 

How to call STS from within a WCF Service

  • Wednesday, November 04, 2009 3:16 PM, Venkatesh G
     

    I am trying to implement a Custom STS which acts as a centralized PDP (Policy Decision Point) server (Authentication and Authorization). I am doing this because the security policies that I am planning to implement are temporary and may often need changes according to business needs.

    When I was implementing this solution I had no clue as to how to call the STS from within my WCF service to return a token that has all the security attribute claims in it. I referred to some of the sample solutions that come along with the Learning WCF book, but the sample there queries the STS only once and gets a token that has both identity and attribute claims. In my case, I would like to query the authentication claims first (from the client) and then the authorization claims from within the WCF Service. Can someone give me guidelines on how to implement this?

    Also, I am having a hard time understanding how to implement a Custom STS myself which is tailor-made for my company's requirements. I consulted the Applied SOA book by Michael Rosen et al., and they advise a security architect to be very familiar with the standards, which looks like a really time-consuming task. I also consulted the WCF Security Guide on the Microsoft Patterns and Practices website but did not find much information on how to implement a custom STS. So, I am lost in a plethora of resources, not knowing how to make sense of them all. I would really appreciate it if someone can guide me here as well.

Answers

  • Wednesday, November 04, 2009 4:15 PM, js80
     Answer
    Hello venkatesh_g_2007,

    Microsoft Geneva (now known officially as the Windows Identity Foundation) has support for creating an STS. They actually make it pretty easy to build a new test STS right from Visual Studio when creating a new Project. I'm sure you'd need to beef it up to make it "production ready" but I would at least check it out even if only for a learning tool. Try doing some MSDN searches for Geneva and you'll find some nice links. Also check out the Geneva Team Blog (http://blogs.msdn.com/card/default.aspx).

    Geneva actually has multiple components to it. One component is the Geneva Framework which is actually a set of classes, etc. that allow you to create an STS, create a service that relies on an STS, etc. They also have Geneva Server which is a Microsoft built STS that you can configure and use without coding your own. I haven't used that but you'll probably find some references to it -- I just wanted to distinguish those two pieces to avoid confusion when you're seeing references to Geneva.

    Good luck.

    • Marked as answer by Venkatesh G, Thursday, November 05, 2009 1:48 PM
  • Wednesday, November 04, 2009 4:16 PM, Dominick Baier (MVP)
     Answer
    Microsoft will release a framework for STSes and token/claims handling at PDC - you can download the beta here:

    http://www.microsoft.com/wif

    This also includes a standard hook to load authorization policies from inside a WCF service.

    To get started with writing an STS have a look at the SDK - or go to 

    http://startersts.codeplex.com

    This is a fully functional STS which is supposed to be a learning tool.

    hth
    dominick

    Dominick Baier | thinktecture | http://www.leastprivilege.com
    • Marked as answer by Venkatesh G, Thursday, November 05, 2009 1:48 PM
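The "standard hook" Dominick refers to is the pair of pipeline extension points WIF gives a WCF service: a ClaimsAuthenticationManager, which runs after the client's token has been validated and lets the service enrich the principal with further claims, and a ClaimsAuthorizationManager, which is consulted before every operation. The example below is added here and is not code from either answer or from the WIF SDK; it is written against the 2009 WIF 1.0 API (Microsoft.IdentityModel) and shows the two-stage flow the question asks for: identity claims arrive from the client's token, authorization claims are added inside the service. The namespace PdpSample, the issuer URL, the permission claim type URI, the user names and the in-memory PolicyStore are all assumptions; the PolicyStore stands in for the second round-trip to the custom STS (or any other PDP call), which would go in the same place.

```csharp
// Added example targeting WIF 1.0 (Microsoft.IdentityModel.dll, 2009).
// Registered in the service's app.config (assumed assembly name "PdpSample"):
//   <microsoft.identityModel><service>
//     <claimsAuthenticationManager type="PdpSample.PdpClaimsAuthenticationManager, PdpSample"/>
//     <claimsAuthorizationManager  type="PdpSample.PdpClaimsAuthorizationManager, PdpSample"/>
//   </service></microsoft.identityModel>
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace PdpSample
{
    // Stage 2: runs inside the WCF service after WIF has validated the client's token.
    // At this point the principal carries only the identity claims the STS issued;
    // here the authorization (attribute) claims are added from the policy decision point.
    public class PdpClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Assumed issuer name of the custom STS, as it appears in the service's
        // issuerNameRegistry. Only claims from this issuer are used as the PDP lookup key.
        public const string TrustedIssuer = "https://sts.example.com";
        public const string PermissionClaimType = "http://schemas.example.com/claims/permission";

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            var identity = incomingPrincipal.Identity as IClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
                return incomingPrincipal;   // anonymous callers get no extra claims

            // Key the policy lookup on the name claim issued by our STS, not on any
            // name claim a caller might have obtained elsewhere.
            var subject = identity.Claims.FirstOrDefault(c =>
                c.ClaimType == ClaimTypes.Name && c.Issuer == TrustedIssuer);
            if (subject == null)
                throw new UnauthorizedAccessException("no name claim from the trusted STS");

            // Constructed policy store standing in for the second STS request; the added
            // claims are stamped with the STS as issuer so CheckAccess can tell them apart.
            foreach (var permission in PolicyStore.PermissionsFor(subject.Value, resourceName))
                identity.Claims.Add(new Claim(PermissionClaimType, permission,
                                              ClaimValueTypes.String, TrustedIssuer));

            return incomingPrincipal;
        }
    }

    // Stage 3: WIF calls this before every operation. Fail closed on anything unexpected.
    public class PdpClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            var identity = context.Principal.Identity as IClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
                return false;

            // For WCF, the action claim carries the SOAP action of the operation being
            // invoked and the resource claim carries the endpoint address.
            string action = context.Action.Select(c => c.Value).FirstOrDefault();
            if (action == null)
                return false;

            return identity.Claims.Any(c =>
                c.ClaimType == PdpClaimsAuthenticationManager.PermissionClaimType &&
                c.Issuer == PdpClaimsAuthenticationManager.TrustedIssuer &&
                string.Equals(c.Value, action, StringComparison.Ordinal));
        }
    }

    // Constructed in-memory policy table; a placeholder for the PDP/STS call.
    // Values are SOAP actions, matching what CheckAccess compares against.
    internal static class PolicyStore
    {
        private static readonly Dictionary<string, string[]> Permissions =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "alice", new[] { "http://tempuri.org/IOrderService/GetOrder",
                               "http://tempuri.org/IOrderService/ApproveOrder" } },
            { "bob",   new[] { "http://tempuri.org/IOrderService/GetOrder" } },
        };

        public static IEnumerable<string> PermissionsFor(string subject, string resourceName)
        {
            string[] actions;
            return Permissions.TryGetValue(subject, out actions) ? actions : Enumerable.Empty<string>();
        }
    }
}
```

Two points a practitioner would want to keep: the authentication manager throws rather than silently continuing when the identity claims do not come from the trusted issuer, and the authorization manager matches permission claims on issuer as well as type, so a claim with the same type that arrived in the client's token from a different issuer does not grant access. Swapping the PolicyStore for a real WS-Trust request to the STS (for example via WSTrustChannelFactory in Microsoft.IdentityModel.Protocols.WSTrust) does not change either hook.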

All Replies

  • Thursday, November 05, 2009 1:47 PM, Venkatesh G
     
    Dominic & JS,

    Thank you. That gives me a head start. I have started going through the resources.