Built-in Bindings Overview

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

Windows® Identity Foundation (WIF) provides the following built-in bindings to make it easier to communicate with Active Directory® Federation Services (AD FS) 2.0:

UserNameWSTrustBinding

UserNameWSTrustBinding authenticates the client with a username and password. By default, it uses message-level security and WS-Trust 1.3. The following code snippet creates the binding with the default security mode and sets it to WS-Trust 2005 instead, as the TrustFeb2005UserNameMessage endpoint requires:

// TrustFeb2005UserNameMessage:
UserNameWSTrustBinding userNameTrustFeb2005MessageBinding = new UserNameWSTrustBinding();
userNameTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

CertificateWSTrustBinding

CertificateWSTrustBinding authenticates the client with a certificate. By default, it uses message-level security and WS-Trust 1.3. The following code snippet creates the binding with the default security mode and sets it to WS-Trust 2005 instead, as the TrustFeb2005CertificateMessage endpoint requires:

// TrustFeb2005CertificateMessage:
CertificateWSTrustBinding certificateTrustFeb2005MessageBinding = new CertificateWSTrustBinding();
certificateTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

WindowsWSTrustBinding

WindowsWSTrustBinding authenticates the client with Simple and Protected GSSAPI Negotiation Mechanism (SPNego). By default, it uses message-level security and WS-Trust 1.3. The following code snippet creates the binding with the default security mode and sets it to WS-Trust 2005 instead, as the TrustFeb2005WindowsMessage endpoint requires:

// TrustFeb2005WindowsMessage:
WindowsWSTrustBinding windowsTrustFeb2005MessageBinding = new WindowsWSTrustBinding();
windowsTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

KerberosWSTrustBinding

KerberosWSTrustBinding authenticates the client with Kerberos. By default, it uses transport with message credential security and WS-Trust 1.3. The following code snippet creates the binding with that security mode stated explicitly and sets it to WS-Trust 2005 instead, as the TrustFeb2005KerberosMixed endpoint requires:

// TrustFeb2005KerberosMixed:
KerberosWSTrustBinding kerberosTrustFeb2005MixedBinding = new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential);
kerberosTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

IssuedTokenWSTrustBinding

IssuedTokenWSTrustBinding authenticates the client with an issued token. The following code snippet shows how to create and configure this binding:

// Trust13IssuedTokenAsymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey;

Note that this binding does not support the following scenarios:

  • Bearer token with message-level security.

  • Asymmetric key type with transport-level security.

  • Bearer token with WS-Trust 2005.

The following code sample lists the endpoints exposed by Active Directory® Federation Services (AD FS) 2.0, and shows how to set up the appropriate binding:

/** WS-Trust 2005 endpoints **/

// TrustFeb2005WindowsMessage:
WindowsWSTrustBinding windowsTrustFeb2005MessageBinding = new WindowsWSTrustBinding();
windowsTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005WindowsMixed:
WindowsWSTrustBinding windowsTrustFeb2005MixedBinding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
windowsTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005WindowsTransport:
WindowsWSTrustBinding windowsTrustFeb2005TransportBinding = new WindowsWSTrustBinding(SecurityMode.Transport);
windowsTrustFeb2005TransportBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005CertificateMessage:
CertificateWSTrustBinding certificateTrustFeb2005MessageBinding = new CertificateWSTrustBinding();
certificateTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005CertificateMixed:
CertificateWSTrustBinding certificateTrustFeb2005MixedBinding = new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);
certificateTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005CertificateTransport:
CertificateWSTrustBinding certificateTrustFeb2005TransportBinding = new CertificateWSTrustBinding(SecurityMode.Transport);
certificateTrustFeb2005TransportBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005UserNameMessage:
UserNameWSTrustBinding userNameTrustFeb2005MessageBinding = new UserNameWSTrustBinding();
userNameTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005UserNameMixed:
UserNameWSTrustBinding userNameTrustFeb2005MixedBinding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
userNameTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005UserNameBasicTransport:
UserNameWSTrustBinding userNameTrustFeb2005TransportBasicBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Basic);
userNameTrustFeb2005TransportBasicBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005UserNameDigestTransport:
UserNameWSTrustBinding userNameTrustFeb2005TransportDigestBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Digest);
userNameTrustFeb2005TransportDigestBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005KerberosMixed:
KerberosWSTrustBinding kerberosTrustFeb2005MixedBinding = new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential);
kerberosTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

/** WS-Trust 1.3 endpoints **/

// Trust13WindowsMessage:
WindowsWSTrustBinding windowsTrust13MessageBinding = new WindowsWSTrustBinding();

// Trust13WindowsMixed:
WindowsWSTrustBinding windowsTrust13MixedBinding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);

// Trust13WindowsTransport:
WindowsWSTrustBinding windowsTrust13TransportBinding = new WindowsWSTrustBinding(SecurityMode.Transport);

// Trust13CertificateMessage:
CertificateWSTrustBinding certificateTrust13MessageBinding = new CertificateWSTrustBinding();

// Trust13CertificateMixed:
CertificateWSTrustBinding certificateTrust13MixedBinding = new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);

// Trust13CertificateTransport:
CertificateWSTrustBinding certificateTrust13TransportBinding = new CertificateWSTrustBinding(SecurityMode.Transport);

// Trust13UserNameMessage:
UserNameWSTrustBinding userNameTrust13MessageBinding = new UserNameWSTrustBinding();

// Trust13UserNameMixed:
UserNameWSTrustBinding userNameTrust13MixedBinding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);

// Trust13UserNameBasicTransport:
UserNameWSTrustBinding userNameTrust13TransportBasicBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Basic);

// Trust13UserNameDigestTransport:
UserNameWSTrustBinding userNameTrust13TransportDigestBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Digest);

// Trust13KerberosMixed:
KerberosWSTrustBinding kerberosTrust13MixedBinding = new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential);

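/** WS-Trust 1.3 Issued Token endpoints **/
// Each endpoint gets its own binding instance so that settings made for
// one endpoint do not carry over to the next.

// Trust13IssuedTokenAsymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenTrust13AsymmetricBinding = new IssuedTokenWSTrustBinding();
issuedTokenTrust13AsymmetricBinding.KeyType = SecurityKeyType.AsymmetricKey;

// Trust13IssuedTokenMixedAsymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenTrust13MixedAsymmetricBinding = new IssuedTokenWSTrustBinding();
issuedTokenTrust13MixedAsymmetricBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;
issuedTokenTrust13MixedAsymmetricBinding.KeyType = SecurityKeyType.AsymmetricKey;

// Trust13IssuedTokenMixedSymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenTrust13MixedSymmetricBinding = new IssuedTokenWSTrustBinding();
issuedTokenTrust13MixedSymmetricBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;

// Trust13IssuedTokenSymmetricBasic256 (no properties set):
IssuedTokenWSTrustBinding issuedTokenTrust13SymmetricBinding = new IssuedTokenWSTrustBinding();

/** WS-Trust 2005 Issued Token endpoints **/

// TrustFeb2005IssuedTokenAsymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenTrustFeb2005AsymmetricBinding = new IssuedTokenWSTrustBinding();
issuedTokenTrustFeb2005AsymmetricBinding.KeyType = SecurityKeyType.AsymmetricKey;
issuedTokenTrustFeb2005AsymmetricBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005IssuedTokenMixedAsymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenTrustFeb2005MixedAsymmetricBinding = new IssuedTokenWSTrustBinding();
issuedTokenTrustFeb2005MixedAsymmetricBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;
issuedTokenTrustFeb2005MixedAsymmetricBinding.KeyType = SecurityKeyType.AsymmetricKey;
issuedTokenTrustFeb2005MixedAsymmetricBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005IssuedTokenMixedSymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenTrustFeb2005MixedSymmetricBinding = new IssuedTokenWSTrustBinding();
issuedTokenTrustFeb2005MixedSymmetricBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;
issuedTokenTrustFeb2005MixedSymmetricBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

// TrustFeb2005IssuedTokenSymmetricBasic256:
IssuedTokenWSTrustBinding issuedTokenTrustFeb2005SymmetricBinding = new IssuedTokenWSTrustBinding();
issuedTokenTrustFeb2005SymmetricBinding.TrustVersion = TrustVersion.WSTrustFeb2005;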
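
How one of the username bindings above is put to use, as an added example that is not part of the original page: it requests a token through WIF 3.5's WSTrustChannelFactory and keeps the factory and the request on the same WS-Trust version as the binding. The class AdfsTokenClient, its method, and its parameters are hypothetical names; the endpoint URI and relying-party URI are supplied by the caller.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

// Hypothetical helper, not part of WIF or AD FS.
static class AdfsTokenClient
{
    public static SecurityToken RequestToken(
        UserNameWSTrustBinding binding, Uri stsEndpoint, Uri relyingParty,
        string userName, string password)
    {
        // Transport and mixed modes rely on TLS to protect the credential,
        // so refuse a non-https endpoint before anything is sent.
        if (binding.SecurityMode != SecurityMode.Message &&
            stsEndpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Transport/mixed bindings need an https endpoint.");

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsEndpoint));
        // The factory must use the same WS-Trust version as the binding
        // (and as the AD FS endpoint the binding was configured for).
        factory.TrustVersion = binding.TrustVersion;
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        bool isTrust13 = binding.TrustVersion == TrustVersion.WSTrust13;
        var rst = new RequestSecurityToken
        {
            // The request type URI differs between WS-Trust 1.3 and 2005.
            RequestType = isTrust13 ? WSTrust13Constants.RequestTypes.Issue
                                    : WSTrustFeb2005Constants.RequestTypes.Issue,
            AppliesTo = new EndpointAddress(relyingParty)
        };

        try
        {
            IWSTrustChannelContract channel = factory.CreateChannel();
            SecurityToken token = channel.Issue(rst);
            factory.Close();
            return token;
        }
        catch
        {
            factory.Abort();   // do not leave a faulted channel factory open
            throw;
        }
    }
}
```

Pass a binding built exactly as in the endpoint list, for example `new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential)` for Trust13UserNameMixed, together with the URI of the matching AD FS endpoint.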