Using BizTalk to access a WCF service using claims-based authentication (aka federated security)

When a client connects to a claims-aware WCF service, two bindings are always required: the main binding that communicates with the service, and a second binding (the issuer binding) that the main binding references from its message security configuration in order to authenticate the user against the Security Token Service (STS) and obtain the token.

There are cases where you want to use BizTalk as the WCF client, authenticating the user against ADFS so that the WCF service can authorize the call. In that case the bindings are slightly different from those described in this blog.

For instance, BizTalk does not allow two bindings of the same customBinding type to be used together (one for the service, one for the issuer) when communicating with a claims-aware WCF service.

To make it work, combine a ws2007FederationHttpBinding for the service with a customBinding for the STS issuer. The customBinding below is named after the STS endpoint URL, but the name is arbitrary: it only has to match the bindingConfiguration attribute of the issuer element. Note that detectReplays="false" switches off WCF's message replay cache on the STS binding, which is acceptable here only because the STS exchange runs over HTTPS, and that the WS-Trust and XML Encryption/Signature namespace URIs are compared literally, so they must be the exact http:// strings from the specifications.


<bindings>
  <!-- Issuer binding: talks to the ADFS STS over HTTPS with Kerberos over transport. -->
  <customBinding>
    <binding name="https://nape-adfs/adfs/services/trust/2005/kerberosmixed">
      <security defaultAlgorithmSuite="Basic128" authenticationMode="KerberosOverTransport"
                requireDerivedKeys="false" includeTimestamp="true"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
        <!-- Replay detection is disabled; the HTTPS transport protects this exchange. -->
        <localClientSettings detectReplays="false" />
        <localServiceSettings detectReplays="false" />
      </security>
      <textMessageEncoding />
      <httpsTransport />
    </binding>
  </customBinding>

  <!-- Service binding: HTTPS transport, issued token carried as the message credential. -->
  <ws2007FederationHttpBinding>
    <binding name="WS2007FederationHttpBinding_IService">
      <security mode="TransportWithMessageCredential">
        <message>
          <!-- The issuer points at the STS endpoint and at the customBinding declared above. -->
          <issuer address="https://nape-adfs/adfs/services/trust/2005/kerberosmixed"
                  binding="customBinding"
                  bindingConfiguration="https://nape-adfs/adfs/services/trust/2005/kerberosmixed" />
          <!-- Parameters copied into the RequestSecurityToken sent to ADFS (WS-Trust 1.3 namespace). -->
          <tokenRequestParameters>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
              <trust:KeySize>256</trust:KeySize>
              <trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
              <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
              <trust:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
              <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
              <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
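The rules that make this configuration work (the issuer must reference a binding that exists, of a different type from the service binding, over HTTPS, with the exact WS-Trust 1.3 namespace, and with a KeySize that matches the requested EncryptWith algorithm) are easy to get wrong by hand. The following lint script is an added example, not part of the original post or of BizTalk; it parses a `<bindings>` fragment (a constructed copy of the configuration above, trimmed to the relevant elements) with the Python standard library and reports violations, and it flags `detectReplays="false"` as a warning so the trade-off is visible.

```python
"""Lint a WCF <bindings> fragment for the BizTalk federated-client pattern.

Added example (not from the original post). It assumes the issuer binding is
referenced via security/message/issuer and that tokenRequestParameters carry
WS-Trust 1.3 elements, as in the configuration above.
"""
import xml.etree.ElementTree as ET

WS_TRUST_13_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
# Key length implied by the XML Encryption algorithm requested in EncryptWith.
AES_KEY_BITS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": 128,
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": 192,
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": 256,
}

# Constructed sample: the post's configuration reduced to the checked elements.
SAMPLE_CONFIG = """\
<bindings>
  <customBinding>
    <binding name="https://nape-adfs/adfs/services/trust/2005/kerberosmixed">
      <security authenticationMode="KerberosOverTransport" includeTimestamp="true">
        <localClientSettings detectReplays="false" />
        <localServiceSettings detectReplays="false" />
      </security>
      <textMessageEncoding />
      <httpsTransport />
    </binding>
  </customBinding>
  <ws2007FederationHttpBinding>
    <binding name="WS2007FederationHttpBinding_IService">
      <security mode="TransportWithMessageCredential">
        <message>
          <issuer address="https://nape-adfs/adfs/services/trust/2005/kerberosmixed"
                  binding="customBinding"
                  bindingConfiguration="https://nape-adfs/adfs/services/trust/2005/kerberosmixed" />
          <tokenRequestParameters>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
              <trust:KeySize>256</trust:KeySize>
              <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
"""


def _local(tag):
    """Local name of an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    """Namespace URI of an ElementTree tag ('' when unqualified)."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def lint_bindings(xml_text):
    """Return a list of (severity, message) findings for a <bindings> fragment."""
    findings = []
    root = ET.fromstring(xml_text)
    bindings = root if root.tag == "bindings" else root.find(".//bindings")
    if bindings is None:
        return [("error", "no <bindings> element found")]

    # Index every binding by (section, name) so issuer references can be resolved.
    catalogue = {(section.tag, b.get("name")): b
                 for section in bindings for b in section.findall("binding")}

    for section in bindings:
        for binding in section.findall("binding"):
            ctx = f"{section.tag}/{binding.get('name')}"

            # detectReplays="false" switches off WCF's replay cache: surface it.
            for el in binding.iter():
                if _local(el.tag) in ("localClientSettings", "localServiceSettings") \
                        and el.get("detectReplays") == "false":
                    findings.append(("warning", f"{ctx}: {_local(el.tag)} disables replay detection"))

            issuer = binding.find("security/message/issuer")
            if issuer is None:
                continue  # not a federated binding

            address = issuer.get("address", "")
            if not address.startswith("https://"):
                findings.append(("error", f"{ctx}: issuer address {address!r} is not https"))

            ref = (issuer.get("binding"), issuer.get("bindingConfiguration"))
            if ref not in catalogue:
                findings.append(("error", f"{ctx}: issuer references missing binding {ref[0]}/{ref[1]}"))
            elif ref[0] == section.tag:
                # BizTalk constraint from the post: service and issuer must not share a binding type.
                findings.append(("error", f"{ctx}: issuer uses the same binding type as the service binding"))

            params = binding.find("security/message/tokenRequestParameters")
            if params is None:
                continue
            for child in params:  # namespace URIs are compared literally by WS-Trust
                ns = _namespace(child.tag)
                if ns != WS_TRUST_13_NS:
                    findings.append(("error", f"{ctx}: token request namespace {ns!r} is not {WS_TRUST_13_NS}"))
            key_size = params.find(f".//{{{WS_TRUST_13_NS}}}KeySize")
            encrypt_with = params.find(f".//{{{WS_TRUST_13_NS}}}EncryptWith")
            if key_size is not None and encrypt_with is not None:
                algorithm = (encrypt_with.text or "").strip()
                expected = AES_KEY_BITS.get(algorithm)
                if expected is not None and int((key_size.text or "0").strip()) != expected:
                    findings.append(("error", f"{ctx}: KeySize {key_size.text.strip()} does not match {algorithm}"))
    return findings


def errors(findings):
    """Only the error-severity messages from lint_bindings()."""
    return [message for severity, message in findings if severity == "error"]


if __name__ == "__main__":
    for severity, message in lint_bindings(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

Run against the sample it reports no errors and two warnings (the two detectReplays settings); pointing the issuer at a binding name that does not exist, switching the WS-Trust namespace to https://, or asking for a 128-bit key with aes256-cbc each produce exactly one error, which is the kind of mismatch that otherwise only shows up as an opaque fault from ADFS or the service.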