WIF 4.5 Active/Passive/Delegation examples
Lately more and more customers are asking me for help and examples on how to use WIF 4.5 + WCF in their projects: a quick jump-start, or how to "migrate" from the previous version (WIF on .NET 3.5).
As you may know WIF is now part of the framework, so the first thing to note is the change of namespace: from Microsoft.IdentityModel to System.IdentityModel. Second, some classes are gone and some have been renamed.
I created two working examples on how to use WIF 4.5 to secure a WCF web service. I tried to mock up the two most common scenarios:
- #1 standard active scenario (1 hop / Client -> WCF) https://github.com/gianlucb/WIF-ActiveScenarioWCF
- #2 delegation scenario (2 hops / Browser -> WEB -> WCF ) https://github.com/gianlucb/WIF-DelegationScenarioWCF
Basically WIF is used to secure a target WCF resource (Relying party) and also to retrieve the access token from the STS. I used an ADFS server but you can use any custom STS implementation.
I put many comments in the source code and tried to be as verbose as possible, to help you understand how WIF works and how it must be configured.
In these examples you can also find how to configure WIF programmatically, without using any configuration file!
Example #1 is really simple: just a WCF service that must be consumed using a SAML token as the authentication method.
Active scenario simply means the caller must go to the STS itself to retrieve the token before calling the service; it is not redirected automatically, as happens with a browser in the passive scenario.
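As an added example (not the code from the linked repository), this is what the service side of scenario #1 looks like when WIF 4.5 is configured entirely in code, with no <system.identityModel> section in the configuration file. The service contract, the base address, the STS endpoint and the issuer signing thumbprint are placeholders I chose for the example.

```csharp
// Added example, not the repository's code: hosting a WCF relying party with WIF 4.5
// configured programmatically. All addresses and the thumbprint are placeholders.
using System;
using System.IdentityModel.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ISecureService
{
    [OperationContract]
    string WhoAmI();
}

public class SecureService : ISecureService
{
    public string WhoAmI()
    {
        // WIF 4.5: ClaimsPrincipal lives in System.Security.Claims and replaces the old
        // Microsoft.IdentityModel.Claims.IClaimsPrincipal. Thread.CurrentPrincipal is a ClaimsPrincipal.
        var principal = ClaimsPrincipal.Current;
        var name = principal.Identity.Name ?? "(no name claim)";
        var issuers = string.Join(",", principal.Claims.Select(c => c.Issuer).Distinct());
        return name + " issued by " + issuers;
    }
}

// Replaces <issuerNameRegistry> from the config file: maps the signing certificate of the
// token issuer to the issuer name that ends up in Claim.Issuer. Returning null rejects the token.
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    private const string TrustedThumbprint = "PLACEHOLDER_STS_SIGNING_THUMBPRINT"; // placeholder
    private const string TrustedIssuerName = "http://adfs.example.com/adfs/services/trust"; // placeholder

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509 = securityToken as X509SecurityToken;
        if (x509 != null &&
            string.Equals(x509.Certificate.Thumbprint, TrustedThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            return TrustedIssuerName;
        }
        return null; // untrusted signer: WIF throws SecurityTokenException
    }
}

public static class ProgrammaticHost
{
    public static ServiceHost Create()
    {
        var baseAddress = new Uri("https://localhost:8443/SecureService"); // placeholder
        var host = new ServiceHost(typeof(SecureService), baseAddress);

        // Federation binding: the caller presents a bearer SAML token obtained from the STS;
        // HTTPS (transport security) protects message and token in transit.
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.IssuerAddress =
            new EndpointAddress("https://adfs.example.com/adfs/services/trust/13/usernamemixed"); // placeholder
        binding.Security.Message.EstablishSecurityContext = false;
        host.AddServiceEndpoint(typeof(ISecureService), binding, string.Empty);

        // Build the WIF configuration in code instead of loading <system.identityModel>.
        var identityConfig = new IdentityConfiguration(false)
        {
            IssuerNameRegistry = new ThumbprintIssuerNameRegistry(),
            CertificateValidationMode = X509CertificateValidationMode.ChainTrust,
            SaveBootstrapContext = false
        };
        // Audience restriction: accept only tokens the STS issued for this relying party.
        identityConfig.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        identityConfig.AudienceRestriction.AllowedAudienceUris.Add(baseAddress);

        host.Credentials.IdentityConfiguration = identityConfig;
        host.Credentials.UseIdentityConfiguration = true; // switch WCF to the WIF token pipeline
        return host;
    }
}
```

The two settings a reviewer should look for are the audience restriction (a token issued for another relying party must be refused, even if the STS is trusted) and the issuer name registry (a token signed by anything other than the expected STS certificate gets no issuer name and is rejected).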
Example #2 is the implementation of this "old" guide: Identity Delegation with AD FS 2.0 Step-by-Step Guide. The guide was written for .NET 3.5, the old VS version and ADFS 2.0, so it is no longer updated.
Nowadays, to set up a working delegation scenario there are some additional steps and some that are no longer necessary; see the readme document for a detailed list of the steps required for delegation.
Note that for a delegation scenario the service's caller must get a second token of type OnBehalfOf or ActAs, it cannot use the user's original token.
In this example you can find two methods for this task:
- Automatic: using CreateChannelWithOnBehalfOfToken (WCF gets the token for us transparently)
- Manual: call the STS with WSTrustChannelFactory and forward the token with CreateChannelWithIssuedToken
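As an added example (not the code from the linked repositories), here is the client side of both scenarios on .NET 4.5: the manual path, in which the caller talks to the STS with WSTrustChannelFactory and then forwards the issued token with CreateChannelWithIssuedToken, and the automatic path, in which the web tier hands the user's bootstrap token to CreateChannelWithOnBehalfOfToken and lets WCF do the second round trip. The STS endpoints, service address and ISecureService contract are placeholders I chose for the example.

```csharp
// Added example, not the repositories' code: active call and delegation call with WIF 4.5.
// Every address below is a placeholder; ISecureService is a hypothetical contract.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;

[ServiceContract]
public interface ISecureService
{
    [OperationContract]
    string WhoAmI();
}

public static class FederatedClient
{
    private const string StsUserNameEndpoint = "https://adfs.example.com/adfs/services/trust/13/usernamemixed"; // placeholder
    private const string ServiceAddress = "https://localhost:8443/SecureService"; // placeholder

    // Manual, step 1: go to the STS ourselves and ask for a bearer token scoped (AppliesTo)
    // to the relying party. Nothing redirects the caller; that is what "active" means.
    // For delegation (2 hops) the middle tier passes the user's token as ActAs: the service
    // then receives a second token, never the user's original one.
    public static SecurityToken RequestToken(string user, string password, SecurityToken actAs)
    {
        var stsBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        stsBinding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsUserNameEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(ServiceAddress),
            KeyType = KeyTypes.Bearer
        };
        if (actAs != null)
        {
            rst.ActAs = new SecurityTokenElement(actAs);
        }

        IWSTrustChannelContract channel = factory.CreateChannel();
        return channel.Issue(rst);
    }

    // Federation binding shared by both paths; mirrors the service endpoint configuration.
    private static ChannelFactory<ISecureService> CreateFederationFactory()
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.EstablishSecurityContext = false;
        // Needed only by the automatic path: where WCF goes to exchange the OnBehalfOf token.
        binding.Security.Message.IssuerAddress = new EndpointAddress(StsUserNameEndpoint);

        var factory = new ChannelFactory<ISecureService>(binding, new EndpointAddress(ServiceAddress));
        // The CreateChannelWith*Token extension methods require the WIF client pipeline on .NET 4.5.
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.UseIdentityConfiguration = true;
        return factory;
    }

    // Manual, step 2: attach the token we already obtained to the outgoing message.
    public static string CallWithIssuedToken(SecurityToken token)
    {
        ISecureService proxy = CreateFederationFactory().CreateChannelWithIssuedToken(token);
        return proxy.WhoAmI();
    }

    // Automatic (web tier): hand the user's bootstrap token to WCF, which performs the
    // OnBehalfOf request to the STS transparently. The bootstrap token is only kept when the
    // web application is configured with saveBootstrapContext="true".
    public static string CallOnBehalfOfCurrentUser()
    {
        var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
        var bootstrap = identity.BootstrapContext as BootstrapContext;
        if (bootstrap == null || bootstrap.SecurityToken == null)
        {
            throw new InvalidOperationException("No bootstrap token: enable saveBootstrapContext on the web app.");
        }
        ISecureService proxy = CreateFederationFactory().CreateChannelWithOnBehalfOfToken(bootstrap.SecurityToken);
        return proxy.WhoAmI();
    }
}
```

In the manual path the web tier calls RequestToken with the user's bootstrap token as the actAs argument and then CallWithIssuedToken; in the automatic path it calls CallOnBehalfOfCurrentUser and WCF performs the same exchange. Either way the STS must be configured to allow the web tier to act on behalf of the user (the delegation rules listed in the readme), otherwise the second Issue request is refused.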