Inside the Standard Bindings: WSFederationHttp
The final HTTP binding that I'm covering in this series is WSFederationHttp. Federation is the ability to share identities across multiple systems for authentication and authorization. These identities could either be for users or machines. This binding is intended for the very specific scenario of federated security.
Standard disclaimer:
I've cut down on the number of properties presented by eliminating duplicates between the binding settings and binding element settings. For instance, the XML reader quotas can be set on either the binding or the message encoder binding element, but I'm only going to show them on the message encoder. I've also omitted most of the security credential settings because they're very messy and you hopefully won't need to change them much.
Federated HTTP supports SOAP security as well as mixed-mode security, but it doesn't support exclusively using transport security. I'll begin with the usual pattern of first presenting the binding with security disabled.
- System.ServiceModel.Channels.TransactionFlowBindingElement
  - TransactionProtocol: WSAtomicTransactions
- System.ServiceModel.Channels.TextMessageEncodingBindingElement
  - AddressingVersion: Addressing10 (https://www.w3.org/2005/08/addressing)
  - MaxReadPoolSize: 64
  - MaxWritePoolSize: 16
  - ReaderQuotas:
    - MaxArrayLength: 16384
    - MaxBytesPerRead: 4096
    - MaxDepth: 32
    - MaxNameTableCharCount: 16384
    - MaxStringContentLength: 8192
- System.ServiceModel.Channels.HttpTransportBindingElement
  - AllowCookies: False
  - AuthenticationScheme: Anonymous
  - BypassProxyOnLocal: False
  - HostNameComparisonMode: StrongWildcard
  - ManualAddressing: False
  - MappingMode: SoapWithWSAddressing
  - MaxBufferPoolSize: 524288
  - MaxBufferSize: 65536
  - MaxReceivedMessageSize: 65536
  - ProxyAddress:
  - ProxyAuthenticationScheme: Anonymous
  - Realm:
  - Scheme: http
  - TransferMode: Buffered
  - UnsafeConnectionNtlmAuthentication: False
  - UseDefaultWebProxy: True
There's nothing unusual about these settings compared to any of the other HTTP bindings. However, if you look at the top-level settings on the binding, there are two new components. The first is an address for a privacy notice. The second is buried inside the security settings. If you drill down to the settings for message security (not pictured here), there are now more than a dozen settings instead of the normal two or three.
- CloseTimeout: 00:01:00
- EnvelopeVersion: Soap12 (https://www.w3.org/2003/05/soap-envelope)
- Namespace: https://tempuri.org/
- OpenTimeout: 00:01:00
- PrivacyNoticeAt:
- ReceiveTimeout: 00:01:00
- ReliableSession:
  - Enabled: False
  - InactivityTimeout: 00:10:00
  - Ordered: True
- SendTimeout: 00:01:00
- TextEncoding: System.Text.UTF8Encoding
- TransactionFlow: False
The channel stack is identical to the WSHttp binding when Security.Mode is set to Message.
- System.ServiceModel.Channels.TransactionFlowBindingElement
- System.ServiceModel.Channels.SymmetricSecurityBindingElement
- System.ServiceModel.Channels.TextMessageEncodingBindingElement
- System.ServiceModel.Channels.HttpTransportBindingElement
However, setting Security.Mode to TransportWithMessageCredential results in something of a hybrid between the WSHttp and BasicHttp bindings.
- System.ServiceModel.Channels.TransactionFlowBindingElement
- System.ServiceModel.Channels.TransportSecurityBindingElement
- System.ServiceModel.Channels.TextMessageEncodingBindingElement
- System.ServiceModel.Channels.HttpsTransportBindingElement
  - RequireClientCertificate: False
  - Scheme: https
Finally, using the MTOM encoder looks exactly the same as for WSHttp.
- System.ServiceModel.Channels.TransactionFlowBindingElement
- System.ServiceModel.Channels.MtomMessageEncodingBindingElement
- System.ServiceModel.Channels.HttpTransportBindingElement
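The stacks listed above can be reproduced, and checked for a missing security element, with a short console program. This is an added example, not code from the original post; it assumes a .NET Framework project referencing System.ServiceModel, and the class name `FederationBindingAudit` and method `Report` are hypothetical.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical helper class (not from the original post).
static class FederationBindingAudit
{
    // Build the binding for one Security.Mode and report its channel stack.
    static void Report(WSFederationHttpSecurityMode mode, WSMessageEncoding encoding)
    {
        var binding = new WSFederationHttpBinding(mode) { MessageEncoding = encoding };
        BindingElementCollection stack = binding.CreateBindingElements();

        Console.WriteLine("Security.Mode = {0}, MessageEncoding = {1}", mode, encoding);
        foreach (BindingElement element in stack)
            Console.WriteLine("  - {0}", element.GetType().FullName);

        // Find<T> returns the first element assignable to T, or null if there is none.
        var security = stack.Find<SecurityBindingElement>();
        // HttpsTransportBindingElement derives from HttpTransportBindingElement,
        // so this lookup matches both the http and the https transport.
        var transport = stack.Find<HttpTransportBindingElement>();

        Console.WriteLine("  message-layer security: {0}",
            security == null ? "NONE" : security.GetType().Name);
        Console.WriteLine("  transport scheme:       {0}", transport.Scheme);

        if (security == null)
            Console.WriteLine("  WARNING: no security binding element in this stack");
        Console.WriteLine();
    }

    static void Main()
    {
        // The four configurations discussed in the post.
        Report(WSFederationHttpSecurityMode.None, WSMessageEncoding.Text);
        Report(WSFederationHttpSecurityMode.Message, WSMessageEncoding.Text);
        Report(WSFederationHttpSecurityMode.TransportWithMessageCredential, WSMessageEncoding.Text);
        Report(WSFederationHttpSecurityMode.None, WSMessageEncoding.Mtom);
    }
}
```

The same `Find<SecurityBindingElement>()` check works on any `Binding` loaded from configuration, which makes it usable as a startup assertion that a federated endpoint was not deployed with security disabled.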
Next time: It's All in the BindingContext