WIF, ADFS 2 and WCF–Part 4: Service Client (using Service Metadata)
- by Your DisplayName here!
See parts 1, 2 and 3 first.
In this part we will finally build a client for our federated service.
There are basically two ways to accomplish this. You can use the WCF built-in tooling
to generate client and configuration via the service metadata (aka ‘Add Service Reference’).
This requires no WIF on the client side. Another approach would be to use WIF’s WSTrustChannelFactory to
manually talk to the ADFS 2 WS-Trust endpoints. This option gives you more flexibility,
but is slightly more code to write. You also need WIF on the client which implies
that you need to run on a WIF supported operating system – this rules out e.g. Windows
XP clients.
We’ll start with the metadata way. You simply create a new client project (e.g. a
console app) – call ‘Add Service Reference’ and point the dialog to your service endpoint.
What will happen then is, that VS will contact your service and read its metadata.
Inside there is also a link to the metadata endpoint of ADFS 2. This one will be contacted
next to find out which WS-Trust endpoints are available. The end result will be a
client side proxy and a configuration file. Let’s first write some code to call the
service and then have a closer look at the config file.
var proxy
= new ServiceClient();
proxy.GetClaims().ForEach(c =>
Console.WriteLine("{0}\n
{1}\n {2} ({3})\n",
c.ClaimType,
c.Value,
c.Issuer,
c.OriginalIssuer));
That’s all. The magic is happening in the configuration file.
When you in inspect app.config, you can see the following general configuration hierarchy:
<client /> element with service endpoint information
federation binding and configuration containing
ADFS 2 endpoint 1 (with binding and configuration)
ADFS 2 endpoint n (with binding and configuration)
(where ADFS 2 endpoint 1…n are the endpoints I talked about in part 1)
You will see a number of <issuer /> elements in the binding configuration where
simply the first endpoint from the ADFS 2 metadata becomes the default endpoint and
all other endpoints and their configuration are commented out. You now need to find
the endpoint you want to use (based on trust version, credential type and security
mode) and replace that with the default endpoint. That’s it.
When you call the WCF proxy, it will inspect configuration, then first contact the
selected ADFS 2 endpoint to request a token. This token will then be used to authenticate
against the service.
In the next post I will show you the more manual approach using the WIF APIs.
