Defines a binding that supports WS-Federation.
```xml
<wsFederationHttpBinding>
  <binding bypassProxyOnLocal="Boolean"
           closeTimeout="TimeSpan"
           hostNameComparisonMode="StrongWildcard/Exact/WeakWildcard"
           maxBufferPoolSize="integer"
           maxReceivedMessageSize="integer"
           messageEncoding="Text/Mtom"
           name="string"
           openTimeout="TimeSpan"
           privacyNoticeAt="Uri"
           privacyNoticeVersion="Integer"
           proxyAddress="Uri"
           receiveTimeout="TimeSpan"
           sendTimeout="TimeSpan"
           textEncoding="UnicodeFffeTextEncoding/Utf16TextEncoding/Utf8TextEncoding"
           transactionFlow="Boolean"
           useDefaultWebProxy="Boolean">
    <security mode="None/Message/TransportWithMessageCredential">
      <message algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"
               issuedTokenType="string"
               issuedKeyType="SymmetricKey/PublicKey"
               negotiateServiceCredential="Boolean">
        <claimTypeRequirements>
          <add claimType="URI" isOptional="Boolean" />
        </claimTypeRequirements>
        <issuer address="Uri">
          <headers>
            <add name="String" namespace="String" />
          </headers>
          <identity>
            <certificate encodedValue="String" />
            <certificateReference findValue="String"
                                  isChainIncluded="Boolean"
                                  storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
                                  storeLocation="LocalMachine/CurrentUser"
                                  x509FindType="System.Security.Cryptography.X509Certificates.X509FindType" />
            <dns value="String" />
            <rsa value="String" />
            <servicePrincipalName value="String" />
            <usePrincipalName value="String" />
          </identity>
        </issuer>
        <issuerMetadata address="String">
          <headers>
            <add name="String" namespace="String" />
          </headers>
          <identity>
            <certificate encodedValue="String" />
            <certificateReference findValue="String"
                                  isChainIncluded="Boolean"
                                  storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
                                  storeLocation="LocalMachine/CurrentUser"
                                  x509FindType="System.Security.Cryptography.X509Certificates.X509FindType" />
            <dns value="String" />
            <rsa value="String" />
            <servicePrincipalName value="String" />
            <usePrincipalName value="String" />
          </identity>
        </issuerMetadata>
        <tokenRequestParameters>
          <xmlElement>
          </xmlElement>
        </tokenRequestParameters>
      </message>
    </security>
    <reliableSession ordered="Boolean" inactivityTimeout="TimeSpan" enabled="Boolean" />
    <readerQuotas maxArrayLength="Integer"
                  maxBytesPerRead="Integer"
                  maxDepth="Integer"
                  maxNameTableCharCount="Integer"
                  maxStringContentLength="Integer" />
  </binding>
</wsFederationHttpBinding>
```
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes

| Attribute | Description |
|---|---|
| bypassProxyOnLocal | A Boolean value that indicates whether to bypass the proxy server for local addresses. The default is |
| closeTimeout | A TimeSpan value that specifies the interval of time provided for a close operation to complete. This value should be greater than or equal to Zero. The default is 00:01:00. |
| hostNameComparisonMode | Specifies the HTTP hostname comparison mode used to parse URIs. This attribute is of type HostNameComparisonMode, which indicates whether the hostname is used to reach the service when matching on the URI. The default value is StrongWildcard, which ignores the hostname in the match. |
| maxBufferPoolSize | An integer that specifies the maximum buffer pool size for this binding. The default is 524,288 bytes (512 * 1024). Many parts of Windows Communication Foundation (WCF) use buffers. Creating and destroying buffers each time they are used is expensive, and garbage collection for buffers is also expensive. With buffer pools, you can take a buffer from the pool, use it, and return it to the pool once you are done. Thus the overhead in creating and destroying buffers is avoided. |
| maxReceivedMessageSize | A positive integer that specifies the maximum message size, in bytes, including headers, that can be received on a channel configured with this binding. The sender of a message exceeding this limit will receive a SOAP fault. The receiver drops the message and creates an entry of the event in the trace log. The default is 65536. |
| messageEncoding | Defines the encoder used to encode the message. Valid values are Text (use a text message encoder) and Mtom (use a Message Transmission Optimization Mechanism 1.0 (MTOM) encoder). The default is Text. This attribute is of type WSMessageEncoding. |
| name | A string that contains the configuration name of the binding. This value should be unique because it is used as an identification for the binding. Starting with .NET Framework 4, bindings and behaviors are not required to have a name. For more information about default configuration and nameless bindings and behaviors, see Simplified Configuration and Simplified Configuration for WCF Services. |
| openTimeout | A TimeSpan value that specifies the interval of time provided for an open operation to complete. This value should be greater than or equal to Zero. The default is 00:01:00. |
| privacyNoticeAt | A String that specifies a URI at which the privacy notice is located. |
| privacyNoticeVersion | An integer that specifies the version of the current privacy notice. |
| proxyAddress | A URI that specifies the address of the HTTP proxy. If |
| receiveTimeout | A TimeSpan value that specifies the interval of time provided for a receive operation to complete. This value should be greater than or equal to Zero. The default is 00:10:00. |
| sendTimeout | A TimeSpan value that specifies the interval of time provided for a send operation to complete. This value should be greater than or equal to Zero. The default is 00:01:00. |
| textEncoding | Sets the character set encoding to be used for emitting messages on the binding. Valid values are BigEndianUnicode (Unicode big-endian encoding), Unicode (16-bit encoding), and UTF8 (8-bit encoding). The default is UTF8. This attribute is of type Encoding. |
| transactionFlow | A Boolean value that specifies whether the binding supports flowing WS-Transactions. The default is |
| useDefaultWebProxy | A Boolean value that indicates whether the system's auto-configured HTTP proxy is used. The proxy address must be |
Child elements

| Element | Description |
|---|---|
| `<security>` | Defines the security settings for the message. This element is of type WSFederationHttpSecurityElement. |
| `<readerQuotas>` | Defines the constraints on the complexity of SOAP messages that can be processed by endpoints configured with this binding. This element is of type XmlDictionaryReaderQuotasElement. |
| `<reliableSession>` | Specifies if reliable sessions are established between channel endpoints. |

Parent elements

| Element | Description |
|---|---|
| `<bindings>` | This element holds a collection of standard and custom bindings. |
Federation is the ability to share identities across multiple systems for authentication and authorization. These identities can refer to users or to machines. Federated HTTP supports SOAP security as well as mixed-mode security, but it does not support exclusively using transport security. This binding provides Windows Communication Foundation (WCF) support for the WS-Federation protocol. Services configured with this binding must use the HTTP transport.
Bindings consist of a stack of binding elements. The stack of binding elements in wsFederationHttpBinding is the same as that contained in
wsFederationHttpBinding controls the details of the message security settings in <message>. Note that the <security> element provides get access only, because the security used by the binding cannot be changed once the binding is created.
wsFederationHttpBinding also provides a privacyNoticeAt attribute to set and retrieve the URI at which the privacy notice is located.
Keeping policy secure is especially important in federation scenarios. The recommendation is to use some form of security, such as HTTPS, to protect the policy from malicious users.
In federation scenarios using this binding, the service policy potentially carries sensitive information, such as the key to use to encrypt the issued (SAML) token and the types of claims to put in the token. If this policy is tampered with, an attacker could discover the key of the issued token, leading to further tampering, information disclosure, and other malicious behavior. To help prevent this, the policy must be obtained securely from the service (for example, over HTTPS).
For more information on this binding, see How to: Create a WSFederationHttpBinding.
```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <wsFederationHttpBinding>
        <binding bypassProxyOnLocal="false"
                 transactionFlow="false"
                 hostNameComparisonMode="WeakWildcard"
                 maxReceivedMessageSize="1000"
                 messageEncoding="Mtom"
                 proxyAddress="http://foo/bar"
                 textEncoding="Utf16TextEncoding"
                 useDefaultWebProxy="false">
          <reliableSession ordered="false"
                           inactivityTimeout="00:02:00"
                           enabled="true" />
          <security mode="None">
            <message negotiateServiceCredential="false"
                     algorithmSuite="Aes128"
                     issuedTokenType="saml"
                     issuedKeyType="PublicKey">
              <issuer address="http://localhost/Sts" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
```
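The policy-protection advice above can be turned into a configuration check. The following added example (not part of the original documentation or of WCF) parses a config file, finds every `<binding>` under `<wsFederationHttpBinding>`, and reports a security mode of `None`, an `algorithmSuite` that selects RSA PKCS#1 v1.5 key wrapping (the `*Rsa15` suites), and `issuer`/`issuerMetadata` addresses that are not fetched over HTTPS; the embedded sample config is constructed from the example above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the page's example binding (not a real deployment).
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="fedBinding" maxReceivedMessageSize="1000">
          <security mode="None">
            <message algorithmSuite="Basic128Rsa15" issuedTokenType="saml">
              <issuer address="http://localhost/Sts" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""


def audit_federation_bindings(config_xml: str) -> list[str]:
    """Return one finding per weak setting in the <wsFederationHttpBinding>
    bindings of a WCF config document; an empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    findings = []
    for binding in root.iterfind(".//wsFederationHttpBinding/binding"):
        name = binding.get("name", "<unnamed>")
        security = binding.find("security")
        # WCF uses Message security when the <security> element is omitted.
        mode = security.get("mode", "Message") if security is not None else "Message"
        if mode == "None":
            findings.append(f"{name}: security mode None leaves the issued token and messages unprotected")
        message = security.find("message") if security is not None else None
        if message is not None:
            suite = message.get("algorithmSuite", "")
            if suite.endswith("Rsa15"):
                findings.append(f"{name}: algorithmSuite {suite} selects RSA PKCS#1 v1.5 key wrapping")
            # Policy and tokens come from these endpoints, so they must be reached over HTTPS.
            for tag in ("issuer", "issuerMetadata"):
                node = message.find(tag)
                addr = node.get("address") if node is not None else None
                if addr and urlparse(addr).scheme.lower() != "https":
                    findings.append(f"{name}: {tag} address {addr} is not fetched over HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit_federation_bindings(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample config prints three findings: the `None` mode, the `Basic128Rsa15` suite, and the plain-HTTP issuer address.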