How to process SWT Token from ACS-hosted login page - wcf

I've set up an ACS domain with a Relying Party to authenticate a WCF Service. On my client (website), I want to link to the Hosted Login Page that ACS provides for my Relying Party. I have the Return URL configured to respond to the same page, but whenever it returns, the page currently throws this error:
A potentially dangerous Request.Form value was detected from the
client (wresult="<t:RequestSecurityTo...")
How do I retrieve this SWT token and parse it to send off to the WCF service?

The ASP.NET request validation feature is kicking in here (because of the angle brackets). Either turn off request validation for the page or, when on .NET 4.5, set the request validation mode in web.config to 4.5.
Or use this: http://leastprivilege.com/2010/07/24/wif-asp-net-4-0-and-request-validation/
I would also recommend using SAML instead of SWT, since this is what WCF understands by default.
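If you do stay with SWT, the receiving page has to read the posted wresult without tripping request validation, pull the token out of the RequestSecurityTokenResponse, and check the HMAC, audience and expiry before trusting any claim. The following is an added example, not code from the question or the answer; it assumes web.config has <httpRuntime requestValidationMode="4.5" /> so that Request.Unvalidated is available, and that keyBase64 is the symmetric token-signing key configured for this relying party in the ACS portal. The SWT layout (form-encoded pairs, HMACSHA256 as the last pair) follows the Simple Web Token profile that ACS issues.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Xml.Linq;

// Added example: take the SWT out of the ACS wresult postback, verify it, return its claims.
public static class SwtReceiver
{
    // wresult is a WS-Trust RequestSecurityTokenResponse; the SWT is base64 inside wsse:BinarySecurityToken.
    static readonly XNamespace Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string SigMarker = "&HMACSHA256=";

    public static NameValueCollection ReadFromPostback(HttpRequest request, string keyBase64, string audience)
    {
        // Read this one value unvalidated instead of switching request validation off for the whole page.
        string wresult = request.Unvalidated.Form["wresult"];
        if (string.IsNullOrEmpty(wresult)) throw new SecurityException("no wresult in the POST");
        XElement bst = XDocument.Parse(wresult).Descendants(Wsse + "BinarySecurityToken").FirstOrDefault();
        if (bst == null) throw new SecurityException("no BinarySecurityToken in wresult");
        string swt = Encoding.UTF8.GetString(Convert.FromBase64String(bst.Value));
        return Validate(swt, keyBase64, audience);
    }

    // An SWT is form-encoded name=value pairs; the last pair, HMACSHA256, is the URL-encoded base64
    // HMAC-SHA256 over everything before "&HMACSHA256=".
    public static NameValueCollection Validate(string swt, string keyBase64, string audience)
    {
        int sigPos = swt.LastIndexOf(SigMarker, StringComparison.Ordinal);
        if (sigPos < 0) throw new SecurityException("token carries no signature");
        string signedPart = swt.Substring(0, sigPos);
        byte[] presented = Convert.FromBase64String(HttpUtility.UrlDecode(swt.Substring(sigPos + SigMarker.Length)));
        using (var hmac = new HMACSHA256(Convert.FromBase64String(keyBase64)))
            if (!FixedTimeEquals(hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPart)), presented))
                throw new SecurityException("signature mismatch");
        // Only after the MAC checks out do the other claims mean anything.
        NameValueCollection claims = HttpUtility.ParseQueryString(signedPart);
        if (claims["Audience"] != audience) throw new SecurityException("token issued for another audience");
        long expiresOn = long.Parse(claims["ExpiresOn"]);  // seconds since 1970-01-01 UTC
        long now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        if (now >= expiresOn) throw new SecurityException("token expired");
        return claims;
    }

    // Constant-time comparison so the check does not leak where the MACs first differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The returned collection holds the Issuer, Audience, ExpiresOn and identity claims exactly as ACS encoded them, URL-decoded by ParseQueryString.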

Related

asp.net core 2.0 web api and windows authentication

Creating a simple asp.net core 2.0 web api application (RESTful services only) that uses windows authentication. In my controller I defined a simple test method which just returns the username (json format). When I use a RESTful client such as Fiddler and invoke this method, e.g. http://localhost/webapi/testservice, I get a 401 Unauthorized error. However, when I put that URL in a web browser, it invokes successfully and returns the user.
My question is, why does invoking the service work on the browser but not in a REST client like Fiddler? Is there an additional header I need to add in the client when invoking the service?

Is it possible to configure wsHttpBinding for authentication only (Kerberos token), no signing/encryption

I have a web service running outside of .net that I need to invoke from a .NET client.
I was given a .NET client written in Visual Basic to test with.
The .NET client can access the web service with a clear-text SOAP message using basicHttpBinding.
I can configure a policy/binding for the external web service to use the Kerberos token for Message Level Protection and authentication. I can access this web service from the .NET client by modifying the configuration file to use wsHttpBinding.
Now, the requirement is to use the Kerberos token for authentication only and not sign/encrypt the SOAP message. That is, I only need the tags in the SOAP header. I have this configuration working on the external web service, but now I want to modify the configuration file so the .NET client only sends the and does not sign/encrypt any part of the SOAP message.
Is it possible to modify the .net client's .config file to do this?
My understanding is that basicHttpBinding cannot be modified to use a Kerberos token (only UserName/Certificate).
I've tried disabling signing/encryption in wsHttpBinding via an attribute such as "defaultProtectionLevel=Sign/SignEncrypt/None", but this isn't available in wsHttpBinding (or I can't find it). I can only disable or enable message level protection and authentication with .
I've also tried building a customBinding, but cannot disable signing/encryption and use the Kerberos token for authentication only.
Does anyone have a solution or some tips that could point me in the right direction to go about solving the above issues?

Calling WIF (SAML) secured WCF REST service from Javascript (jQuery)

I'm beginning to have doubts as to whether this is possible, but I'm hoping that someone out there has a deeper understanding of the mechanics than I do.
We are planning to host a pure javascript form in a SharePoint site that is secured using ADFS. This form needs to make calls to a WCF REST service. We want to be able to use the same FedAuth cookie / SAML token issued to the user from ADFS in the WCF service for authentication but so far I have not really found a way to pass it using javascript.
So to break it down, how do you call a WIF / SAML secured WCF REST service from javascript?

Passing SAML Token to WCF service from Asp.Net

When I try to invoke a WCF service from an asp.net application (RP) which is authenticated by another asp.net application (IP), I'm getting an error message with the content of the login page (it is trying to reach the login page because it could not authenticate the request).
Identity Provider : http://localhost/AuthenticatonWS/Login.aspx
Relying party Website : http://localhost/RPWebsite/Default.aspx
WCF Service : http://localhost/RPWebsite/Service1.svc
(In my solution I'm calling service1.svc from default.aspx.cs)
I don't want the service to be anonymous. Currently the site (RPWebsite) uses STS and trusts the local Identity provider, but in production it can trust any external identity provider through ADFS.
Can anyone guide me on how I can pass the token information to the service from the aspx page? I did try several examples from the internet but I could not get it working.
The problem could very well be that the RPWebsite uses ClaimsAuthorizationModule in <system><httpModules> or <system.webserver><modules> in web.config. This causes any web service call to be redirected to the STS for authentication, as if it were an interactive browser request, as you observed.
Alternatively, this module can be added in the WIF-specific section of web.config, that is, in <microsoft.identityModel><service>, and in this case this module is only used for claims-based WCF web service calls. You add it in the following form: <claimsAuthorizationManager type="MyNamespace.CustomClaimsAuthenticationManager, MyAssembly"/>. (This type must extend ClaimsAuthorizationManager, as described in the WIF documentation page "ClaimsAuthenticationManager, ClaimsAuthorizationManager, and OriginalIssuer".)
Reference: Vittorio Bertocci, "Programming WIF", p. 43.
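A sketch of the type that the <claimsAuthorizationManager> element points at, as an added example and not code from the answer or from WIF itself. For a WCF call, WIF passes the SOAP action as the action claim and the service address as the resource claim; the operation suffixes and role names below are assumptions made up for illustration.

```csharp
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

// Added example: the class named in <microsoft.identityModel><service><claimsAuthorizationManager type="..."/>.
public class CustomClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    // SOAP action suffix -> role allowed to invoke it (assumed names). Anything not listed is denied.
    static readonly Dictionary<string, string> RequiredRole = new Dictionary<string, string>
    {
        { "/IService1/GetOrders",   "Clerk" },
        { "/IService1/DeleteOrder", "Manager" },
    };

    public override bool CheckAccess(AuthorizationContext context)
    {
        IClaimsPrincipal principal = context.Principal;
        // In the WCF pipeline a false result denies the call outright; nothing here
        // redirects a non-interactive caller to the STS login page.
        if (principal == null || !principal.Identity.IsAuthenticated) return false;

        foreach (Claim action in context.Action)
        {
            string role = null;
            foreach (KeyValuePair<string, string> entry in RequiredRole)
                if (action.Value.EndsWith(entry.Key)) role = entry.Value;
            // Unknown operation, or caller lacks the role claim WIF maps to IsInRole: deny.
            if (role == null || !principal.IsInRole(role)) return false;
        }
        return context.Action.Count > 0;
    }
}
```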
I think there are several options:
Using persistent authentication cookies that support multiple client sessions, or supporting sharing of the session between your RP and WCF service, so that WCF can re-utilize the authentication cookies issued for the RP when the RP makes a call to the WCF service. To be honest, I have never tried to implement this in action. It is just my theory.
Create a separate authentication service which requires no user interaction (such as entering username/password). Then you have plenty of ways to call WCF from your RP:
From your RP, ask the authentication service to issue a token for WCF; attach the token to the request header of the WCF call (e.g. Authorization); then call the WCF service. This requires a custom HttpModule at the WCF service to accept the custom request header containing the token.
From your RP, you can also store the UserName/Password, or a unique user identity claim which could identify the user; attach that information to the request header of the WCF call (e.g. Authorization); then call the WCF service. This also requires a custom HttpModule at the WCF service to accept the custom request header.
I would recommend the second option; you can find more useful information and guidelines on Dominick Baier's blog.
Just my 2 cents.

ASP.NET, SilverLight, WCF & Forms Authentication - How to configure endpoints?

I have this existing environment:
1) ASP.NET 3.5 web application
2) forms authentication with the SqlMembershipProvider
I need to add the following:
1) a Silverlight charting object embedded in a web page.
2) a WCF service to be consumed by:
a) the Silverlight component embedded in an authenticated web page, as mentioned above
b) server-based WCF clients with certificate-based authentication
My question is - what is the easiest/best way to configure the WCF endpoints for the Silverlight object to authenticate to the WCF service using the security context of the already logged-in user (via the page that’s hosting the Silverlight object) without having to use the user's username/password again?
I've researched a lot of the MSDN and Patterns & Practices material and I thought I had a decent grasp of many of the potential authentication scenarios. But I can't seem to figure out a way to tie them together for the scenario I've outlined. I've found other people posting similar questions to mine but none of the answers I've read seem to fully answer their questions either. (Maybe I'm making this harder than it needs to be?)
I would think that the solution would be to somehow use the authentication token/cookie generated in the asp.net form login and somehow pass that to the Silverlight object which then includes it in the WCF request. But I don't see how to configure the WCF endpoint to use that token.
(In some of my other projects I've implemented the server-to-server scenario in 2.b above using certificate-based authentication, so I'm not too worried about adding that to the current mix I've outlined.)
Thanks in advance for any insight or pointers to the path forward.
Terry
Thanks codemeit for trying to help, but I finally figured out what I was doing wrong - it was pilot error.
In trying to configure the endpoints for my Silverlight app I was testing with an asp.net page. I finally realized that when I test that way, the client endpoint is no longer originating from the authenticated browser - the client endpoint is the IIS server which in turn executes the request against the WCF server endpoint. So the security context changes and HttpContext.Current.User.Identity is always empty at the WCF server endpoint.
Once I got my test SL app running in the browser, it automatically inherited the security context of the authenticated browser and then HttpContext.Current.User.Identity was correct and authenticated at the WCF server endpoint.
Have you tried enabling your WCF services with ASP.NET compatibility, then checking whether the following is true?
string currentUserName = HttpContext.Current.User.Identity.Name;
bool isLoggedIn = HttpContext.Current.User.Identity.IsAuthenticated;
If these properties are populated with the expected values, then this is the one you are after.
To enable ASP.NET compatibility, add to web.config:
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
and add to the service implementation class:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
In this case, the endpoint would be using basicHttpBinding, and you could check the authentication at run time within WCF.