In a real SOA implementation, you will probably be exposing many WCF services that you need to secure. There are many blogs around STS and WCF, but none of them guides you through a basic implementation of a custom STS using Windows Identity Foundation (WIF) to secure your WCF services. If you are just starting with STS/WIF, or you have spent some time trying to implement a basic STS with no luck, this blog is just for you. I assume you are already familiar with what an STS is as an authentication mechanism, with WCF in general and with Visual Studio. When you finish all the steps, you should have an STS, a console client and a WCF service that uses the STS for authentication.
I've added the images to allow you to follow easily with the steps.
Prerequisites:
- Visual Studio 2010
- The development machine has IIS installed (I use Windows 2008 R2)
- Windows Identity Foundation (WIF): download it from http://www.microsoft.com/download/en/details.aspx?id=17331
- Windows Identity Foundation SDK: download it from http://www.microsoft.com/download/en/details.aspx?id=4451
Environment Description and preparing certificates
This demonstration assumes that you will code on one machine only, which will host the console client, the service and the custom STS. I use a machine named VS2010 on the domain contoso.com.
You will need to prepare a single certificate that will be used for signing and encrypting the STS tokens. To do so, create a self-signed certificate from IIS, then use this certificate to encrypt the traffic of the IIS default website (SSL).
Steps to create your custom STS:
- Create Custom STS with Visual Studio
- Creating claims aware WCF Service
- Secure WCF Service with STS
- Update the STS to use specific certificates for encryption and signing
- Create and run console application
Create Custom STS with Visual Studio
- Create an empty VS2010 solution. Name it “STSDemoSolution”
- Right-click solution node in the solution explorer and choose “Add-->New Web Site”.
- In the “Add New Web Site” dialog window, select “WCF Security Token Service” as the project type, then in the “Web location” drop-down select “http” and in the text box enter the address on the development IIS where you want to put your service. In the given example the server address “http://vs2010.contoso.com/STSDemo” uses the FQDN of the local development machine. Finally press “OK”.
- Compile the solution and make sure that it runs successfully.
- Open the “web.config” of the “DemoSTS” project and modify the “ws2007HttpBinding” so that message security uses “Windows” authentication. It should look like the following…
This step is critical. If you skip it, your STS will probably accept anonymous users only for authentication.
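As an added illustration (not the post's own web.config), this is the shape of the binding after the change; the binding name is an assumption, so keep whatever name your generated file already uses:

```xml
<!-- Added example, not the post's web.config. The ws2007HttpBinding exposed by
     the STS template with message security switched to Windows authentication.
     The binding name is assumed; keep the one in your generated file. -->
<system.serviceModel>
  <bindings>
    <ws2007HttpBinding>
      <binding name="ws2007HttpBindingConfiguration">
        <!-- Message security: the RST/RSTR exchange itself is signed and
             encrypted, and the caller must present a Windows (Kerberos/NTLM)
             credential before the STS will issue a token. -->
        <security mode="Message">
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
</system.serviceModel>
```

If `clientCredentialType` is left at `None`, the STS has no caller identity to put in the token, which is the anonymous-user behaviour described above.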
- To ensure that your STS is working, browse to the folder “2007-06”, right-click the “FederationMetaData.xml” XML file and click “View in Browser”.
You should be able to view the content of that XML file in your browser. This ensures that your STS is created successfully.
Creating Claims Aware WCF Service
- Right-click the solution node in the solution explorer and choose “Add-->New Web Site”.
- In the “Add New Web Site” dialog window, select “Claims-aware WCF Service” as the project type, then in the “Web location” drop-down select “http” and in the text box enter the address on the development IIS where you want to put your service. In the given example the server address “vs2010.contoso.com” is the FQDN of the local development machine. Finally press “OK”.
- Your project should look like this:
Secure WCF Service using STS
Now we will configure the WCF service to use the STS for security.
1. Right click on the project “Secure WCF Service” and click “Add STS Reference”
2. In the first screen, leave all defaults and click “Next”.
3. In the second screen, leave all defaults as well and click “Next”.
4. In the next screen, select “Use an Existing STS”.
5. In the “STS WS-Federation Metadata document location” box, type the address of the STS Federation metadata file. It should be something like “http://vs2010.contoso.com/DemoSTS/FederationMetaData/2007-06/FederationMetaData.xml”. Then click Next.
6. Click “Enable Encryption”, then click “Select an Existing Certificate from Store”.
7. Click “OK” when the certificate is selected, then click “Next”.
8. In the next Screen click “Next”
9. In the final screen click “Finish”. Make sure that the checkbox “Schedule task to perform…” is unchecked.
Update STS to use specific certificates for signing and encryption
1. Open the “web.config” file of the “DemoSTS” project
2. Modify the “appSettings” section to specify the certificates that you want to use for the encryption and signing. After you modify it, it should look something like this…
Note: In the above example, I use the same certificate for both signing and encryption. In real-life scenarios, those certificates should be different: the signing certificate belongs to the STS, while the encryption certificate belongs to the relying party.
3. Save the “web.config” file and close it.
4. Right click on the project “SecureWCFService” and click “Update Federation Meta Data”
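To show where those appSettings certificates actually get applied inside the STS, here is an added example (not the blog's or the SDK template's code) of the two overrides every WIF 1.0 `SecurityTokenService` must implement. It assumes the `Microsoft.IdentityModel` assembly, an appSettings key named `EncryptingCertificateName` holding the relying party's certificate subject, and a constructed allow-list of relying-party addresses:

```csharp
// Added example, not the blog's code. GetScope applies the signing certificate
// from SecurityTokenServiceConfiguration and the encrypting certificate named in
// appSettings, and refuses token requests for unknown relying parties.
// Assumptions: WIF 1.0 (Microsoft.IdentityModel), appSettings key
// "EncryptingCertificateName", and the constructed AllowedAudiences list below.
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CustomSecurityTokenService : SecurityTokenService
{
    // Constructed sample: only these relying parties may receive tokens.
    static readonly string[] AllowedAudiences =
        { "http://vs2010.contoso.com/SecureWCFService/Service.svc" };

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");
        string audience = request.AppliesTo.Uri.AbsoluteUri;
        if (Array.IndexOf(AllowedAudiences, audience) < 0)
            throw new InvalidRequestException("Unknown relying party: " + audience);

        // Sign with the STS certificate (SigningCertificateName in appSettings).
        Scope scope = new Scope(audience, SecurityTokenServiceConfiguration.SigningCredentials);
        // Encrypt the token for the relying party's certificate.
        string encName = ConfigurationManager.AppSettings["EncryptingCertificateName"];
        scope.EncryptingCredentials = new X509EncryptingCredentials(FindCertificate(encName));
        scope.ReplyToAddress = audience;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Issue only the authenticated caller's name; add more claims as needed.
        IClaimsIdentity output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return output;
    }

    static X509Certificate2 FindCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly=true rejects expired or untrusted certificates.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectName, true);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected one certificate for " + subjectName);
            return found[0];
        }
        finally { store.Close(); }
    }
}
```

The IIS application pool identity needs read access to the signing certificate's private key, otherwise token issuance fails at runtime even though the metadata publishes fine.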
Create console application and modify the WCF Service to list all claims in the token of STS
Now, we will create a console application and modify the service code to read the claims in the STS token.
1. Add a simple console application to the same solution so that the solution structure looks like this:
2. Right-click “DemoConsole”, the console application project you’ve just added, and select “Add Service Reference”:
3. In the “Add Service Reference” dialog window click “Discover”. Once the “Address” text box is populated with the address of the WCF service you created, double-click the service name in the “Services” list box; in the picture below it is “SecureWCFService/Service.svc”. Then click “OK”:
4. Now test that the client and service actually work by populating the “Main” method of the console application's “Program” class with the following code:
5. Modify the “GetData” function in the service code also to list all claims. The code should look like the following…
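As an added example (not the blog's code), this is a `GetData` body that enumerates every claim the STS placed in the token and refuses claims from any other issuer. It assumes WIF 1.0 (`Microsoft.IdentityModel`) and that the STS is configured with the issuer name “ActiveSTS”, which is a constructed value; substitute the `IssuerName` from your STS web.config:

```csharp
// Added example, not the blog's code. Drop this GetData into the template's
// Service class. Assumes WIF 1.0 and the constructed issuer name "ActiveSTS".
using System.Security;
using System.Text;
using System.Threading;
using Microsoft.IdentityModel.Claims;

public class Service
{
    const string ExpectedIssuer = "ActiveSTS";   // assumption: your STS IssuerName

    public string GetData(int value)
    {
        // WIF replaces Thread.CurrentPrincipal with a claims principal built
        // from the validated STS token.
        IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new SecurityException("Caller has no authenticated claims identity.");

        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("You entered: {0}\n", value);
        sb.AppendFormat("Caller: {0}\n", identity.Name);
        foreach (Claim claim in identity.Claims)
        {
            // Defence in depth: the WIF pipeline already checks the token's
            // signature and issuer, but make the trust boundary explicit here.
            if (claim.Issuer != ExpectedIssuer)
                throw new SecurityException("Unexpected claim issuer: " + claim.Issuer);
            sb.AppendFormat("{0} = {1} (issuer: {2})\n", claim.ClaimType, claim.Value, claim.Issuer);
        }
        return sb.ToString();
    }
}
```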
6. Now, compile everything and run the console application.
7. Set console application as start-up project and press F5. You should receive the following console prompt after a while: