I'm trying to implement the following scenario:
Looks like the first step is the main problem. As MSDN suggests, the message element of wsFederationHttpBinding doesn't have a clientCredentialType. As a result, whenever my AuthorizationPolicy examines evaluationContext.Properties["Identities"] it sees a WindowsIdentity in it. I'd like to authenticate the user against custom storage (a DB).
Is there any way to accomplish it with wsFederationHttpBinding?
Well, here's the answer:
STS config:
<behaviors>
  <serviceBehaviors>
    <behavior name="STSBehaviour">
      <!-- Custom credentials processing: UserName tokens are handed to our own validator -->
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
                                customUserNamePasswordValidatorType="SecurityTokenService.UserNameValidator, SecurityTokenService"/>
      </serviceCredentials>
      <!-- end custom credentials processing -->
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <wsHttpBinding>
    <binding name="wsHttpUsername">
      ...
      <security mode="Message">
        <message clientCredentialType="UserName"
                 negotiateServiceCredential="false"
                 establishSecurityContext="false" />
      </security>
      ...
    </binding>
  </wsHttpBinding>
</bindings>
<services>
  <service behaviorConfiguration="STSBehaviour"
           name="Microsoft.ServiceModel.Samples.SecurityTokenService" >
    ....
  </service>
</services>
Username validator:
using System.IdentityModel.Selectors;
using System.Security;

// Referenced from customUserNamePasswordValidatorType in the STS config above.
// WCF calls Validate for every UserName token the STS receives; throwing rejects it.
public class UserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // VerifyCredentials is the lookup against the custom store (DB); its body is not shown here.
        if (!VerifyCredentials(userName, password))
            throw new SecurityException("Invalid credentials");
    }
}
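As an added example (not the answer's code), a validator of the kind the STS config above points to, checking the supplied password against a salted PBKDF2 hash instead of a plaintext column. The in-memory Store, the user "alice" and the DbUserNameValidator name are constructed stand-ins for the DB, and it throws SecurityTokenException, the exception type WCF documents for a failed custom validator.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical validator for the STS configured above. Store is an in-memory
// dictionary constructed here to stand in for the DB table of
// userName -> (salt, PBKDF2 hash); a real implementation queries the DB.
public class DbUserNameValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000, SaltBytes = 16, HashBytes = 32;
    // Constructed sample record: user "alice" with password "Passw0rd!".
    private static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> Store =
        new Dictionary<string, (byte[] Salt, byte[] Hash)>(StringComparer.OrdinalIgnoreCase)
        { ["alice"] = Seed("Passw0rd!") };

    private static (byte[] Salt, byte[] Hash) Seed(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (salt, Derive(password, salt));
    }

    // PBKDF2 (HMAC-SHA1 in this overload) with a per-user salt; never store plaintext.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            throw new SecurityTokenException("Invalid credentials");
        // Unknown user: derive against a dummy record anyway so response time
        // does not reveal whether the user name exists.
        if (!Store.TryGetValue(userName, out var record))
            record = (new byte[SaltBytes], new byte[HashBytes]);
        // Fixed-time comparison and one generic message for every failure cause.
        if (!FixedTimeEquals(Derive(password, record.Salt), record.Hash))
            throw new SecurityTokenException("Invalid credentials");
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Point customUserNamePasswordValidatorType at this class (with its namespace and assembly) in place of UserNameValidator; the rest of the STS config is unchanged.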