We Keep Coding

<security> tag requirement in consuming WCF with SAML token and using Federation binding

we have STS service whihc provides SAML token within the organization for security reasons all apps should get this token. I am buiulding a WCF service which should accept a SAML token and validate the same before serving the request.
So far I have setup a Federationbinding [not sure though its intended requirement as my service serves only interal/intranet apps within the firewall. I managed to to hit my WCF by using SOAP UI and get the response as well while debugging. but, the strange thing is in the request I had to mask my SAML under security tag else it never works; I am wondering ius there any workaroun for this or this is intended use. as the Java clients will be consuming my WCF service.
<?xml version="1.0" ?>
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.30319.17929, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<appSettings>
<add key="EncryptionCertificateName" value="xxxx" />
<add key="AssertionSignatureCertificateName" value="xxxx" />
<add key="EnablePerformanceLog" value="false" />
<add key="Logging.Level" value="0" />
<add key="Logging.Active" value="True" />
</appSettings>
<runtime>
<gcServer enabled="true" />
<generatePublisherEvidence enabled="false" />
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="NHibernate" publicKeyToken="aa95f207798dfdb4" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.3.1.4000" newVersion="3.3.1.4000" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<system.web>
<compilation debug="true" targetFramework="4.5" optimizeCompilations="true" batch="true" maxConcurrentCompilations="8" />
<httpRuntime targetFramework="4.5" minFreeThreads="10" minLocalRequestFreeThreads="10" requestValidationMode="2.0" />
</system.web>
<system.net>
<defaultProxy enabled="false">
<proxy usesystemdefault="False" bypassonlocal="True" autoDetect="False" />
</defaultProxy>
<connectionManagement>
<add address="*" maxconnection="5000" />
</connectionManagement>
</system.net>
<system.serviceModel>
<diagnostics performanceCounters="All">
<messageLogging logMalformedMessages="true" logMessagesAtTransportLevel="true" />
<endToEndTracing propagateActivity="true" messageFlowTracing="true" />
</diagnostics>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceCredentials useIdentityConfiguration="true" />
<serviceAuthorization principalPermissionMode="Always" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true">
<serviceActivations>
<add relativeAddress="Service.svc" service="XX.XXX.BusinessService.Service.VaultService" factory="XX.XXXX.BusinessService.Service.WcfServiceFactory" />
</serviceActivations>
</serviceHostingEnvironment>
<bindings>
<ws2007FederationHttpBinding>
<binding name="ws2007Binding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="BearerKey" issuedTokenType="urn:oasis:names:tc:SAML:2.0:assertion" negotiateServiceCredential="false" />
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<services>
<service name="XX.XXXX.BusinessService.Service.Service">
<host>
<baseAddresses>
<add baseAddress="https://localhost/XX.XXX.BusinessService.Service/" />
</baseAddresses>
</host>
<endpoint address="" binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007Binding" contract="XX.XXXX.Contract.Service.ServiceContract.IService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="false" />
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="NHibernate" publicKeyToken="aa95f207798dfdb4" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.3.1.4000" newVersion="3.3.1.4000" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
<!--<audienceUris>
<add value="VaultService.svc"/>
</audienceUris>-->
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add name="XX-XX-XX" thumbprint="XXX" />
</trustedIssuers>
</issuerNameRegistry>
<securityTokenHandlers>
<remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<add type="XX.XXX.Extension.Security.MySecurityTokenHandler, XXX.XXX.Extension" />
</securityTokenHandlers>
<claimsAuthenticationManager type="XX.XXXX.Extension.Security.ClaimsAuthenticationManager, XX.XXXX.Extension" />
</identityConfiguration>
</system.identityModel>
<location path="health-check.axd">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</location>
</configuration>
the sample request that works from SOAP UI:
<soap:Envelope xmlns:soa="http://XXX.com.au/soa" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ing="http://schemas.datacontract.org/2004/07/XXX.Contract.Vault.DataContract" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IService1/DoWork</a:Action>
<a:MessageID>urn:uuid:b48f6fa8-f5f2-48d8-a06b-1a202c71ed30</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1"></a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2015-10-26T10:47:54.721Z</u:Created>
<u:Expires>2015-10-26T10:53:54.721Z</u:Expires>
</u:Timestamp>
<Assertion ID="_e058ad04-1d5e-47cf-9fbc-d65aecfaf9ef" IssueInstant="2015-10-24T06:22:37.086Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">...</Assertion>
</o:Security>
</soap:Header>
<soap:Body>
....
.....
</soap:Body>
</soap:Envelope>
you see that here the SAML assertion included under tag, if I remove this then service will not work says security message header not present error.

this seems to be security tag required since I am using federation binding and Identity model for tokens. anyway java service was able to consume the service after they wrap token in genrericXMLtoken which generates the security tag.

