Federation and Configuration Service
-
Monday, October 13, 2008 5:11 PM
This is absolutely great but I'm wondering about services protected by other WCF-based Security Token Services (STSs) using federation bindings. Will this allow for such scenarios where a client authenticates via ClientCredentials to a service protected by an STS which follows the membership provider model for authentication? What are some high-level steps that would be needed to take such existing services and convert them over to utilize the Configuration Service and other components?
Any help is appreciated.
All Replies
-
Monday, October 13, 2008 6:29 PM (Moderator)
At a minimum, I would need to add support for wsFederationHttpBinding. This part is easy. I will need to test it out, however, before I know what else may be required. When I test, is there a specific sample (in the Windows SDK or elsewhere) for the Federation binding that I should use that would closely emulate your environment? Or, can you provide me sample bindings and config-driven descriptions you use now? In general, if STS details, endpoint identities, service behaviors and endpoint behaviors are specified in config (and I believe all can be), then this scenario may be possible without further changes other than adding wsFederationHttpBinding as a supported binding type, which I can do; but again, until I test out the scenario, I can't be 100% sure. So the more details you can provide, the better... If not everything is specified in config, for most everything there are callbacks (via code) to change service descriptions/add code-driven behaviors on the service side, and to capture/modify client ChannelFactory properties (or DuplexChannelFactories) as they are created by ConfigService, on an endpoint-to-endpoint basis... so I think it can work, but again until I go through the exercise myself, "I do not know what I don't know"...
-Greg
-
Monday, October 13, 2008 9:03 PM
Completely understand. Although Zermatt is an up-and-coming way of creating STS services, many currently deployed systems use their own Security Token Services with wsFederationHttpBinding. Ours, and I'm sure many other scenarios, are based on custom Security Token Services which are published all over the place, but the one that most likely resembles ours can be found here @ http://www.thatindigogirl.com/ct.ashx?id=722d57dc-d8fd-44a5-88a7-00c13cd25394&url=http%3a%2f%2fwww.thatindigogirl.com%2fdownloads%2fLearningWCFVS2008.zip
We also utilize custom attributes that we created for various behaviors like object pooling, and our custom security attributes are all code based, so I'm not sure how that plays out.
Once downloaded, go to the following directory LearningWCF\Samples\Security\ClaimsBased\ClaimsBasedAuthorizationWithFederation and you will find a complete solution.
I hope that answers your question and I hope it's possible.
-
Monday, October 13, 2008 10:31 PM (Moderator)
I will look at it. As far as custom attributes/code-based config of services and/or service operations, this should be fine; Config Services does not dictate any of this, and in fact the StockTrader services themselves all use a combination of code-based attributes (for example, a DispatchByBody behavior for interop with WebSphere) and custom config-based behaviors etc. So I will look at it.
-Greg
-
Tuesday, October 14, 2008 1:37 AM (Moderator)
I am in the process tonight (and maybe the next few days) of testing and hopefully adding your scenario (federated security/STS) based on the sample code you posted. I believe this is the only core scenario that I have not tested/added to Config Service, so it will be a learning experience for me; thank you! We will see how it goes... If all goes well, I will post an update to the download that will support it; I cannot make a commitment on the timeline. In no way will this update break any existing implementations on 2.02; just added functionality, with notes/updates to the docs on how to set up/configure. My goal, as always, is to keep the fact that you are hosting Config Service from in any way interfering with all of the rich options WCF itself supports.
I may have additional questions from you as I delve into.....
-Greg
-
Tuesday, October 14, 2008 2:12 PM
Great. Hopefully it'll go well.
So it looks like having custom attributes will not cause any issues, but what about clients that use custom classes that extend the ClientBase<T> class? We have a custom class where we are able to pass in information via the header from the client to the server. I've seen that you have to extend a class in order to fully get the Configuration power. Looks like we have to choose your base class or ours, unless you know of a different way. I can provide you an example, but it's the type of information that does not belong in a data contract or the actual operation and simply passes some other security information via a custom header through an extended ClientBase<T> class.
-
Friday, October 17, 2008 10:25 PM (Moderator)
You could do the same with the ConfigService-generated client: modify/extend it however you want/need, including with a class that makes it easy to generate a custom header.
I am able to pass custom headers using the Config-Service-generated client simply via:
1) Choosing client class constructor to create unique channel instance (this assumes header will be different on a per-request basis).
2) Adding header in use of client per normal technique. Example below:
using System.ServiceModel;
using System.ServiceModel.Channels;

// Instantiate our client, passing in the name of the Hosted Service (endpoint) we are connecting to.
// The second argument selects the constructor that creates a unique channel instance for this client.
SimpleServiceClient myClient = new SimpleServiceClient("Simple Service wsHttp", true);
using (OperationContextScope scope = new OperationContextScope((IContextChannel)myClient.Channel))
{
    // The OperationContext is set and will exist for the duration of the scope.
    MessageHeader header = MessageHeader.CreateHeader("Header1", "myNamespace", "HHHH");
    OperationContext.Current.OutgoingMessageHeaders.Add(header);

    // Call the remote service operation (myMessage is the text entered on the page).
    string theReturnMessage = myClient.SayHello(myMessage);

    // This just cleans up the line breaks for HTML display: since the service host also displays
    // in the Console, the return value has newline \n sequences, which we replace with HTML line breaks.
    Label1.Text = "Simple Service Returned Message is: " + theReturnMessage.Replace("\n", "<br/>");
    myClient.Close();
}
You could add some sort of custom class within your client (extending the generated client class at will) with more sophisticated logic/data types for creating the header as well.
3) I have also added support for wsFederationHttpBinding, although I have not tested an end-to-end STS scenario; I plan to, and I believe it should work. I believe I can publish the update in the next week or two as V2.0.2.1. Any updates to specific Config Service source files are now noted in comments in the files themselves.
-Greg
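Editor's note (added example, not part of the thread and not Config Service or StockTrader code): the post above adds the header inside an OperationContextScope on each call. The alternative below keeps any existing ClientBase<T> subclass untouched by attaching the header as an endpoint behavior, so it is sent on every request from that channel, and shows the service-side counterpart that reads and validates it. It uses only standard WCF 3.5 APIs; the header name, namespace, length limit, and the SimpleServiceClient type in the usage comment are assumptions. The header is carried inside whatever message/transport security the binding provides; it is not an authentication credential on its own.

```csharp
// Added example (not from the thread or the Config Service sources). Assumptions:
// a header "CorrelationContext" in namespace "urn:example:headers" carrying an opaque
// context string; the binding already secures the message, so the header is not a credential.
using System;
using System.Collections.ObjectModel;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public static class ContextHeader
{
    public const string Name = "CorrelationContext";   // assumed name
    public const string Namespace = "urn:example:headers"; // assumed namespace
    public const int MaxLength = 256;                  // assumed limit, enforced by the service
}

// Client side: adds the header to every outgoing request on the endpoint. Attach it before the
// channel is opened; no OperationContextScope and no change to a ClientBase<T> subclass needed.
public sealed class ContextHeaderInspector : IClientMessageInspector, IEndpointBehavior
{
    private readonly Func<string> _valueProvider;
    public ContextHeaderInspector(Func<string> valueProvider) { _valueProvider = valueProvider; }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        string value = _valueProvider();
        if (!string.IsNullOrEmpty(value))
            request.Headers.Add(MessageHeader.CreateHeader(ContextHeader.Name, ContextHeader.Namespace, value));
        return null;
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    { clientRuntime.MessageInspectors.Add(this); }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Service side: the validated header value is exposed to operations through a typed
// OperationContext extension instead of being re-parsed in every operation.
public sealed class ContextHeaderExtension : IExtension<OperationContext>
{
    public string Value { get; private set; }
    public ContextHeaderExtension(string value) { Value = value; }
    public void Attach(OperationContext owner) { }
    public void Detach(OperationContext owner) { }

    public static string Current
    {
        get
        {
            OperationContext ctx = OperationContext.Current;
            ContextHeaderExtension ext = ctx == null ? null : ctx.Extensions.Find<ContextHeaderExtension>();
            return ext == null ? null : ext.Value;
        }
    }
}

public sealed class ContextHeaderDispatchInspector : IDispatchMessageInspector, IServiceBehavior
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        int idx = request.Headers.FindHeader(ContextHeader.Name, ContextHeader.Namespace);
        if (idx < 0)
            throw new FaultException("Required header missing.");      // fail closed: no header, no call
        string value = request.Headers.GetHeader<string>(idx);
        if (value.Length > ContextHeader.MaxLength)
            throw new FaultException("Header value too long.");       // bound what callers can inject
        OperationContext.Current.Extensions.Add(new ContextHeaderExtension(value));
        return null;
    }
    public void BeforeSendReply(ref Message reply, object correlationState) { }

    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcher cd in host.ChannelDispatchers)
            foreach (EndpointDispatcher ed in cd.Endpoints)
                ed.DispatchRuntime.MessageInspectors.Add(this);
    }
    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }
    public void Validate(ServiceDescription description, ServiceHostBase host) { }
}

// Usage (SimpleServiceClient is the generated proxy named in the thread; constructor assumed):
//   SimpleServiceClient client = new SimpleServiceClient("Simple Service wsHttp", true);
//   client.Endpoint.Behaviors.Add(new ContextHeaderInspector(() => Guid.NewGuid().ToString()));
// Host side, before host.Open():
//   host.Description.Behaviors.Add(new ContextHeaderDispatchInspector());
// Inside an operation: string ctx = ContextHeaderExtension.Current;
```

The service inspector rejects a missing or oversized header before the operation runs, so an operation can rely on ContextHeaderExtension.Current being present and bounded. Because the generated client may create its channel lazily, add the endpoint behavior immediately after constructing the proxy and before the first call.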
-
Friday, October 24, 2008 6:48 PM
Thanks Greg.
I'm just worried about not utilizing ClientBase<T>, as too many clients have already been deployed and are relying on the aforementioned class. Hope all is going well on the federated scenario. Let me know if you need help setting it up. The certificates are the only painful aspect of the whole setup.
-
Thursday, November 13, 2008 5:05 PM
Greg, any status on federation? Any issues?
-
Thursday, November 13, 2008 5:36 PM (Moderator)
I have a build that incorporates all that is needed, I believe. But I am holding it for a couple of other updates; do you have a timeline for when it is needed?
Also, as mentioned when 2.02 went out, new releases from here on out will all be Visual Studio 2008 solutions....
-Greg
-
Monday, November 17, 2008 6:05 PM
No timeline and 2008 is even better.
-
Friday, November 21, 2008 1:29 PM
Hi,
I'm also anxiously anticipating this update with federated security baked in. I'm surprised it was left out of the original release, to be honest; you've been pretty thorough with everything else.
Sooner is better though.
Thanks, and keep up the good work.
Jimit Ndiaye
-
Tuesday, December 09, 2008 8:18 AM (Moderator)
Version 2.03 should be posted on MSDN tomorrow, with this in. It was supposed to go up today, but apparently did not. But I have sent it to be posted.
-
Tuesday, December 09, 2008 6:42 PM
Thanks Greg, will check it out once posted. I'm assuming it's documented somewhere.
Not to throw you any more curve balls, but have you also done any testing with the new Geneva framework? Microsoft was kind enough to completely redesign the claims-based modules, as I concur with the concerns outlined here as well. So thank you for implementing the so-called legacy WCF Federated implementation even though it's barely 2 years old, and I'm wondering if it'll work with Geneva (previously called Zermatt). And yes, it's me being sarcastic and frustrated at the same time.
-
Thursday, December 11, 2008 5:07 PM (Moderator)
I will. I want to do an example app and perhaps post it on my blog. I have not yet tested with Geneva, but I believe it will work with 2.03 (which is not yet on the forum but I am told will be later today). On the service host side, besides the new identityModel config section, it will also be required to do a simple override of the WCF ConfigurationActions method AfterCreateServiceHostBeforeOpen and make sure to initialize the Geneva framework there, I believe. This method is available for both IIS and non-IIS hosted services. So I think it will work, but I do need to work through an example. If any changes are required to Config Service itself, I will make them and post an update...
-Greg
-
Sunday, December 14, 2008 8:17 PM (Moderator)
OK. I tested with the Geneva Framework, and have this working with Config Services, including across load-balanced nodes, working with the sample Security Token Service for the bookstore sample that ships with the Geneva Framework. I did have to make a few adjustments in Config Service, and hence the delay in posting 2.03 (which was delayed anyway due to an issue with MS download sites/code signing). At any rate, I really hope the 2.03 download goes up on the Web tomorrow (pending the time it takes to get signed and go through the MSDN posting process).
To test this, I used the Federated Security for Web Services sample that ships with the latest Geneva SDK. I basically used the More Interesting Test Harness, Service B, to swap out service B for the Geneva SDK sample service.
I think I should write this up in a short paper, as there are some steps, including making sure the Config Service client gets the right address headers expected, and that the STS does not reject destination addresses that are not based on "localhost" (the sample is designed to run against a single service node, at localhost).
At any rate, it works (with upcoming 2.03 build)!
-Greg
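Editor's note (added example, not part of the thread and not Config Service, StockTrader, or Geneva SDK code): the two posts above say the host must initialize the Geneva framework from the Config Service hook AfterCreateServiceHostBeforeOpen, and that the sample STS only accepts "localhost" destination addresses, which breaks on load-balanced nodes. The helper below shows the host-side initialization in code, with the two checks a practitioner wants pinned explicitly: the audience (AppliesTo) URIs the service will accept, one per endpoint address, and the STS signing certificate the service trusts. It assumes the released WIF 1.0 API names in Microsoft.IdentityModel.dll (the Geneva beta names may differ), and the thumbprint and issuer name are placeholders. The hook's exact signature is not shown on the page, so the helper is written to be called from it rather than overriding it.

```csharp
// Added example (not from the thread, Config Service, or the Geneva SDK). Assumptions:
// released WIF 1.0 API (Microsoft.IdentityModel.dll); placeholder STS thumbprint and name.
// Call ConfigureFederatedHost(host) from the Config Service hook AfterCreateServiceHostBeforeOpen
// (signature not shown on the page), i.e. after the ServiceHost is built and before Open().
using System;
using System.IdentityModel.Selectors;
using System.ServiceModel;
using System.ServiceModel.Description;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;

public static class FederatedHostSetup
{
    // Placeholders: replace with the SHA-1 thumbprint of the STS signing certificate and the
    // issuer name your authorization code expects in the Issuer property of incoming claims.
    private const string StsSigningThumbprint = "0000000000000000000000000000000000000000";
    private const string StsIssuerName = "http://localhost/sts";

    public static ServiceConfiguration ConfigureFederatedHost(ServiceHostBase host)
    {
        // Starts from <microsoft.identityModel> in config when present, otherwise defaults.
        ServiceConfiguration cfg = new ServiceConfiguration();

        // Audience restriction: a token is accepted only if its AppliesTo matches one of these.
        // On a load-balanced deployment every address the STS may issue for must be listed,
        // which is why a sample STS that only knows "localhost" rejects other nodes.
        cfg.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        cfg.AudienceRestriction.AllowedAudienceUris.Clear();
        foreach (ServiceEndpoint ep in host.Description.Endpoints)
        {
            if (ep.Address != null && ep.Address.Uri != null)
                cfg.AudienceRestriction.AllowedAudienceUris.Add(ep.Address.Uri);
        }

        // Issuer name registry: trust exactly one STS signing certificate, pinned by thumbprint.
        // Any token signed by another certificate is rejected before claims are produced.
        ConfigurationBasedIssuerNameRegistry registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(StsSigningThumbprint, StsIssuerName);
        cfg.IssuerNameRegistry = registry;

        // Replace the host's credentials/authorization with the WIF claims pipeline.
        FederatedServiceCredentials.ConfigureServiceHost(host, cfg);
        return cfg;
    }
}
```

Returning the ServiceConfiguration lets the caller log or assert the effective audience list and issuer registry at startup, which is the quickest way to diagnose "token rejected" faults when a node's address differs from what the STS put in AppliesTo.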
-
Monday, December 15, 2008 12:55 PM
Looking forward to test it. Just going through the geneva sdk samples.
I hope you can provide sample steps for federated security with home realm-STS, rp-STS and RP, which use UserName Password authentication.
Regards
SKBG
-
Thursday, December 18, 2008 12:24 PM
Greg,
Tell me something: suppose we have to use SQL membership and roles for authentication and authorization along with an STS; should we implement our own custom identity provider or Active STS? I'm a bit confused as to where we implement the membership user-name/password validation when using user-name/password credentials for auth and roles and issue STS tokens required by a relying party. I mean, in the Federation for Web Services sample, suppose the Home-Realm STS was to use SQL membership; then what would happen? Do we simply define the serviceBehavior for the HomeRealmSTS service to use the SqlMembershipProvider along with an endpoint binding that uses message security?
I know the Geneva server can have IPs like AD DS, ADAM, AD LDS. But supposing we have SQL membership within our organization and want to authenticate users against it before sending their tokens with claims to the STS, what's the approach? I know this is not the right place to ask this question, but I'm sure you may have had your thoughts on this.
I'm currently checking these out; let me know if I'm on the right track:
http://www.leastprivilege.com/UsernamePasswordValidationWithGeneva.aspx
http://msdn.microsoft.com/en-us/magazine/2009.01.genevests.aspx
Regards
Satish
-
Friday, December 26, 2008 5:37 PM
Great. A short paper would definitely help. You may want to post a sample project as well, just to make your documentation complete.
Joking aside, it would help a lot.
-
Thursday, January 08, 2009 9:22 PM
Greg, is there really something you can post? You said you got it working with both samples (my provided sample) and Geneva. Is it something I can download? Otherwise, honestly, whatever you did, which is indeed useful, is proving to be useless if no one else knows how to (re)create it.
Let me know if it's possible to download it from somewhere.
-
Friday, January 09, 2009 3:07 AM (Moderator)
I will work on it.
It will take me a bit of time to do right (screen shots/step by step, as I like to do) given a bunch of other stuff related to StockTrader I am working on right now, and a couple of big events I am preparing for this month. But I will try to get this done over the next 2 weeks.
Basically, I used the Geneva STS sample provided in the Geneva SDK kit. There are some steps required to get it right, both on the host side and, if using the ConfigService-generated client, on the client side as well.
-Greg
-
Friday, January 09, 2009 3:18 AM (Moderator)
I hope to start the step-by-step this weekend; we will see how quickly I can complete it. It's a bit crazy right now because of a ton of perf/scale testing I am doing at the same time that will all hopefully make its way to MSDN in the next 3-4 weeks or so, and I think will prove interesting for folks. And as always, interop with Java is a part of this...
-Greg
-
Friday, January 09, 2009 3:31 AM (Moderator)
This also is kinda cool because it shows how to use the Config Service Load Balancing Client with custom SOAP headers/the STS stuff etc. on a per-request (or per-channel-instance) basis, and leads naturally into an oft-mentioned topic on this forum regarding a potential marriage of point-to-point dispatching for load balancing and failover/dynamic load balancing (high perf) in conjunction with message routing a la MSE and "Dublin" in future; something I hope to really dig into as soon as I complete the new benchmark results center for MSDN (which is involving an extensive array of testing of hosting models, binding options/security models, as well as some cool vertical scaling data for CLR/.NET 3.5 on up to 16-core systems as part of a new HP BladeSystem C7000 I am working with).
Also requests to update ConfigWeb to a cooler UI via Silverlight and/or ASP.NET MVC architecture... no shortage of stuff to do; all possible in .NET Framework 100% managed code, but it takes time and planning...
For now, know I have tested the Geneva Framework with Config Services 2.03/made the appropriate updates, and believe, based on my testing, all is there in the current version to support any WCF security scenario; I just, as you point out, need to complete a step-by-step example/tutorial to show folks how to do it...
-Greg
-
Friday, January 09, 2009 7:34 PM
Definitely no shortage of planned tasks. I will await any sort of instructions.
-
Monday, February 09, 2009 11:11 PM
Greg, is it possible for you to post the Geneva framework/ConfigWeb combination somewhere?
-
Tuesday, February 10, 2009 8:10 PM (Moderator)
I am going to try to finish this up by the end of this week... Sorry for the delay...
-Greg
Greg Leake, Microsoft
-
Thursday, February 12, 2009 9:56 PM
Thanks. I'm hoping to get my hands on it by the end of this week so I can do a demo by Monday. Preferably the one with username/password authentication (message security of type UserName).
-
Thursday, February 26, 2009 9:12 PM (Moderator)
Well, I have an almost-complete version of the document (draft) posted on my SkyDrive at:
http://cid-32827faac32acba3.skydrive.live.com/self.aspx/Public/ConfigService-Geneva.docx
This steps through the Geneva Framework sample that is the BookStoreService, an end-to-end sample for federated security using the Geneva Framework. The sample the Geneva Framework SDK (Beta, downloadable from MSDN) provides is the more complex sample, but the most interesting. The tutorial I am putting together (link above for the draft doc) steps through how to host the bookstore service using Configuration Service.
The part still missing is a full walkthrough of how to consume the bookstore service from a Config-generated client within a client app that implements the Configuration Service. The last part of the document above provides the basic steps for this missing part, but not step-by-step/screen shots. I am trying to get this document into the 2.04 release I am finishing up...
-Greg
Greg Leake, Microsoft
-
Thursday, February 26, 2009 9:53 PM
Great. Thanks Greg.
-
Saturday, February 28, 2009 12:35 PM
Thanks Greg!
-SKBG
-
Friday, April 03, 2009 9:13 AM
Greg,
This documentation didn't seem to have made it into the 2.0.4 release. Where can I find the finished doc?
Regards,
Jimit
Jimit Ndiaye
-
Tuesday, May 08, 2012 2:35 PM
Hi Greg
You wrote here (three years ago) about MVC architecture. I think you meant to bring ConfigWeb to a higher level.
Are there any issues with using ConfigServices in an MVC web application?
Thanks for your answer
Mat
-
Tuesday, May 08, 2012 10:10 PM (Moderator)
No, it can be freely used in an MVC app; it really does not matter what the host program does. ConfigWeb itself is not MVC, and that would be a good thing to do in a future release: clean up the UI to an MVC implementation. On that note, however, there will shortly be a StockTrader 6.0 that will have a new HTML5 interface, and that does use the MVC pattern for ASP.NET. It will feature HTML5, and mobile clients for Android, WP7 and iPhone, with native interfaces but about 70% common code across devices (Mono; all code is C# on all devices and compiles to native for each device). A Metro Win8 UI (that attaches to the same backend services over a secure REST interface) will also be part of this. ConfigService will get some updates as well, but not major ones; but you can implement it in a host program (a la the coming StockTrader 6 MVC + HTML5 app) using MVC.
Greg Leake, Microsoft
-
Thursday, September 27, 2012 2:00 PM
Hi Greg
We are using Windows Identity Foundation in our Azure WebRoles. And we have implemented ConfigurationServices in our Azure WebRoles and in our web services which run on premises.
Do you have a manual on how to bring that security token to the web services? The link above does not work anymore. I've seen some code about extending the client, using another binding and extending ConfigurationActions. Does that do the job?
Thanks for your answer
Mat