views: 49
answers: 1

I have WinForms and ASP.Net applications that need to access WCF Web and Data services using a SAML token.

I've been looking at Windows Identity Foundation (WIF) to enable the WCF service to use SAML tokens from an STS-IP.

On the client, do I make a call to the STS and get a SAML token, then pass the token to the WCF service? If so, how do I get the token and then pass it to WCF?

Or

Does the client pass the credentials (username/password) of the user to the WCF web service, which gets a SAML token and does its thing?

My understanding is WCF Data Services uses REST. So how does SAML work with REST?

+1  A: 

The SAML token can be retrieved via WS-Trust in an active client scenario (WinForms). WS-Trust describes some services which an STS offers to get a token (Request for Security Token, RST). The token gets signed for the relying party (WCF service) and can be passed to it via a WS-Security header. Of course some kind of credentials have to be passed to the STS to get a valid token first.

In the passive scenario (ASP.Net) it is a bit different. Most commonly the web app handles its user authentication using an STS. So the user has a valid associated SAML token. WS-Trust is used to get a token valid for the relying party. Then the same procedure as above.

The relying party (WCF service) only handles requests with a valid SAML token. It never gets a token for a user. After all, passing username/password and handling authentication there is exactly what you want to avoid with claims-based identity ;-)

I guess you should take a look at "A Guide to Claims-Based Identity and Access Control" from MS. Of course WS-Trust/WS-Security are used with SOAP web services.

spa
Thanks for the link and information. I'm still not clear on how the client (either WinForms or ASP.Net web app) would pass the token to the WCF Web Service. Also, how this would work with REST and WCF Data Services.
MediaSlayer
According to http://www.leastprivilege.com/SecuringWCFDataServicesUsingWIF.aspx, it appears to be a rather manual process.
spa
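The flow described in the answer, written out as an added example that is not part of the original question, answer or comments. It targets the WIF 4.5 API (the version folded into System.IdentityModel and System.ServiceModel in .NET 4.5, not the Microsoft.IdentityModel namespace of the original WIF release): an active (WinForms) client requests a bearer SAML token from an STS via WS-Trust 1.3, hands it to a WS-Federation binding so WCF places it in the WS-Security header of a SOAP call, and, for the REST/WCF Data Services case the comments call "manual", carries the raw token in an HTTP header while the service validates audience, issuer and lifetime itself. The STS and service URLs, the `IOrderService` contract, the user credentials, the issuer thumbprint and the `SAML` Authorization scheme are placeholders and assumptions, not values from the page.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Net;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;

[ServiceContract]
public interface IOrderService           // hypothetical relying-party contract
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

public static class SamlClient
{
    const string StsUrl     = "https://sts.example.com/trust/13/usernamemixed"; // placeholder
    const string ServiceUrl = "https://svc.example.com/OrderService.svc";       // placeholder

    // Step 1 (active client): RST to the STS. The STS signs the token for the AppliesTo
    // address, so only that relying party will accept it.
    public static SecurityToken RequestToken(string user, string password, out RequestSecurityTokenResponse rstr)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsUrl)) { TrustVersion = TrustVersion.WSTrust13 };
        factory.Credentials.UserName.UserName = user;       // credentials go to the STS only,
        factory.Credentials.UserName.Password = password;   // never to the relying party

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo   = new EndpointReference(ServiceUrl),
            KeyType     = KeyTypes.Bearer   // no proof key: TLS must bind the token to the channel
        };
        return factory.CreateChannel().Issue(rst, out rstr);
    }

    // Step 2a (SOAP): the federation binding puts the issued token into the WS-Security
    // header of every call; the service's WIF configuration validates it.
    public static string CallSoapService(SecurityToken token, int orderId)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(ServiceUrl));
        factory.Credentials.SupportInteractive = false;
        IOrderService proxy = factory.CreateChannelWithIssuedToken(token);
        return proxy.GetOrderStatus(orderId);
    }

    // Step 2b (REST): there is no SOAP envelope, so the SAML XML travels in an HTTP header.
    // "SAML" as the Authorization scheme is a constructed convention shared with the server.
    public static string CallRestService(RequestSecurityTokenResponse rstr, string resource)
    {
        XmlElement samlXml = rstr.RequestedSecurityToken.SecurityTokenXml;
        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(samlXml.OuterXml));

        var request = (HttpWebRequest)WebRequest.Create(ServiceUrl + "/" + resource);
        request.Headers[HttpRequestHeader.Authorization] = "SAML " + encoded;
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }
}

public static class SamlRestValidator
{
    // Server side of step 2b: what WCF does for SOAP automatically must be done by hand here.
    // The handler collection checks the issuer signature (against the registered thumbprint),
    // the audience URI and the token lifetime before any claims are trusted.
    public static ClaimsIdentity Validate(string authHeader, string audience, string issuerName, string issuerThumbprint)
    {
        if (authHeader == null || !authHeader.StartsWith("SAML ", StringComparison.Ordinal))
            throw new SecurityTokenException("missing SAML bearer token");
        string xml = Encoding.UTF8.GetString(Convert.FromBase64String(authHeader.Substring(5)));

        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerThumbprint, issuerName);   // placeholder thumbprint
        handlers.Configuration.IssuerNameRegistry = registry;

        using (var reader = XmlReader.Create(new StringReader(xml)))
        {
            SecurityToken token = handlers.ReadToken(reader);
            ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
            return identities[0];
        }
    }
}
```

`RequestToken` answers the first of the asker's two options: the client talks to the STS, and the relying party only ever sees a token signed for it. The SOAP path needs no further client code because the binding carries the token; the REST path is where the "manual" part lives, on both ends, and the service must reject the request outright when audience, issuer or lifetime fail rather than fall back to another scheme.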