
Stuck in a Authentication redirect loop - STS/WIF


Using VS2012 and .NET Framework 4.5, I created a WCF Service Application with a Local STS, using the Identity and Access plugin. My goal is to be able to authenticate using the browser. What I did so far:

  • Added WSFAM and SAM modules.
  • Used Fiddler to make sure that I'm getting redirect properly
  • Made sure that FedAuth[] cookies are created.

Right after the cookies are created (by SAM), I'm redirected back to the STS again. This is where I get stuck in a loop.

WCF and Web Services are quite new to me, so sorry if I elaborated too much...

Here's my web.config:

    <?xml version="1.0"?>
<configuration>
  <!-- Relying-party web.config for a WS-Federation passive sign-in test against a local STS.
       Review notes below mark the settings that are only acceptable on a developer machine:
       each of them weakens token, transport or cookie protection and should be tightened
       before this configuration is reused anywhere reachable from other hosts. -->
  <configSections>
    <!-- Registers the WIF 4.5 configuration sections used further down
         (system.identityModel and system.identityModel.services). -->
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <!-- The federation metadata document stays anonymously readable (the STS and the
       Identity and Access tool fetch it); every other path is denied to anonymous users below. -->
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <!-- Deny anonymous users ("?") site-wide. With authentication mode="None" no Forms or
           Windows handler is involved; the resulting 401 is what the WS-Federation module
           turns into the redirect to the STS. -->
      <deny users="?" />
    </authorization>
    <authentication mode="None" />
    <!-- Review: validateRequest="false" disables ASP.NET request validation for every page.
         WIF samples typically set it because the token posted back by the STS contains XML
         that request validation would reject; confirm that is the reason here and keep the
         scope as narrow as possible (sign-in endpoint only). -->
    <pages validateRequest="false" />
    <httpRuntime targetFramework="4.5" />
    <!-- Review: debug="true" is a development-only setting. -->
    <compilation debug="true" targetFramework="4.5" />
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <!-- useIdentityConfiguration="true" makes the service take its token handlers, audience
               URIs and issuer registry from the <system.identityModel> section below. -->
          <serviceCredentials useIdentityConfiguration="true">
            <!--Certificate added by Identity and Access Tool for Visual Studio.-->
            <!-- A CN=localhost certificate looked up by subject in the LocalMachine/My store;
                 a local-testing identity, not one to ship with. -->
            <serviceCertificate findValue="CN=localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <!-- Default-endpoint mapping for the http scheme. The explicit endpoint below names its own
         binding (basicHttpBinding/MyBinding), so as far as this file shows the federation
         binding is not what Service1 actually uses; confirm that is intended. -->
    <protocolMapping>
      <add scheme="http" binding="ws2007FederationHttpBinding" />
    </protocolMapping>
    <bindings>
      <basicHttpBinding>
        <!-- Review: TransportCredentialOnly performs HTTP-level client authentication with no
             transport or message protection, so Windows credentials and payloads travel over
             plain HTTP. Acceptable only on localhost. -->
        <binding name="MyBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfFAMTest.Service1">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="MyBinding" contract="WcfFAMTest.IService1" />
        <!-- Metadata exchange endpoint; goes together with httpGetEnabled above and should be
             removed or restricted before deployment for the same reason. -->
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
  <system.webServer>
    <!-- WSFederationAuthenticationModule (WSFAM) issues the redirect to the STS and consumes the
         token it posts back; SessionAuthenticationModule (SAM) turns that into the FedAuth
         session cookies. Both run in the ASP.NET pipeline (preCondition="managedHandler"). Per
         the solution on this page they do not take effect for a WCF .svc request, which is
         consistent with the observed loop: the cookies are issued but the next request to the
         service still answers 401 and redirects again. -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
    <!-- Review: directory browsing exposes the site layout; disable it outside development. -->
    <directoryBrowse enabled="true" />
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <!-- A token is accepted only if its audience matches one of these URIs; they must agree
           with the wsFederation realm below (both use http://localhost:53655). -->
      <audienceUris>
        <add value="http://localhost:53655" />
        <add value="http://localhost:53655/Service1.svc" />
      </audienceUris>
      <!-- Review: certificateValidationMode="None" turns off X.509 chain and revocation
           validation of the token-signing certificate. Issuer trust then rests solely on the
           thumbprint list below; use PeerTrust or ChainTrust before any wider use. -->
      <certificateValidation certificateValidationMode="None" />
      <!-- Only tokens signed by a certificate with the listed thumbprint are trusted, and the
           issuer name "LocalSTS" is what the claims will carry. The thumbprint must match the
           local STS signing certificate exactly. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <!-- Passive sign-in parameters: issuer is the STS sign-in URL, realm identifies this
           relying party (matches audienceUris), reply is where the STS posts the token back.
           Review: requireHttps="false" and the plain http realm/reply URLs let the whole round
           trip, token included, travel unencrypted; development only. -->
      <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:15937/wsFederationSTS/Issue" realm="http://localhost:53655" reply="http://localhost:53655" requireHttps="false" />
      <!-- Review: requireSsl="false" allows the FedAuth session cookies to be sent without TLS,
           so an observer of the traffic could reuse the session. Set to true together with
           requireHttps above outside a localhost test. -->
      <cookieHandler requireSsl="false" />
    </federationConfiguration>
  </system.identityModel.services>
  <appSettings>
    <!-- Settings written by the Identity and Access tool. The metadata location is fetched over
         plain http, so on an untrusted network the advertised signing certificate could be
         substituted; EnforceIssuerValidation=false appears to relax the tool's issuer check
         (tool-specific setting, confirm its exact effect). Both are development-only choices. -->
    <add key="ida:FederationMetadataLocation" value="http://localhost:15937/wsFederationSTS/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:ProviderSelection" value="localSTS" />
    <add key="ida:EnforceIssuerValidation" value="false" />
  </appSettings>
</configuration>

Fiddler trace:

Response #10108 - sets the FedAuth cookies and redirects to the resource. Request #10109 - request to the redirected resource, using the given cookies. Response #10109 - result 401, redirected to the STS again at #10111.


Solution

  • I was using a WCF Web Service application, which doesn't support these modules. Switched to an ASP.NET Web Application, configured the same way, and it works perfectly.