How to secure WCF web service using ADFS in .NET 4.5?

Question

Using the Identity And Access tool ( part of VS 2012 ) i am able to configure a WCF to use our corporate ADFS server.

Relevant web.config

 <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials useIdentityConfiguration="true">
            <!--Certificate added by Identity and Access Tool for Visual Studio.-->
            <!-- <serviceCertificate findValue="CN=localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />-->
            <serviceCertificate findValue="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          </serviceCredentials>
          <serviceAuthorization principalPermissionMode="Always"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
      <add scheme="http" binding="ws2007FederationHttpBinding" />
      <add binding="basicHttpsBinding" scheme="https" />
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="">
          <security mode="TransportWithMessageCredential">
            <message establishSecurityContext="false">
              <issuerMetadata address="https://auth1.domain.com/adfs/services/trust/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <!--
        To browse web app root directory during debugging, set the value below to true.
        Set to false before deployment to avoid disclosing web app folder information.
      -->
    <directoryBrowse enabled="true" />
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://wcfurl.domain.com/" />
      </audienceUris>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://auth1.domain.com/adfs/services/trust">
          <keys>
            <add thumbprint="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
          </keys>
          <validIssuers>
            <add name="http://auth1.domain.com/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
      <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>

However when i reference this WCF service from a console application ( Add Service Reference ) the call is made directly to the WCF service, it is not redirected to ADFS to be authenticated as it would be with a standard ASP.NET application.

Do i really have to implement the call to adfs by code ? If so any clue on how to do it ?

Answer 1

Eric, in SAML based authentication web services and browser based application (i.e web application) uses different authentication mechanism. Try to see passive vs active authentication, in your case the client should drive the authentication (active client) using WS-Trust, since there is no redirect in web service call.Check out this http://msdn.microsoft.com/en-us/magazine/ee335705.aspx

-Peace