I have a wcf service which is connected to an adfs as a relaying party. This adfs is acting as a identity provider. now in client side there is a Java client which want to call the wcf service but before that it have to authenticated in adfs with username and pass for token. I have successfully done it for .Net client but do not have any idea for java client..Can anyone help?
For web services, ADFS uses WS-Trust.
The Metro stack e.g. implements this but for a standalone client you probably need something like axis2 which implements this via Apache Rampart.
Related
I did a Silverlight RIA Bussiness application. The server side requieres authentication and is going over https.
From the server side, I want to acces to an external web service which also needs credentials and also goes over https. The point is that the required credentials for the web service are the same the credentials required for the RIA business service.
I would like to:
1.-To create an intance of the web service in the RIA service business application service side
2.- Set the web service credentials = RIA service business application credentials (which are, obvisuly, already authenticated)
My untuiton says that there must be a way to do this but I have no idea how. Anyway, my untuition has been wrong so many times...
I need to host a WCF service that will give its clients access to internal business systems on a public facing web server. Obviously I must secure this so that no one from the outside world even knows the service exists, let alone be able to call methods and access the data it exposes.
The overall idea is that the public facing website hosted on the same machine will call the WCF service and then the WCF service will provide it with the required data...
Public Facing Web Site <-> WCF Service <-> Business Systems / Databases
So I need to understand how to secure the service so it can only be accessed via the public facing website.
Ideas I had..
IIS filtering so that the IIS Site hosting the WCF service will only accept requests from a certain IP address.
Obscure port that will not be allowed through the public facing firewall.
Protocol such as NetTCP or NamedPipes
But what about the actual WCF security set up? As both the Public Facing Site and the service are on the same machine is Windows Authentication as option? Questions I have regarding this are...
Should the service client and the service simply use Windows Authentication?
Do I need specific user accounts as opposed to Network Service? If the website runs under network service would this then automatically authenticate to the service?
My objective is that someone in the outside world should not know of the services existance or be able to make access to it.
Thanks in advance.
Technical environment is: IIS7, .Net 4 and WCF 4.
I would suggest you create a http handler '.ashx' and use that as the endpoint for client requests.
If your using asp.net you can secure it by using simple forms authentication and retrieving username and password from the request headers to authenticate the request.
Then execute any requests to your business webservices which is also secured by your forms authentication.
Cheers
I have a silverlight 4 application which needs to consumes some services hosted on a Java (I think CXF) Web Service.
For some reasons, I can't access directly the service so I have to go through a relay service.
I created a WCF relay service.
The service uses SOAP 1.2 and WS addressing 1.0
What I ask is.. what level of security can I reach?
The ideal situation is to use a mutual authentication of the server (CXF) and my client.
If Silverlight does not support this, the second possibility is to have a "simple" https connection between my silverlight client and my relay server, but then, is it possible to "add" a mutual authentication between the relay and CXF? Or the only possible solution is to have a simple SSL connection with only the server authentication?
I have a WCF web service application built and tested on IIS7. Regarding authentication I wanted to implement a sql server hosted userd id and password authentication for consumers accessing the operations in the web service. However I was told that my company policy dictates that I implement SAML into my web service. That means any client that is accessing my web service operations need to be authenticated using SAML 2.0. I am not familiar with SAML but like to know and get started on how to implement it within my web serivice. I keep hearing two terms - Service Provider and Identity Provider, based on definitions on the web, I am assuming the service provider is my web service. identity provider is where the user authenticates to and the identity provider provides a assertion to my web service and then I let the client access the operations. I understand the theory but not sure how to put into practical implementation. Clients accessing my web service are not internal , i.e. they are external (extranet clients), so in this case what will be the identity provider and how do I add code to my web serice to make it a service provider?
I hope you understand my dilemma, can anyone explain the approach I need to take and any samples or tutorials that help me complete the web service is greatly appreciated.
I think SAML 2.0 is not provided by standard WCF. To make it work you must combine WCF with WIF (Windows identity foundation). Here you have very complex example of usage WCF with WIF and claim based authorization. The example uses SAML 1.1 but it is only configuration change to make it work with SAML 2.0.
Your problem is generally called Federated authentication or Federated identity where user authenticates against STS (service token service) and it receives security token (it can be for example SAML token). Than the client calls real service (RP - relaying party) where it passes its security token. So what are you going to build? If your company policy demands SAML usage they most probably already have STS and you just need to authenticate clients by SAML tokens as mentioned in the article.
Since 2011, support for Claims-Aware WCF Services has apparently improved with the release of .NET 4.5. I'll copy info from that article in case it ever changes, but as of the time of this answer, the process appeared to be as simple as:
Adding a reference to WIF (Microsoft.IdentityModel.dll) in your WCF Service project. Since this is delivered with .NET 4.5, I do not believe a NuGet package is necessary.
Use the following code sample to create a self-hosted Claims-Aware service:
var host = new ServiceHost(typeof(ClaimsAwareWebService), new Uri("myUri"));
FederatedServiceCredentials.ConfigureServiceHost(host);
host.Open();
Set your WCF service to use the federatedServiceHostConfiguration Behavior Extension.
I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
you can use a certificate to sign the WCF messages (it's all in the WCF Settings) on both sides (client and server)
Here is some detailed explanation:
Message Security