I have been trying to configure WCF to work with Azure ACS.
This WCF configuration has two bugs:
It does not publish the MEX endpoint.
It does not invoke my custom behaviour extension. (It simply stopped doing so after I made some changes that I can no longer remember.)
What could possibly be wrong here?
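<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <!-- The FederationMetadata document is served to anonymous callers; everything else keeps the site's default authorization -->
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <!-- debug="true" is a development setting; set it to false before deployment -->
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
  </system.web>
  <system.serviceModel>
    <services>
      <!-- NOTE(review): WCF selects this element by the service implementation's fully-qualified type name.
           If "production" is not that type name, none of the endpoints below and not the behaviorConfiguration
           are applied to the host, which would account for both the missing MEX endpoint and the behavior
           extension never being created. Confirm against the service class name. -->
      <service name="production" behaviorConfiguration="AccessServiceBehavior">
        <!-- Metadata exchange is exposed over HTTPS only; see serviceMetadata below -->
        <endpoint contract="IMetadataExchange"
                  binding="mexHttpsBinding"
                  address="mex" />
        <endpoint address=""
                  binding="customBinding"
                  contract="Samples.RoleBasedAccessControl.Service.IService1"
                  bindingConfiguration="serviceBinding" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="AccessServiceBehavior">
          <!-- Both elements below are custom behaviors registered under extensions/behaviorExtensions -->
          <federatedServiceHostConfiguration />
          <sessionExtension />
          <useRequestHeadersForMetadataAddress>
            <defaultPorts>
              <add scheme="http" port="8000" />
              <add scheme="https" port="8443" />
            </defaultPorts>
          </useRequestHeadersForMetadataAddress>
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <!-- NOTE(review): only httpsGetEnabled is set, so no metadata is served when the site is reached over plain http -->
          <serviceMetadata httpsGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <!--Certificate added by FedUtil. Subject='CN=DefaultApplicationCertificate', Issuer='CN=DefaultApplicationCertificate'.-->
            <!-- findValue is a redacted placeholder for the real certificate thumbprint -->
            <serviceCertificate findValue="XXXXXXXXXXXXXXX" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <extensions>
      <behaviorExtensions>
        <!-- Element names here must match the child element names used inside the behavior above -->
        <add name="sessionExtension"
             type="Samples.RoleBasedAccessControl.Service.RsaSessionServiceBehaviorExtension, Samples.RoleBasedAccessControl.Service, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <add name="federatedServiceHostConfiguration"
             type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </behaviorExtensions>
    </extensions>
    <!-- Default endpoints for both schemes use the same federated custom binding -->
    <protocolMapping>
      <add scheme="http" binding="customBinding" bindingConfiguration="serviceBinding" />
      <add scheme="https" binding="customBinding" bindingConfiguration="serviceBinding" />
    </protocolMapping>
    <bindings>
      <customBinding>
        <binding name="serviceBinding">
          <security authenticationMode="SecureConversation"
                    messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                    requireSecurityContextCancellation="false">
            <secureConversationBootstrap authenticationMode="IssuedTokenOverTransport"
                                         messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
              <issuedTokenParameters>
                <additionalRequestParameters>
                  <!-- AppliesTo sent to the STS; compare with microsoft.identityModel/service/audienceUris below -->
                  <AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">
                    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                      <Address>https://127.0.0.1:81/</Address>
                    </EndpointReference>
                  </AppliesTo>
                </additionalRequestParameters>
                <claimTypeRequirements>
                  <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                  <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                  <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" isOptional="true" />
                  <add claimType="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" isOptional="true" />
                </claimTypeRequirements>
                <!-- Redacted ACS namespace; the same placeholder is used in trustedIssuers and appSettings -->
                <issuerMetadata address="https://XXXXYYYY.accesscontrol.windows.net/v2/wstrust/mex" />
              </issuedTokenParameters>
            </secureConversationBootstrap>
          </security>
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <!-- NOTE(review): scheme differs from the AppliesTo address above (https://127.0.0.1:81/);
             the audience restriction is checked against the token's AppliesTo, so confirm this difference is intended -->
        <add value="http://127.0.0.1:81/" />
      </audienceUris>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <!-- Placeholder; replace with the ACS signing certificate thumbprint -->
          <add thumbprint="THUMBPRINT HERE" name="https://XXXYYYY.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
      <!-- NOTE(review): "None" skips chain and revocation validation of the token signing certificate;
           the thumbprint in trustedIssuers is then the only check on the issuer. Suitable for local testing only -->
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
  <appSettings>
    <!-- Trailing space removed from the URL value -->
    <add key="FederationMetadataLocation" value="https://XXXYYYY.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml" />
  </appSettings>
</configuration>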
Edit: Further implementation details
I have the following behaviour extension element (which is currently not being invoked):
/// <summary>
/// Configuration element that exposes <see cref="RsaSessionServiceBehavior"/> as a WCF
/// service behavior; it is registered under &lt;behaviorExtensions&gt; in the service config.
/// </summary>
public class RsaSessionServiceBehaviorExtension : BehaviorExtensionElement
{
    /// <summary>The behavior type this element produces.</summary>
    public override Type BehaviorType
    {
        get { return typeof(RsaSessionServiceBehavior); }
    }

    /// <summary>Creates a fresh behavior instance for the host.</summary>
    /// <returns>A new <see cref="RsaSessionServiceBehavior"/>.</returns>
    protected override object CreateBehavior()
    {
        RsaSessionServiceBehavior behavior = new RsaSessionServiceBehavior();
        return behavior;
    }
}
The namespaces and assemblies in the config are correct. There is more code involved for checking token validation, but in my opinion at least MEX should get published and CreateBehavior() should get invoked before I can proceed any further.