. not necessarily username/password), and so i cannot use ADFS or ACS.
I have read up on building active STS using WCF, but they mostly relate to .NET 3.5 and not much has been written around using .NET 4.5 since WIF has been integrated into the framework.
I have read Examples of how to a STS in .Net 4.5 using WCF but it doesn't seem to fit my scenario.
Any pointers appreciated.

Maybe you want to have a look at
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
This is an open source STS that includes active endpoints.

Related

Create Custom STS service in VS2012 with .net 4.5

Since I'm new to WIF.
I want to create a custom STS on WIF, but these document only for .net 3.5:
http://msdn.microsoft.com/en-us/library/ee748498.aspx
and I can't find these template in vs 2012.
So what should I do? Can anybody provide some information to me ?
Thanks !
Writing a custom STS service is still available under WIF in .NET 4.5 or WIF 4.5 for short.
"To create an STS you must derive from the SecurityTokenService class. In your custom class you must, at a minimum, override the GetScope and GetOutputClaimsIdentity methods...", Microsoft 1
You start by deriving a new type from System.IdentityModel.SecurityTokenService.
Note that we now use the SecurityTokenService which is apart of .NET 4.5's System.IdentityModel and not the pre .NET 4.5 Microsoft.IdentityModel.
Please refer to the link below to see an example of a passive STS.
Microsoft's Federation Metadata example is a reasonably complete example of custom STS.
MSDN:
This sample will show you how to dynamically consume WS-Federation metadata at run time in an ASP.NET Web Application. You will also see how to create a basic STS that produces WS-Federation metadata and issues tokens.
In addition this sample shows the basics of how claims have been integrated into the .NET framework. You will learn how a web application is enabled to use WIF. You will see how they are useful from within existing properties and functions, and how you can take the next step to using them directly using the ClaimsPrincipal class in System.Security.Claims. You also will also learn how to work with the local STS that is part of the Identity and Access tool for Visual Studio 2012. Tell me more
[1] System.IdentityModel.SecurityTokenService
The templates have been replaced with the Identity and Access Tool.
Refer Windows Identity Foundation in the .NET Framework 4.5 Beta: Tools, Samples, Claims Everywhere
There is no custom STS facility option anymore in the sense of a wizard as per FedUtil. As other posts allude to, you can still roll your own.
Refer: What's New in Windows Identity Foundation 4.5.
Have a look at Identity Server which is a very good custom STS and alter as required.
If you're completely new then writing a custom STS might not be such a good idea :-) I would suggest having a look at the implementation given in ThinkTecture STS (https://github.com/thinktecture/Thinktecture.IdentityServer.v2) This is a sample STS that handles different tokens types (SAML, SWT and JWT) as well as different procotols (WSFederation, OAuth, ...) There is too much in here for many simple cases but at least the code works.

ASP.NET Client Application Services Authentication and WCF

I have a WPF application that uses Client Application Services to allow authentication (username/password logon) against a related web application that uses Forms authentication and the SqlMembershipProvider/SqlProfileProvider/SqlRoleProvider. This all works and I can reliably validate a user/password combination.
The WPF application also calls a number of WCF services that are exposed by the same web application as is used for the CAS authentication. I now want to be able to pass through the authentication details (from Client Application Services) to the WCF services in order that I can identify the user that was authenticated within those services. I also need to be able to prevent the WCF services from being used if no authentication has taken place.
I have found a couple of .NET 3.5 examples where CAS authentication is used against .asmx web services, or authentication is provided against WCF Data Services which does not use ClientBase and has authentication facilities built in, but I cannot find any examples with pure WCF. Can anybody point me toward instruction that will enable this scenario? I am using .NET 4.0 for this project.
I have also found this stackoverflow question but again this is answered for .asmx web services and not for WCF.
The closest I have gotten involves the creation of an OperationContextScope and then copying the cookie header from the ClientFormsIdentity object to an HttpRequestMessageProperty and adding this to the OutgoingMessageProperties of the current OperationContext. I then call one or more methods of the service within the lifespan of the OperationContextScope. Thing is, when I then get to the WCF service, I still cannot see anything that resembles authentication in such a way as I can identify the original user. This methodology has been taken from various examples but I am obviously missing a step at the WCF end.
I think you need to switch to the Web API that Microsoft is now having people use for WCF Services. Check out Using Forms Authentication with Web API and http://aamirposwal.blogspot.com/2012/05/aspnet-web-api-custom-authorize-and.html
Found it.
In my binding, I specified allowCookies="true".
According to Wiktor Zychla, "setting the AllowCookies property on a BasicHttpBinding to true turns on the automatic cookie management" - this means that any attempt to set a cookie in code will be ignored and this is what I was doing.

Examples of how to a STS in .Net 4.5 using WCF

I'm looking for Examples of how to a STS in .Net 4.5 using WCF.
So the scenario is I have a MVC 4 web app that I want to write an STS to authenticate and get claims that stores its data in the traditional SqlMembershipProvider database schema that we all know and love.
I'm guessing the STS could be a simple WCF service.
I've googled around but can only find stuff that shows how to do all this when the WIF was separated from the Core Framework. I.e. before it was embedded in .Net 4.5
Writing your solution may not be as easy as you expect it to be. Have a look at https://github.com/thinktecture/Thinktecture.IdentityServer.v2 which is a .NET STS. I guess using it will suffice in your case and it is very actively developed.

Claims-based security in Silverlight 4

We are implementing a claims-based approach to security for our enterprise applications. I've been looking at the built-in support (with System.IdentityModel) as well as Windows Identity Foundation (WIF) but it doesn't look like either support Silverlight applications. I realize that SL4 doesn't support IPrincipal et al, but that shouldn't mean we can't still do claims-based auth.
Am I missing samples or documentation showing how to do so in SL4 or am I left to a home-grown solution?
I recently discovered that the latest version of the WIF Training Kit contains a sample application showing how to integrate WIF into a Silverlight client. It includes a version of the WIF IdentityModel code compiled against the Silverlight runtime. While not an ideal or even long-term solution, it gets me going.
Have a look at this by Dominic:
http://www.leastprivilege.com/UsingSilverlightToAccessWIFSecuredWCFServices.aspx
or this:
http://social.msdn.microsoft.com/Forums/en/Geneva/thread/fe890df3-8815-4d05-b293-d3c87f32e9e0

How do I invoke a WSE3.0 service to be deployed to Windows Server 2008?

One of our C# ASP.Net projects has some dependencies on the Microsoft WSE 3.0 library, in order to consume a WSE3.0 web service. However, we're migrating the project to Windows Server 2008, which does not support WSE3.0.
So I need to refactor the code to remove the dependency to WSE 3.0 but still maintain its functionality. The code is simply adding a username security token to the SOAP context and then invoking the web service. I'm not sure where to start though. I suspect I switch to WCF, and if so, is there any tutorial available online to help?
I'd start by creating a simple application, maybe a Console application, to be a test consumer of the existing web service. Create client proxy classes for this application by using "Add Service Reference", and pointing it to the existing WSE service. That should take care of most of the problems.
Once the simple console application works, you can do the same for your ASP.NET project.
Needless to say, it's way past time to update that WSE service to WCF, which is supported, and which will continue to be supported for a long time to come.
This article is a pretty good rundown of the differences between WSE 3.0 & WCF and migration recommendations. I'd start by getting the migrated service to run under the basicHttpBinding configuration (without user name/password authentication).
Once the service is running as expected and look at this article to see how to get the migrated service configured for user name/password authentication. The article is written for Silverlight use but there should be enough in it to get you going.