WCF and Federation security options

Over the past couple of weeks, I have been working on understanding some of the latest options available for Windows Communication Foundation (WCF) and Federation security. In particular, I have looked at Kerberos authentication (where your Active Domain serves as your Secure Token Server (STS)) to give you seamless Single Sign-On (SSO). But how do you leverage SSO if your users are outside of your domain? There are a couple of options:

1. WSFederationHttpBinding (renamed from WSFederationBinding in the Feb CTP to make it clear this only works over HTTP)

2. Active Directory Federation Services (ADFS)

ADFS looks pretty straightforward, but may be too heavy for what I was interested in doing. Today, I found this great, simple example, "Implementing a Secure token service with WCF" by Pablo M. Cibraro [found by way of Sam Gentile]. Pablo uses the username token for client authentication and an X509 certificate to encrypt and sign the server token.

Published Wednesday, March 15, 2006 2:51 PM by RHurlbut

Comments

Sunday, March 26, 2006 10:18 PM by Jim Lennox

# re: WCF and Federation security options

I just did this with a one-way trust on the ADs, putting the users in the DMZ AD. I used a similar approach to compute authorization so that the Claims were not domain specific.

Monday, March 27, 2006 1:17 AM by Robert Hurlbut

# re: WCF and Federation security options

Great -- thanks, Jim.

Friday, May 26, 2006 1:55 PM by Sam Gentile

# How To: STS/Windows Authentication with ADAM/AD, Roles in AzMan with WCF

The last week I have been connecting up my seamless Single-Sign On with Windows Authentication scheme...

Wednesday, June 14, 2006 8:41 AM by Robert Hurlbut's .NET Blog

# WCF and Security solutions

I mentioned previously I worked on some security work with WCF. In March, I worked with Sam's team to...