Hi All,

Can someone please let me know if unsigned SAML 2.0 or 1.1 is natively supported on WCF .Net 4.0. I know that Signed SAML 1.1 is natively supported on WCF and SAML 2.0 is natively supported on WIF but I am not able to find any material regarding unsigned SAML.

+1  A: 

Not natively. The out of the box SAML 1.1 and SAML 2.0 token handlers sign the tokens. To support unsigned tokens you need to create your own token handlers that inherit from

Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler

override the signature creation/validation methods, there is a bunch of them, and do nothing in your case. The problem is that you need to control the STS services that issue tokens to you as well which might be difficult if they are not under your control.

Cosmin Onea
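The following is an added example, not code from the thread or from WIF itself. It shows the shape of a custom handler derived from `Saml2SecurityTokenHandler` on WIF 1.0 (the `Microsoft.IdentityModel` assembly used with .NET 4.0): it overrides two virtual methods that every `SecurityTokenHandler` exposes, `ReadToken(XmlReader)` and `ValidateToken(SecurityToken)`, delegates to the base implementation and traces the flow, which is the way to find out which method rejects an unsigned assertion. The answer does not name the signature-specific hooks, and this example does not guess them. Because the handler only works safely when the issuing STS is under your control, it also pins accepted claims to an issuer allowlist; the class name, the `trustedIssuers` list and its source are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

// Hypothetical handler (added example). It follows the approach from the
// answer: override the virtual methods, call the base implementation, and
// trace so the step that rejects a hand-crafted unsigned assertion can be
// located under the debugger. It additionally restricts accepted tokens to
// issuers this service explicitly trusts.
public class TracingSaml2TokenHandler : Saml2SecurityTokenHandler
{
    // Assumption: the host fills this from its own configuration
    // (e.g. the entity ID of the on-premise STS).
    private readonly HashSet<string> trustedIssuers;

    public TracingSaml2TokenHandler(IEnumerable<string> trustedIssuers)
    {
        this.trustedIssuers = new HashSet<string>(trustedIssuers, StringComparer.Ordinal);
    }

    public override SecurityToken ReadToken(XmlReader reader)
    {
        Trace.TraceInformation("ReadToken: parsing incoming SAML 2.0 assertion");
        try
        {
            return base.ReadToken(reader);
        }
        catch (SecurityTokenException ex)
        {
            // An assertion the base handler refuses (for example because it
            // carries no signature) surfaces here; record why, keep the rejection.
            Trace.TraceWarning("ReadToken rejected the assertion: {0}", ex.Message);
            throw;
        }
    }

    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        Trace.TraceInformation("ValidateToken: token type {0}", token.GetType().Name);
        ClaimsIdentityCollection identities = base.ValidateToken(token);

        // Every claim must originate from an issuer on the allowlist; anything
        // else is rejected even if the base validation passed.
        foreach (IClaimsIdentity identity in identities)
        {
            foreach (Claim claim in identity.Claims)
            {
                if (!trustedIssuers.Contains(claim.Issuer))
                {
                    throw new SecurityTokenValidationException(
                        string.Format("Issuer '{0}' is not a trusted issuer.", claim.Issuer));
                }
            }
        }
        return identities;
    }
}
```

The handler is registered in place of the default one through the WIF service configuration (`<microsoft.identityModel><service><securityTokenHandlers>`, removing the built-in `Saml2SecurityTokenHandler` and adding this type); with that in place, sending the hand-crafted unsigned token the answer describes shows in the trace output which override throws, and that is where any further override would go.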
Thanks a lot for your reply.
rauts
Good news is that we will be creating an on-premise STS service over which we have full control. So if I understand correctly, I can create SAML 1.1 and 2.0 signed and unsigned tokens. And if I need to support unsigned 2.0 tokens, I will have to create my own token handlers as you mentioned. Do you have any sample code for this implementation? Thanks a lot again.
rauts
Unfortunately I have no sample code for this, but look at the classes themselves and look at the overridable methods to understand where you need to plug in your code. What I would do is override all methods, just call the base impl in overrides, and set breakpoints in them to see what the flow of processing the token is. Hand craft an unsigned token and pass it to your service and see what method breaks and fix it by simply returning. This is in no way security design advice :). Can I ask why you don't want to sign the tokens?
Cosmin Onea
There are use cases where I have to support unsigned SAML tokens as well. The service request would be signed anyway, so signing the SAML token would add an overhead. So we have to support unsigned SAML tokens as well.
rauts
All right, I have not done this before myself, but you need to play with the guts of the token handlers.
Cosmin Onea
Thanks for all the information. I think I will be able to close this with all the pointers you have provided.
rauts