GD Bloggers

This is the blog site for Microsoft Global Delivery Communities focused in sharing the technical knowledge about devices, apps and cloud.

Securing WCF Services with Custom WIF STS: A Step-By-Step guide


In a real SOA implementation you will probably be exposing many WCF services that need to be secured. Many blogs cover STS and WCF, but none of them walks you through a basic implementation of a custom STS built on Windows Identity Foundation (WIF) that secures your WCF services. If you are just starting with STS/WIF, or you have spent some time trying to implement a basic STS with no luck, this post is for you. I assume you are already familiar with what an STS is as an authentication mechanism, with WCF in general, and with Visual Studio. When you finish all the steps you will have an STS, a console client and a WCF service that uses the STS for authentication.

I've added images so that you can follow the steps easily.

Pre-requisites:

Environment Description and preparing certificates

This demonstration assumes that you will do everything on a single machine, which hosts the console client, the service and the custom STS. I use a machine named VS2010 in the domain contoso.com.

You will need to prepare a single certificate that the STS will use to sign and encrypt the tokens it issues. To do so, create a self-signed certificate from IIS Manager (Server Certificates, then Create Self-Signed Certificate) and add an HTTPS binding on the Default Web Site that uses it. The certificate lands in the local machine Personal store, which is where the STS and the service look it up later; make sure the IIS application pool identity has read access to its private key, otherwise the STS cannot sign tokens and the service cannot decrypt them. A self-signed certificate is fine for this walkthrough, but outside a development box use one issued by a CA you control.

Steps to create your custom STS:

  • Create Custom STS with Visual Studio
  • Creating claims aware WCF Service
  • Secure WCF Service with STS
  • Update the STS to use specific certificates for encryption and signing
  • Create and run console application

Create Custom STS with Visual Studio

  • Create an empty VS2010 solution. Name it “STSDemoSolution”.
  • Right-click the solution node in Solution Explorer and choose “Add-->New Web Site”.
  • In the “Add New Web Site” dialog, select “WCF Security Token Service” as the project type, then in the “Web location” drop-down select “http” and in the text box enter the address on the development IIS where you want to put the service. In this example the address is “http://vs2010.contoso.com/DemoSTS”, where vs2010.contoso.com is the FQDN of the local development machine. Finally press “OK”.

  • Compile the solution and make sure that it runs successfully.
  • Open the “web.config” of the “DemoSTS” project and modify the “ws2007HttpBinding” so that the message security uses “Windows” authentication. It should look like the following…

This step is critical. If you skip it, the STS will not authenticate callers at all and will issue tokens for anonymous users only.

  • To ensure that your STS is working, browse to the folder “FederationMetadata/2007-06” in the STS project, right-click the “FederationMetadata.xml” file and choose “View in Browser”.

You should see the content of that XML file in your browser: the STS endpoints and the certificate it signs tokens with. This confirms that the STS was created successfully.
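As an added illustration (not a screenshot from the original post), this is what the relevant part of the DemoSTS web.config looks like after the change. The binding name “ws2007HttpBindingConfiguration”, the endpoint layout and the WSTrust contract names are assumed to be the ones the WIF template generated; keep whatever names your copy has. The first binding is included only as the weak counterpart: with clientCredentialType="None" the STS never authenticates the caller and every token it issues describes an anonymous identity.

```xml
<system.serviceModel>
  <bindings>
    <ws2007HttpBinding>
      <!-- WEAK: message security without client credentials. Every caller is
           anonymous, so the STS would hand out tokens to anyone who can reach it. -->
      <binding name="ws2007HttpBindingConfiguration_Anonymous">
        <security mode="Message">
          <message clientCredentialType="None" establishSecurityContext="false" />
        </security>
      </binding>

      <!-- CORRECT for this walkthrough: message security with Windows authentication.
           The caller proves a domain identity (Kerberos/NTLM inside the SOAP message)
           before the STS issues a token, and that identity is the source of the claims. -->
      <binding name="ws2007HttpBindingConfiguration">
        <security mode="Message">
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <services>
    <!-- The STS endpoint must reference the Windows-authenticated binding above
         (service and contract names as generated by the WIF template; assumption). -->
    <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract"
             behaviorConfiguration="ServiceBehavior">
      <endpoint address="IWSTrust13"
                binding="ws2007HttpBinding"
                bindingConfiguration="ws2007HttpBindingConfiguration"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>
```

After saving, browse the STS metadata again: the WS-Trust endpoint's policy should now advertise Windows (Kerberos/SPNEGO) message credentials, which is what the client proxy later picks up through the service's federation metadata.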

 

Creating Claims Aware WCF Service

  • Right-click the solution node in Solution Explorer and choose “Add” → “New Web Site”.

  • In the “Add New Web Site” dialog, select “Claims-aware WCF Service” as the project type, then in the “Web location” drop-down select “http” and in the text box enter the address on the development IIS where you want to put the service. In this example the address is “http://vs2010.contoso.com/SecureWCFService”, where vs2010.contoso.com is the FQDN of the local development machine. Finally press “OK”.

  • Your project should look like this:

Secure WCF Service using STS

Now we will configure the WCF service to use the STS for security, using the “Add STS Reference” wizard (FedUtil).
1. Right-click the project “SecureWCFService” and click “Add STS Reference”.

2. In the first screen, leave all defaults and click “Next”.

3. In the second screen, leave all defaults as well and click “Next”.

4. In the next screen, select “Use an Existing STS”.
5. In the “STS WS-Federation metadata document location” box, type the address of the STS federation metadata file. It should be something like “http://vs2010.contoso.com/DemoSTS/FederationMetaData/2007-06/FederationMetaData.xml”. The wizard reads the STS signing certificate and endpoints from this document, so it must be the metadata you viewed in the browser earlier. Then click “Next”.

6. Tick “Enable Encryption”, then click “Select an Existing Certificate from Store” and pick the certificate you prepared earlier. This is the certificate the STS will encrypt tokens to, so the service (its application pool identity) must be able to read the private key in order to decrypt them.
7. Click “OK” when the certificate is selected, then click “Next”.
8. In the next screen click “Next”.
9. In the final screen click “Finish”. Make sure that the checkbox “Schedule task to perform…” is unchecked.

The wizard writes the WIF configuration into the service's web.config (the trusted issuer's signing certificate, the audience URI and the service certificate used for decryption) and generates the service's own FederationMetadata.xml.


Update STS to use specific certificates for signing and encryption

1. Open the “web.config” file of the “DemoSTS” project.
2. Modify the “appSettings” section to specify the certificates that you want to use for encryption and signing. The encryption certificate must be the one you selected in the “Add STS Reference” wizard, because the service decrypts incoming tokens with that certificate's private key; if the two do not match, the service cannot unwrap the token's symmetric key and rejects the call. After you modify it, it should look something like this…

Note: In the above example I use the same certificate for both signing and encryption. In real-life scenarios those certificates should be different: the signing key proves that the STS issued the token, the encryption key lets only the target service read it, and keeping them separate limits what a compromise of either one exposes.

3. Save the “web.config” file and close it.
4. Right-click the project “SecureWCFService” and click “Update Federation Metadata”, so that the service picks up the STS's current signing certificate from the STS federation metadata.
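As an added example (not a screenshot from the original post), this is the appSettings section after the change. The key names IssuerName, SigningCertificateName and EncryptingCertificateName are the ones the WIF STS template uses to look certificates up by subject name in the local machine Personal store; the subject “CN=vs2010.contoso.com” assumes the IIS self-signed certificate was issued to the machine's FQDN. Confirm both against your own web.config and certificate.

```xml
<appSettings>
  <!-- Name the STS writes as the issuer of every claim it puts in a token.
       The relying party identifies the STS by the signing certificate that the
       "Add STS Reference" wizard registered, not by this string. -->
  <add key="IssuerName" value="DemoSTS" />

  <!-- Subject of the certificate (LocalMachine\My) used to sign issued tokens.
       The template looks it up by subject name, so this must match exactly. -->
  <add key="SigningCertificateName" value="CN=vs2010.contoso.com" />

  <!-- Certificate whose public key the STS uses to encrypt tokens. Its private key
       belongs to the relying party (SecureWCFService). It is the same certificate
       here only because this is a single-box demo, as the note above says. -->
  <add key="EncryptingCertificateName" value="CN=vs2010.contoso.com" />
</appSettings>
```

If you later replace the signing certificate, repeat step 4 (“Update Federation Metadata”) on the service, otherwise its issuer name registry still trusts the old thumbprint and every token is rejected as coming from an untrusted issuer.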

Create console application and modify the WCF Service to list all claims in the token of STS

Now we will create a console application and modify the service code to read the claims in the STS token.
1. Add a simple console application named “DemoConsole” to the same solution, so that its structure looks like this:

2. Right-click “DemoConsole”, the console application project you've just added, and select “Add Service Reference”:

3. In the “Add Service Reference” dialog click “Discover” and wait until the “Address” text box is populated with the address of the WCF service you created. Double-click the service name in the “Services” list box; in the picture below it is “SecureWCFService/Service.svc”. Then click “OK”. Check the generated app.config afterwards: the ws2007FederationHttpBinding should contain the STS issuer address and issuer binding taken from the service's federation metadata. If the issuer element is empty, WCF treats the local issuer as Windows CardSpace and the client prompts for a card instead of calling your STS.

4. Now test that the client and service actually work by populating the “Main” method of the console application's “Program” class with the following code:

5. Modify the “GetData” function in the service code so that it also lists all the claims in the caller's token. The code should look like the following…

6. Now compile everything and run the console application.
7. Set the console application as the start-up project and press F5. After a while you should see a console prompt listing the claims the STS issued:
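The code for steps 4 and 5, as an added example rather than the screenshots from the original post: a service implementation that echoes every claim WIF placed on the thread, and the console client that calls it. Assumptions: the service contract is the template's IService with a GetData(int) operation (the interface is repeated here only so the file is complete; drop it if the template's IService.cs already exists), the generated proxy namespace is ServiceReference1, and the WIF 3.5/4.0 API in Microsoft.IdentityModel is used, as on the page.

```csharp
// --- SecureWCFService/Service.cs ---
using System;
using System.ServiceModel;
using System.Text;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // WIF 3.5/4.0 (Microsoft.IdentityModel.dll)

[ServiceContract]
public interface IService
{
    // Assumed to match the template's contract; keep the generated one if present.
    [OperationContract]
    string GetData(int value);
}

public class Service : IService
{
    public string GetData(int value)
    {
        // Once WIF has validated the federated token (signature by the trusted STS,
        // audience, expiry, decryption with the service certificate) it replaces
        // Thread.CurrentPrincipal with an IClaimsPrincipal carrying the token's claims.
        IClaimsPrincipal principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            // Fail closed: never serve data without a validated claims identity.
            throw new FaultException("Caller is not authenticated by the STS.");
        }

        StringBuilder sb = new StringBuilder();
        sb.AppendLine("You entered: " + value);
        foreach (IClaimsIdentity identity in principal.Identities)
        {
            sb.AppendLine("Identity: " + identity.Name
                + " (authenticationType=" + identity.AuthenticationType + ")");
            foreach (Claim claim in identity.Claims)
            {
                // Issuer is the name the service's issuer name registry mapped to the
                // STS signing certificate; authorization logic should check it, since
                // any STS can mint a claim with the same type and value.
                sb.AppendLine("  " + claim.ClaimType + " = " + claim.Value
                    + "  [issuer: " + claim.Issuer + "]");
            }
        }
        return sb.ToString();
    }
}

// --- DemoConsole/Program.cs ---
// "ServiceReference1" is the namespace Add Service Reference generated in this
// walkthrough (assumption; use the name you chose). The generated app.config holds
// the ws2007FederationHttpBinding whose <issuer> element points at the STS.
class Program
{
    static void Main()
    {
        ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
        try
        {
            // The STS endpoint uses Windows message security, so the proxy first
            // authenticates to the STS as the account running this process, receives
            // a token, and presents that token to the service on the call below.
            // To test as a different domain account, assign a NetworkCredential to
            // client.ClientCredentials.Windows.ClientCredential rather than
            // hard-coding a password in source.
            string result = client.GetData(42);
            Console.WriteLine(result);
            client.Close();
        }
        catch (Exception ex)
        {
            // Abort rather than Close: a faulted channel cannot be closed cleanly.
            client.Abort();
            Console.WriteLine("Call failed: " + ex.Message);
        }
        Console.WriteLine("Press Enter to exit.");
        Console.ReadLine();
    }
}
```

With Windows authentication at the STS, the claims you see are the ones the template derives from the caller's Windows identity (name and group memberships); the service prints them rather than using them so that you can confirm end to end that the token was issued, encrypted to the service and validated.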

 

 

 Happy Coding:)

 

Comments
  • Thank you, thank you, THANK YOU! I have been reading and reading all kinds of material, scouring different sites, trying out tutorial after tutorial and come away with nothing but confusion. That is, until I came across this posting. Following your guidance, I was actually able to get an STS up and running! Bless you!

  • Hi, I want to implement it with a SharePoint site. Can you help me?

    I am getting one window; it's asking for Windows CardSpace.

    Thanks

    Krunal Jani

  • Hello...

    This is my issue.

    Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel.

    Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint

    Thanks

    Krunal Jani

  • Hi, really nice post.

    I have one doubt here: from the Demo console we pass the username and password.

    How do I authenticate the username and password? I mean, where shall I have my authentication logic?

    Thanks

    Vijeth

  • Nice article. I am wondering whether it would be possible to include the source code sample. I followed the example and I am getting a symmetric encryption key exception. If I get a chance to compare the code, it will be very helpful to fix the issue.

    Thanks,

    Rajesh

  • Hi

    Same problem here, just like Krunal Jani:

    "I am getting one window its asking for windows card space."

    Any solutions?

    Thanks

  • I too am getting an error regarding "Windows CardSpace". Is there anyone to help? Thank you, Sandesh Daddi
