WCF: WS-* Federation HTTP Binding (WSFederationHttpBinding), Part 1

Federated security is interesting because it presents such a clear break between a service and the security (authentication and authorization) that protects it. Plus -- and this is the part I find even more intriguing -- federated security allows for trust. We'll look trust a little more in a moment but let's first consider that first point, the clear line between the service and its security.

With federated security, a service requires clients to authenticate using a security token issued by a security token service. It's the security token service that is responsible for authentication and access decisions. Typically, a security token service is within a specific domain, such as an organization, and refers to policies set for that domain.

Where federated security becomes really interesting is when a client in one organization accesses a service in another organization.


In the example above, we have two organizations, Organization A and Organization B. Both organizations have their own security token service (STS). Organization A has a client that wants to access a service in Organization B.

With federated security, there's a level of trust between the STS at Organization A and the STS at Organization B. The STS at Organization A doesn't have to know about the services at Organization B and the STS at Organization B doesn't have to know about the clients at Organization A. The STSes only have to know about each other. Plus, they have to have a level of trust in each other. This trust amounts to something like: When someone presents to me a security token issued by you (another security token service), I trust that you've done the legwork to authenticate the bearer of the token.

With the issue of authentication out of the way, the security token service for the domain in which a service resides need only address the question of access. That security token service will then consult its policies and, if the policies say it's okay, issue its own security token which can then be used to access the service.

Going back to our example, the Client within Organization A wants to access the Service within Organization B. Here's the process, broken into discrete steps.

Step 1: The Client presents its credentials (say, a username and password) to the Security Token Service (STS) within its domain.


Step 2: The STS in Organization A looks at the credentials and determines if they're valid or not. If they are, it then gives a security token to the Client.


Step 3: The Client then takes that security token (which proves the Client has been authenticated) and presents the token to the Security Token Service at Organization B.


Step 4: The Security Token Service at Organization B checks its policies and determines if the client should have access to the Service. If it decides yes, then it issues one of its own security tokens to the client. That security token is good for access to the Service.


Step 5: The Client then presents to the Service the security token it received from the STS at Organization B.


The Service accepts the security token and thus the Client is allowed to interact with the Service.

As you can probably guess, setting all this up is a little more involved than what we've done to date with the other bindings we've looked at (Basic HTTP Binding, WS-* HTTP Binding, and WS-* Dual HTTP Binding). There's where Part 2 of our WS Federation HTTP Binding comes in.

Comments

  1. MMNovember 16, 2017 at 9:07 AM

    Thanks. I see you never completed part 2 (you followed up and said there will be total 4 parts). Are you planning to complete the guide?

    ReplyDelete
    Replies
    1. Bill GoodNovember 16, 2017 at 11:47 AM

      It seemed the world moved on from WCF but it's always bugged me I never finished this series. I think WCF still has its place -- not everyone wants to or can run web services.

      So, I will wrap it up over the next 2 weeks. How does that work for you?

      Delete

Post a Comment

Popular posts from this blog

Using Reference Aliases

Image
I recently ran across a situation where two different libraries shared identical namespaces and class names. Visual Studio complained anytime I used one of these classes that it was an ambiguous reference. I needed both libraries -- each contained some unique elements -- so I couldn't ditch one or the other. But, as I said, anytime I tried to use a class that was common (again, via the class name and namespace), I received the ambiguous reference error. This was a real problem, so say the least. However, C# provides a way to specify exactly which library (reference) you mean when you use an object that's common to two or more libraries. Simply put, you use an extern alias  statement. The concept is fairly simple: Give the reference an alias (I used the Properties windows for the reference). Add an extern alias statement, putting it before your using statements. Add a using statement, which effectively links a specific object through the extern alias statement to th...
Read more

List of Visual Studio Keyboard Shortcuts

Here's a link to a great list of keyboard shortcuts for Visual Studio: 149 Shortcuts for Visual Studio 2015 (Windows) While there's no need to memorize the list (that's why someone has created a cheat sheet, after all), it certainly doesn't hurt to look over the list from time to time and try to add one more command to your repertoire.
Read more

Quick Example of System.IO.Abstractions Use

I just got on a new project and am trying from the get-go to structure all my code so that it's easily testable. Academically, that is a no-brainer. In practice, though, some chunks of code are more difficult to structure so that they're easily testable. Towards that end, I've been pushing System.IO.Abstractions again. And, to get that going I decided it was time to refresh my examples. In the code below, we see how injecting the file system into the repository ultimately allows us to write testable code. If structured correctly, then our repository requires no subsequent refactoring to run in a unit test environment versus a "real" environment even when dealing with something like the file system. Let's take a look at our code. The Console Application The console application is straightforward. We have a private method (at the bottom) that assembles and returns a mock file system. Next, we perform the following steps: We feed that mock file system...
Read more