WCF Authentication & Authorization using Windows Identity Foundation - wcf

I am working on a asp.net mvc application and a WCF service which will be accessed by the mvc app. I am using WIF based STS website to do authentication and authorization on mvc app. Now I want to achieve the same thing on each method of web service.
I am thinking whether I can pass the claims info I have in MVC App to the WCF to do authentication and authorization. I dont want WCF to contact STS again for authentication. I cannot use windows authentication. I also want to make use of ClaimsAuthorizationManager to achieve this.
If anybody has some about it please share. It will be a big help for me.
Joe

If your WCF Service is not REST, then maybe you can find the answer here Identity Delegation with AD FS 2.0 Step-by-Step Guide
If your WCF Service is RESTful, check-out the example 8-ActiveRestClientFederation (download from Identity Guidance); Dominick Baier's guide Token-based Authentication for WCF REST Service and from Stefan's blog Secure your REST-based WCF service with WIF.
Hope this helps.

Related

securing WCF service with OAuth 2.0

I followed the example in the article http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
this works great for WEB API, how would I secure a WCF service the same way? I would like to have it communicate to the authorization server coded with OWIN and WEB API, is there a WCF binding that will communicate with it? or any other way to do this?

Difference between ASP.NET Web API and WCF regarding the Authentication mechanisms

I am making a choice between ASP.NET Web API and WCF.
I am not quite sure about the authentication part. Could some one shed some light on the differences?
I suppose there would be no actual difference under the hood. After all, the authenticaton mechanism refers to the HTTP request level on the ASP.NET engine integrated in IIS. It should have nothing to do with whether the module responding the specific HTTP request is implemented as an ASP.NET web page, WCF or Web API endpoint.
Nevertheless, there would be some differences in modelling and perhaps in configuration. WCF models the authentication mechanism as a "WCF authentication service" while Web API uses the normal security model of ASP.NET.
Use this WCF and ASP.NET security guide and this Web API security guides as a reference.
Hope I helped!

ASP.NET Client Application Services Authentication and WCF

I have a WPF application that uses Client Application Services to allow authentication (username/password logon) against a related web application that uses Forms authentication and the SqlMembershipProvider/SqlProfileProvider/SqlRoleProvider. This all works and I can reliably validate a user/password combination.
The WPF application also calls a number of WCF services that are exposed by the same web application as is used for the CAS authentication. I now want to be able to pass through the authentication details (from Client Application Services) to the WCF services in order that I can identify the user that was authenticated within those services. I also need to be able to prevent the WCF services from being used if no authentication has taken place.
I have found a couple of .NET 3.5 examples where CAS authentication is used against .asmx web services, or authentication is provided against WCF Data Services which does not use ClientBase and has authentication facilities built in, but I cannot find any examples with pure WCF. Can anybody point me toward instruction that will enable this scenario? I am using .NET 4.0 for this project.
I have also found this stackoverflow question but again this is answered for .asmx web services and not for WCF.
The closest I have gotten involves the creation of an OperationContextScope and then copying the cookie header from the ClientFormsIdentity object to an HttpRequestMessageProperty and adding this to the OutgoingMessageProperties of the current OperationContext. I then call one or more methods of the service within the lifespan of the OperationContextScope. Thing is, when I then get to the WCF service, I still cannot see anything that resembles authentication in such a way as I can identify the original user. This methodology has been taken from various examples but I am obviously missing a step at the WCF end.
I think you need to switch to the Web API that Microsoft is now having people use for WCF Services. Check out Using Forms Authentication with Web API and http://aamirposwal.blogspot.com/2012/05/aspnet-web-api-custom-authorize-and.html
Found it.
In my binding, I specified allowCookies="true".
According to Wiktor Zychla, "setting the AllowCookies property on a BasicHttpBinding to true turns on the automatic cookie management" - this means that any attempt to set a cookie in code will be ignored and this is what I was doing.

WCF service with WIF AD Single sign on

I have an Excel add-on which connects to a WCF endpoint located in our network to collect data. We're considering moving the application out to Windows Azure.
Currently the users are authenticated using their windows log on. I know that WIF, ACS and ADFS can allow us to authenticate on a web app but wondered if this would be possible with the WCF client.
Thanks
See here: Securing WCF Services with ACS
Also ACS and the code samples within.
If you are looking for delegation i.e. sign on using WIF and use that token for WCF, there's a delegation scenario and sample in the WIF SDK.

How to integrate SAML authentication into WCF web service application

I have a WCF web service application built and tested on IIS7. Regarding authentication I wanted to implement a sql server hosted userd id and password authentication for consumers accessing the operations in the web service. However I was told that my company policy dictates that I implement SAML into my web service. That means any client that is accessing my web service operations need to be authenticated using SAML 2.0. I am not familiar with SAML but like to know and get started on how to implement it within my web serivice. I keep hearing two terms - Service Provider and Identity Provider, based on definitions on the web, I am assuming the service provider is my web service. identity provider is where the user authenticates to and the identity provider provides a assertion to my web service and then I let the client access the operations. I understand the theory but not sure how to put into practical implementation. Clients accessing my web service are not internal , i.e. they are external (extranet clients), so in this case what will be the identity provider and how do I add code to my web serice to make it a service provider?
I hope you understand my dilemma, can anyone explain the approach I need to take and any samples or tutorials that help me complete the web service is greatly appreciated.
I think SAML 2.0 is not provided by standard WCF. To make it work you must combine WCF with WIF (Windows identity foundation). Here you have very complex example of usage WCF with WIF and claim based authorization. The example uses SAML 1.1 but it is only configuration change to make it work with SAML 2.0.
Your problem is generally called Federated authentication or Federated identity where user authenticates against STS (service token service) and it receives security token (it can be for example SAML token). Than the client calls real service (RP - relaying party) where it passes its security token. So what are you going to build? If your company policy demands SAML usage they most probably already have STS and you just need to authenticate clients by SAML tokens as mentioned in the article.
Since 2011, support for Claims-Aware WCF Services has apparently improved with the release of .NET 4.5. I'll copy info from that article in case it ever changes, but as of the time of this answer, the process appeared to be as simple as:
Adding a reference to WIF (Microsoft.IdentityModel.dll) in your WCF Service project. Since this is delivered with .NET 4.5, I do not believe a NuGet package is necessary.
Use the following code sample to create a self-hosted Claims-Aware service:
var host = new ServiceHost(typeof(ClaimsAwareWebService), new Uri("myUri"));
FederatedServiceCredentials.ConfigureServiceHost(host);
host.Open();
Set your WCF service to use the federatedServiceHostConfiguration Behavior Extension.