WIF (using Thinktecture Identity Server) and Duplex WCF Channels

Question

I am currently using Thinktecture Identity Server Version 2.4 and Windows Identity Foundation to secure communications between .net application and server using issued tokens.

I have this working over a standard WCF NET TCP channel by exposing a federated endpoint and using the “CreateChannelWithIssuedToken(SecurityToken)” method of the channel factory to supply the security token returned from the Issue request.

However there appears to be no equivalent method for the DuplexChannelFactory that allows us to pass in an Instance context. I have read this article - http://msdn.microsoft.com/en-us/library/cc668765(v=vs.110).aspx – which details how to create the duplex bindings to achieve this, however when creating the channel I can see no way of setting the security token on the channel.

There is the IssuedToken Property - http://msdn.microsoft.com/en-us/library/system.servicemodel.description.clientcredentials.issuedtoken(v=vs.110).aspx - on the client credentials, however it’s read only.

Has anyone achieved federated security over duplex channel using TCP message security mode who could offer some advice?

Answer 1

Although manually creating the channel and issuing the token yourself with the STS isn't wrong, you can take advantage of the WIF framework to do this for you.

If you configure your client through configuration to be aware of the STS, the framework will retrieve the token itself using the message credentials you set on the channel. The framework will then set the "IssuedToken" property on the credentials of the channel.

<ws2007HttpBinding>
    <binding name="ws">
      <security mode="TransportWithMessageCredential">
        <message establishSecurityContext="false"
          negotiateServiceCredential="true"
                 clientCredentialType="UserName" />
      </security>
    </binding>
</ws2007HttpBinding>
<customBinding>
    <binding name="FederationDuplexTcpMessageSecurityBinding">
      <reliableSession />
      <security authenticationMode="SecureConversation">
            <secureConversationBootstrap authenticationMode="IssuedTokenForSslNegotiated">
                <issuedTokenParameters>
                    <issuer address="https://IdentityServer.domain/issue/wstrust/mixed/username" binding="ws2007HttpBinding" bindingConfiguration="ws" />
                    <issuerMetadata address="https://IdentityServer.domain/issue/wstrust/mex" />
                    <additionalRequestParameters>
                        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                              <Address>RelyingParty.com</Address>
                            </EndpointReference>
                        </wsp:AppliesTo>
                    </additionalRequestParameters>
                </issuedTokenParameters>
            </secureConversationBootstrap>
        </security>
    <tcpTransport />
    </binding>
</customBinding>

The code snippet above shows how you can create a duplex channel using a Secure Conversation and a secureConversationBootstrap to take care of federated security.

One advantage of this is you can also setup your own relying party URI, so you don't have to use the WCF endpoint as your relying party's identifier.

You would also need to set up the federated service behaviour to enable WIF as follows (useIdentityConfiguration is important, as it turns WIF on):

<behavior name="FederatedServiceBehaviour">
  <clientCredentials useIdentityConfiguration="true" supportInteractive="false" >
    <serviceCertificate/>
  </clientCredentials>
</behavior>

setting up the service endpoint is documented here: http://msdn.microsoft.com/en-us/library/cc668765(v=vs.110).aspx (to a degree)

As far as I can see the DuplexChannelFactory itself exposes no method for creating channels with issued tokens while passing through the instance context.

Hope this helps!