Tags: c#, .net, .net-4.5, ws-trust

WCF Active STS (WS-Trust) : Access is denied at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize for JAVA clients


I am creating an Active STS that authenticates RSTs using issued tokens (SAML1, SAML2) and issues BinarySecurityTokens. This is working fine for .NET clients. However, for RSTs from Java clients (code, SoapUI, etc.), we get the following exception:

<ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Access is denied.</Message>
   at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
   at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
   at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
   at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
   at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
   at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
   at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
   at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)...

I suspect the issue is with serviceAuthorization for the binding. However, I could not find any documentation on configuring authorization for claims-based authentication. Here is my configuration. Behavior:

<serviceBehaviors>
  <behavior name="">
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />
  </behavior>
  <behavior name="WSTrustServiceBehaviour">
    <!-- Incoming SAML tokens are validated by the WIF identity configuration named STSIDConfig -->
    <serviceCredentials useIdentityConfiguration="true" identityConfiguration="STSIDConfig">
      <!-- audienceUriMode="Never" skips the audience check and certificateValidationMode="None"
           skips validation of the token-signing certificate; both are debugging settings that
           accept a token from any signer and must be tightened before deployment -->
      <issuedTokenAuthentication audienceUriMode="Never" certificateValidationMode="None">
      </issuedTokenAuthentication>
    </serviceCredentials>
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
    <!-- To receive exception details in faults for debugging purposes, set the value below to true.
         Set to false before deployment to avoid disclosing exception information -->
    <serviceDebug includeExceptionDetailInFaults="true" />
    <!-- Always: every operation runs with the authenticated identity as the thread principal -->
    <serviceAuthorization principalPermissionMode="Always" />
  </behavior>
</serviceBehaviors>

Binding:

<ws2007FederationHttpBinding>
  <clear/>
  <binding name="WS2007FedttpBinding">
    <!-- HTTPS for transport security, SAML token carried in the SOAP Security header -->
    <security mode="TransportWithMessageCredential">
      <message establishSecurityContext="false" issuedKeyType="BearerKey">
      </message>
    </security>
  </binding>
</ws2007FederationHttpBinding>

Service:

<service behaviorConfiguration="WSTrustServiceBehaviour" name="CustomSTS">
  <endpoint name="WSTrust13HttpEndpoint" address="" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FedttpBinding" contract="System.ServiceModel.Security.IWSTrust13SyncContract" />
  <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>

Please let me know what is missing.


Solution

  • It appears that ws2007FederationHttpBinding requires the RST to carry WS-Addressing headers, and the "Access is denied" error was occurring because the WS-Addressing headers were missing from requests coming from Java clients. I didn't find an option to disable WS-Addressing for ws2007FederationHttpBinding, so for now we have asked clients to add WS-Addressing headers.
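The RST that the answer above asks Java clients to send, as an added example that is not part of the original question or answer. The script below builds a WS-Trust 1.3 Issue request as a SOAP 1.2 envelope with WS-Addressing 1.0 headers (the message version ws2007FederationHttpBinding uses) and includes a check you can run over a captured SoapUI envelope to see which WS-Addressing headers it lacks before sending it. The STS and relying-party URLs and the unsigned placeholder SAML 2.0 assertion are constructed for the example; a real request carries an assertion signed by an issuer the STS trusts.

```python
"""Build a WS-Trust 1.3 RST with WS-Addressing 1.0 headers and check an
envelope for them.  Added example, not code from the original post."""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",          # SOAP 1.2
    "wsa": "http://www.w3.org/2005/08/addressing",           # WS-Addressing 1.0
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # WS-Trust 1.3
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ISSUE_ACTION = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
ISSUE_REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
BEARER_KEY_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer"
ANONYMOUS = "http://www.w3.org/2005/08/addressing/anonymous"
# The addressing headers this example always emits and checks for on a request.
WSA_HEADERS = ("To", "Action", "MessageID")

# Constructed placeholder: unsigned and not something a real STS would accept.
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">'
    "<saml2:Issuer>https://idp.example.com/</saml2:Issuer></saml2:Assertion>"
)

# Constructed envelope with an empty header, like a SoapUI request with WS-A disabled.
NO_WSA_ENVELOPE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header/>'
    '<s:Body><wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
    "<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>"
    "</wst:RequestSecurityToken></s:Body></s:Envelope>"
)


def q(prefix, local):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_rst(sts_url, applies_to, assertion_xml, token_type=NS["saml2"]):
    """Return a SOAP 1.2 RST/Issue envelope addressed to sts_url, carrying the
    SAML assertion as the message credential and asking for a bearer token."""
    env = ET.Element(q("s", "Envelope"))
    header = ET.SubElement(env, q("s", "Header"))
    values = {"To": sts_url, "Action": ISSUE_ACTION, "MessageID": "urn:uuid:" + str(uuid.uuid4())}
    for local in WSA_HEADERS:
        h = ET.SubElement(header, q("wsa", local))
        h.set(q("s", "mustUnderstand"), "1")  # receiver must process addressing headers
        h.text = values[local]
    reply_to = ET.SubElement(header, q("wsa", "ReplyTo"))
    ET.SubElement(reply_to, q("wsa", "Address")).text = ANONYMOUS  # reply on the HTTP response
    sec = ET.SubElement(header, q("wsse", "Security"))
    sec.set(q("s", "mustUnderstand"), "1")
    sec.append(ET.fromstring(assertion_xml))  # the issued token used to authenticate the RST

    body = ET.SubElement(env, q("s", "Body"))
    rst = ET.SubElement(body, q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE_REQUEST_TYPE
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    ET.SubElement(rst, q("wst", "KeyType")).text = BEARER_KEY_TYPE  # matches issuedKeyType="BearerKey"
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    return ET.tostring(env, encoding="unicode")


def check_rst(envelope_xml):
    """List what is wrong with the WS-Addressing headers of an envelope:
    missing headers, or an Action that is not the WS-Trust 1.3 Issue action."""
    root = ET.fromstring(envelope_xml)
    header = root.find(q("s", "Header"))
    present = {}
    if header is not None:
        for child in header:
            if child.tag.startswith("{%s}" % NS["wsa"]):
                present[child.tag.split("}", 1)[1]] = (child.text or "").strip()
    problems = ["missing wsa:%s" % h for h in WSA_HEADERS if h not in present]
    if "Action" in present and present["Action"] != ISSUE_ACTION:
        problems.append("wsa:Action is %s, expected %s" % (present["Action"], ISSUE_ACTION))
    return problems


if __name__ == "__main__":
    rst = build_rst("https://sts.example.com/trust", "https://rp.example.com/", SAMPLE_ASSERTION)
    print(rst)
    print("problems in built RST:", check_rst(rst))
    print("problems in SoapUI-style envelope:", check_rst(NO_WSA_ENVELOPE))
```

The value of wsa:To must be the STS endpoint address as WCF knows it, and wsa:Action must match the WS-Trust 1.3 Issue action, otherwise the dispatcher still rejects the message even though the headers are present.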