WIF, ADFS 2 and WCF–Part 1: Overview

Posted by Your DisplayName here! on Least Privilege See other posts from Least Privilege or by Your DisplayName here!
Published on Mon, 11 Oct 2010 12:40:58 GMT Indexed on 2010/12/06 17:00 UTC
Read the original article Hit count: 296

Filed under:

A lot has been written already about passive federation and integration of WIF and ADFS 2 into web apps. The whole active/WS-Trust feature area is much less documented or covered in articles and blogs.

Over the next few posts I will try to compile all relevant information about the above topics – but let’s start with an overview.

ADFS 2 has a number of endpoints under the /services/trust base address that implement the WS-Trust protocol. They are grouped by the WS-Trust version they support (/13 and /2005), the client credential type (/windows*, /username*, /certificate*) and the security mode (*transport, *mixed and message). You can see the endpoints in the MMC console under the Service/Endpoints page. So in other words, you use one of these endpoints (which exactly depends on your configuration / system setup) to request tokens from ADFS 2.

The bindings behind the endpoints are more or less standard WCF bindings, but with SecureConversation (establishSecurityContext) disabled. That means that whenever you need to programmatically talk to these endpoints – you can (easily) create client bindings that are compatible.

Another option is to use the special bindings that come with WIF (in the Microsoft.IdentityModel.Protocols.WSTrust.Bindings namespace). They are already pre-configured to be compatible with the ADFS endpoints. The downside of these bindings is, that you can’t use them in configuration. That’s definitely a feature request of mine for the next version of WIF.

The next important piece of information is the so called Federation Service Identifier. This is the value that you (at least by default) have to use as a realm/appliesTo whenever you are requesting a token for ADFS (e.g. in  IdP –> RSTS scenario). Or (even more) technically speaking, ADFS 2 checks for this value in the audience URI restriction in SAML tokens. You can get to this value by clicking the “Edit Federation Service Properties” in the MMC when the Service tree-node is selected.

OK – I will come back to this basic information in the following posts. Basically I want to go through the following scenarios:

  • ADFS in the IdP role
  • ADFS in the R-STS role (with a chained claims provider)
  • Using the WCF bindings for automatic token issuance
  • Using WSTrustChannelFactory for manual token handling

Stay tuned…

© Least Privilege or respective owner

Related posts about IdentityModel