Issues creating client for WCF Service using Federation

After modifying my service to use federation (see web.config below) I'm having trouble on my client getting it connected. In all that I have read it seems I should be able to just create
var client = new MyService()
and then set username and password on that credential and then WCF takes care of the STS token stuff, but I do not have a constructor that takes 0 arguments, I only have one that takes a binding and endpoint address. I do not see a way to create the binding manually and would just like to use it the default way, before when I was just using a basicHTTPBinding with Https I was able to create the client with the default constructor I don't see why this does not follow same logic.
The service has web.config as such:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<listeners>
<add type="Microsoft.WindowsAzure.Diagnostics.DiagnosticMonitorTraceListener, Microsoft.WindowsAzure.Diagnostics, Version=2.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" name="AzureDiagnostics">
<filter type="" />
</add>
</listeners>
</trace>
</system.diagnostics>
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<machineKey decryption="AES" decryptionKey="[DecrpytKey]" validation="SHA1" validationKey="[ValidationKey]" />
</system.web>
<system.serviceModel>
<services>
<service name="MyService">
<endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="wsFedBinding" contract="MyService.IMyService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://myservice.cloudapp.net/MyService.svc" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<wsFederationHttpBinding>
<binding name="wsFedBinding">
<security mode="TransportWithMessageCredential">
<message>
<issuer address="http://mysts.com"/>
<issuerMetadata address="https://mysts.com/adfs/services/trust/mex" />
<claimTypeRequirements>
<add claimType="http://mysts.com/user/UserDomain" isOptional="true"/>
<add claimType="http://mysts.com/user/Alias" isOptional="true"/>
</claimTypeRequirements>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials useIdentityConfiguration="true">
<!--Certificate added by Identity and Access Tool for Visual Studio.-->
<serviceCertificate findValue="[Thumbprint]" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
<serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="false" />
</system.webServer>
<connectionStrings>
[Some connection strings]
</connectionStrings>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://myservice.cloudapp.net/MyService.svc" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://mysts.com">
<keys>
<add thumbprint="[Thumbprint]" />
</keys>
<validIssuers>
<add name="http://mysts.com" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="ChainTrust"/>
<securityTokenHandlers>
<add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</securityTokenHandlers>
</identityConfiguration>
</system.identityModel>
<appSettings>
<add key="ida:FederationMetadataLocation" value="https://mysts.com/FederationMetadata/2007-06/FederationMetadata.xml" />
<add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
</configuration>

IIS Express 404 - The resource cannot be found in MVC4

I found a very useful article
to practice WCF.
Basically I create a library service.dll to do wcf stuff. Then add it to my asp.net mvc 4 project wsccc1.
To test the service: I typed in the url http://localhost:59899/wservice.svc or http://localhost:59899/wsccc1/wservice.svc in the browser.
Then I got the error:
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies)
could have been removed, had its name changed, or is temporarily unavailable.
Please review the following URL and make sure that it is spelled correctly.
Requested URL: /wservice.svc
The web.config of the web project is.
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<appSettings>
<add key="webpages:Version" value="2.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="PreserveLoginUrl" value="true" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>
<system.web>
<httpRuntime targetFramework="4.5" />
<compilation debug="true" targetFramework="4.5" />
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true">
<serviceActivations>
<add factory="System.ServiceModel.Activation.ServiceHostFactory"
relativeAddress="~/wsccc1/wservice.svc"
service="service.wservice"/>
</serviceActivations>
</serviceHostingEnvironment>
<bindings />
<client />
</system.serviceModel>

This code in the webconfig: relativeAddress="~/wsccc1/wservice.svc" doesnt match the URL you are querying.
http://localhost:59899/wservice.svc

IIS dynamic compression for multipart/related

I'm using WCF and STS for security. I enabled IIS compression for the dynamic type thus
<dynamicTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/x-javascript" enabled="true" />
<add mimeType="application/xml" enabled="true" />
<add mimeType="application/soap+xml" enabled="true" />
<add mimeType="application/xop+xml" enabled="true" />
<add mimeType="application/soap+msbin1" enabled="true" />
<add mimeType="*/*" enabled="false" />
</dynamicTypes>
and it works fine for metadata and STS service calls.
However for all the "regular" calls to the service I get a reply of type multipart/related containing the response and the security token together.
I'd like to get that response compressed if possible and I don't know how to do it. Setting the compression for everything
<add mimeType="*/*" enabled="true" />
does compress the response but setting it to
<add mimeType="multipart/related" enabled="true" />
doesn't.
The Content-Type of the response is
Content-Type: multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:cb4a14b1-e162-41ee-80b8-752744d327eb+id=136";start-info="application/soap+xml"
Cheers.

IIS Express HTTP Error 401.2 - Unauthorized

I have tried the suggestions in this post but I can not get Windows Authentication working with IIS Express in Vision Studio 2010. Now I get following error:
Here are my applicationhost.config file entries:
...
<add name="WindowsAuthenticationModule" lockItem="false" />
...
<authentication>
<anonymousAuthentication enabled="true" userName="" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="false">
</iisClientCertificateMappingAuthentication>
<windowsAuthentication enabled="true" />
</authentication>
...
<sectionGroup name="authentication">
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="basicAuthentication" overrideModeDefault="Allow" />
<section name="clientCertificateMappingAuthentication" overrideModeDefault="Allow" />
<section name="digestAuthentication" overrideModeDefault="Allow" />
<section name="iisClientCertificateMappingAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
</sectionGroup>
My web.config:
<system.web>
<authentication mode="Windows" />
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
This is .NET 4

Make sure you have something like below in your applicationhost.config file
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
This file is probably in %HOMEPATH%\Documents\IISExpress\config\

I've had such a problem in VS 2013 with IIS 8.0 Express when I wanted to update Service Reference. A dialog popped up asking for username/password. A strange substring was added to the service url:
_vti_bin/ListData.svc
I started configuring windows authentization as mentioned in some posts in this page in applicationhost.config. Finally, the working configuration can't have Negotiate provider:
<windowsAuthentication enabled="true">
<providers>
<!--<add value="Negotiate" />-->
<add value="NTLM" />
</providers>
</windowsAuthentication>
And the anonymous authentication must be disabled:
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />

Try adding the following to your web.config.
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>