In a real SOA implementation you will probably be exposing many WCF services that you need to secure. There are many blog posts about STS and WCF, but none of them walks you through a basic implementation of a custom STS using Windows Identity Foundation (WIF) to secure your WCF services. If you are just starting with STS/WIF, or you have spent some time trying to implement a basic STS with no luck, this post is for you. I assume you are already familiar with what an STS is as an authentication mechanism, with WCF in general, and with Visual Studio. When you finish all the steps, you should have an STS, a console client, and a WCF service that uses the STS for authentication.
I've added the images to allow you to follow easily with the steps.
This demonstration assumes that you will code on one machine that hosts the console client, the service and the custom STS. I use a machine named VS2010 in the domain contoso.com.
You will need to prepare a single certificate that will be used to sign and encrypt the STS tokens. To do so, create a self-signed certificate from IIS Manager (Server Certificates), then bind it to the Default Web Site as its SSL certificate (HTTPS binding). The certificate ends up in the Local Computer Personal store; the identity of the application pool running the STS needs read access to its private key, otherwise the STS cannot sign tokens.
This step is critical. If you skip it, your STS will probably see only anonymous users when it authenticates callers.
You should be able to view the content of that XML file in your browser. This confirms that your STS was created successfully.
Now we will configure the WCF service to use the STS for security.
1. Right-click the project “SecureWCFService” and click “Add STS Reference”.
2. In the first screen, leave all defaults and click “Next”.
3. In the second screen, leave all defaults as well and click “Next”.
4. In the next screen, select “Use an Existing STS”.
5. In the “STS WS-Federation Metadata document location” box, type the address of the STS federation metadata file. It should be something like “http://vs2010.contoso.com/DemoSTS/FederationMetaData/2007-06/FederationMetaData.xml”. Then click “Next”.
6. Click “Enable Encryption”, then click “Select an Existing Certificate from Store”.
7. Click “OK” when the certificate is selected, then click “Next”.
8. In the next screen, click “Next”.
9. In the final screen, click “Finish”. Make sure that the checkbox “Schedule task to perform…” is unchecked.
1. Open the “web.config” file of the “DemoSTS” project.
2. Modify the “appSettings” section to specify the certificates that you want to use for encryption and signing. After you modify it, it should look something like this…
Note: In the above example, I use the same certificate for both signing and encryption. In real-life scenarios those certificates should be different: the signing certificate is the STS's own, and its private key must stay on the STS; the encrypting certificate belongs to the relying party (the WCF service), which is the only party that should hold the private key needed to decrypt the token, so the STS needs only its public part. Using one certificate for both works here only because everything runs on one machine.
3. Save the “web.config” file and close it.
4. Right-click the project “SecureWCFService” and click “Update Federation Meta Data”.
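Since the web.config in the post is only shown as a screenshot, here is an added example (not the page's own configuration) of what the appSettings section looks like when the DemoSTS project was created from the WIF SDK STS template, which reads the signing and encrypting certificates by subject name from the Local Computer Personal store through the keys SigningCertificateName and EncryptingCertificateName. The subject name CN=vs2010.contoso.com is assumed to be the one given to the self-signed certificate; the second fragment is the production shape with separate certificates, and its names are hypothetical. The two fragments are alternatives, not meant to appear in one file.

```xml
<!-- Demo (everything on one machine): the same self-signed certificate
     signs the token and is the key it is encrypted for.
     Subject names are assumptions; use the CN of the certificate you created. -->
<appSettings>
  <add key="SigningCertificateName" value="CN=vs2010.contoso.com" />
  <add key="EncryptingCertificateName" value="CN=vs2010.contoso.com" />
</appSettings>

<!-- Production shape (hypothetical names): the signing certificate is the STS's own
     key (private key only on the STS); the encrypting certificate is the relying
     party's certificate, of which the STS needs only the public part. -->
<appSettings>
  <add key="SigningCertificateName" value="CN=sts.contoso.com" />
  <add key="EncryptingCertificateName" value="CN=securewcfservice.contoso.com" />
</appSettings>
```

A quick check after editing: the value must match the certificate's subject exactly as the store shows it (for example “CN=vs2010.contoso.com”), and the STS application pool identity must be able to read the signing certificate's private key; a wrong name or missing key permission surfaces as a signing failure when the STS issues its first token.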
Now we will create a console application and modify the service code to read the claims in the STS token.
1. Add a simple console application to the same solution so that its structure looks like this:
2. Right-click “DemoConsole”, the console application project you have just added, and select “Add Service Reference”:
3. In the “Add Service Reference” dialog, click “Discover” and wait until the “Address” text box is populated with the address of the WCF service you created. Double-click the service name in the “Services” list box; in the picture below it is “SecureWCFService/Service.svc”. Then click “OK”:
4. Now test that the client and service actually work by populating the “Main” method of the console application's “Program” class with the following code:
5. Modify the “GetData” function in the service code as well, so that it lists all claims. The code should look like the following…
6. Now compile everything and run the console application.
7. Set the console application as the start-up project and press F5. You should see the following console output after a while:
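The client and service code in steps 4 and 5 appear only as screenshots, so the following is an added example (mine, not the author's) of both pieces. It assumes the WIF 1.0 API (Microsoft.IdentityModel.dll) that the VS2010 “Add STS Reference” wizard references, the default IService/GetData(int) contract of the WCF Service Application template, and that Visual Studio generated the service reference under the default names DemoConsole.ServiceReference1 and ServiceClient; the demo account and password are placeholders. The two files are shown in one block.

```csharp
// ---- SecureWCFService\Service.svc.cs (added example) ----
// Lists every claim the STS put into the token, rather than only returning data.
using System;
using System.Text;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // WIF 1.0, referenced by the Add STS Reference wizard

public class Service : IService
{
    public string GetData(int value)
    {
        // With the configuration the wizard wrote, WIF validates the issued token and
        // replaces Thread.CurrentPrincipal with a claims principal built from it.
        IClaimsPrincipal principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            // Fail closed: no validated token means no data.
            throw new UnauthorizedAccessException("Caller did not present a valid STS token.");
        }

        StringBuilder output = new StringBuilder();
        output.AppendFormat("You entered: {0}", value).AppendLine();
        foreach (IClaimsIdentity identity in principal.Identities)
        {
            output.AppendFormat("Identity: {0}", identity.Name).AppendLine();
            foreach (Claim claim in identity.Claims)
            {
                // Issuer identifies the STS that asserted the claim; authorization logic
                // should check it, not only the claim type and value.
                output.AppendFormat("  {0} = {1} (issuer: {2})",
                    claim.ClaimType, claim.Value, claim.Issuer).AppendLine();
            }
        }
        return output.ToString();
    }
}

// ---- DemoConsole\Program.cs (added example) ----
// Calls the service through the issued-token binding generated by Add Service Reference.
using System;
using DemoConsole.ServiceReference1;   // assumed default name of the service reference

class Program
{
    static void Main()
    {
        ServiceClient client = new ServiceClient();   // assumed default proxy name for Service.svc
        // These credentials go to the STS in the token request; the service itself
        // never sees them, only the signed and encrypted token the STS issues.
        client.ClientCredentials.UserName.UserName = "CONTOSO\\demouser";   // placeholder account
        client.ClientCredentials.UserName.Password = "demo-password";       // placeholder; never hard-code real secrets
        try
        {
            Console.WriteLine(client.GetData(42));
            client.Close();
        }
        catch (Exception ex)
        {
            client.Abort();   // a faulted channel must be aborted, not closed
            Console.WriteLine(ex);
        }
        Console.ReadLine();
    }
}
```

Because the certificate from the first step is self-signed, the console client's default certificate validation (chain trust) rejects it unless the certificate is also placed in the client machine's Trusted Root Certification Authorities store; do that rather than turning certificate validation off, even for a demo.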
Thank you, thank you, THANK YOU! I have been reading and reading all kinds of material, scouring different sites, trying out tutorial after tutorial and come away with nothing but confusion. That is, until I came across this posting. Following your guidance, I was actually able to get an STS up and running! Bless you!
Hi.. I want to implement it with a SharePoint site.... Can you help me?
I am getting one window; it's asking for Windows CardSpace.
This is my issue.
Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel.
Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint
Hi.. really nice post.
I have one doubt over here. From the Demo console we pass the username and password.
How do I authenticate the username and password? I mean, where shall I have my authentication logic?
Nice article. I am wondering whether it would be possible to include the source code sample. I followed the example and I am getting a symmetric encryption key exception. If I get a chance to compare the code, it will be very helpful to fix the issue.
Same problem here just like Krunal Jani
"I am getting one window its asking for windows card space."
Any solutions ?