Federation Over TCP With WCF

Monday, April 21, 2008

One of the discussions that we had during the last summit with the rest of "Connected Systems" MVPs was the possibility of supporting a Federation Scenario over TCP in WCF. For many of us that scenario was possible in theory, but unfortunately no documentation or samples existed to support it. In fact, WCF only comes with pre-built binding for federation scenarios, the "WsFederationHttpBinding" binding, which is completely tied to Http.

For that reason, I decided to give it a shot and try to manipulate some custom bindings to use tcp instead of the common used http transport. One curios thing about TCP is that it requires security sessions (SecureConversation with requireSecurityContextCancellation equals to "True") in order to work fine. If you do not configure the binding with those security settings, WCF will throw a nice error message saying that the order of the binding elements is not correct. At the beginning I did not configure it in that way, and it took me sometime to figure out what the problem was, I would save some time with a better error description.

The resulting bindings for client, STS and the sample service were the following (In this sample, the client is authenticating against the service with a client certificate).

1. Client

</security>

</binding>

</identity>

</issuer>

</issuedTokenParameters>

</secureConversationBootstrap>

</security>

</binding>

</customBinding>

</bindings>

2. STS

</security>

</binding> </customBinding>

</bindings>

3. Sample Service

</issuedTokenParameters>

</secureConversationBootstrap>

</security>

</binding>

</customBinding>

</bindings>

It is not required that the STS and service use both TCP transport for communicating with the client, which is a cool thing because now we can combine different transports in a whole federation scenario. For instance, we can have a Http communication between the client and the STS, and a TCP communication with between the client and the final service.

The complete sample is available to download from here.

How can I add "TokenRequestParameters" to abinding, when I use NetTcpBinding instead of WsHttpFederationBinding?

Milan - Monday, April 28, 2008 3:05:33 PM

Can this extrapolated to deal with MSMQ backed WCF Services by simply changing the transport?

Scott - Thursday, October 30, 2008 3:33:59 PM

Hi Scott,

I haven't tried. I am not sure if it is going to work due to the fact that MSMQ is a one way channel.

Regards,
Pablo.

cibrax - Thursday, October 30, 2008 3:43:04 PM

Hi Scott,

That's pretty cool. So you could make it work with Msmq between the client and the final service ?.

Thanks
Pablo.

cibrax - Monday, November 3, 2008 7:37:25 PM

Hey Pablo,

So, in a real world scenario, how are you passing other types of client credentials to the service, such as a credential that would identify an individual user instead of the certificate identity?

Thanks!

John - Tuesday, March 31, 2009 9:36:15 AM

Hey Pablo,

Thanks for the example.

I tried to implement your solution on MS litware's solution.
It is little more complicated because the STS is seperated into
Authentication STS and Authorization STS, and its based on
Username password validation.

Do you have an example using UserName for Client Credential Type?

Thanks

Yaniv - Sunday, May 24, 2009 12:04:12 PM

Hi!
I have tried to adapt your sample solution to use http for communication with an STS, in my case the StarterSTS from CodePlex. It seems hard to get the configuration right, you don't happen to have an updated sample using the WIF (Geneva) SDK Beta 2?
/Per

persa - Thursday, September 24, 2009 2:27:55 PM

7 Comments