Getting a token from ADFS (ex Geneva Server) using WCF
July 17th, 2009
I’ve been doing some tests to get a token from ADFS (Geneva Server) using the Windows Identity Foundation WSTrustClient. In this case we are using the UserNameMixed endpoint, which expects a WS-Security UsernameToken in the message header over an HTTPS transport (notice SecurityMode.TransportWithMessageCredential together with MessageCredentialType.UserName): the password is sent in clear text inside the SOAP envelope, so TLS is the only thing protecting it on the wire.
using System;
using System.IdentityModel.Tokens;                   // GenericXmlSecurityToken
using System.Security.Cryptography.X509Certificates; // StoreName, StoreLocation
using System.ServiceModel;                           // WS2007HttpBinding, SecurityMode, MessageCredentialType, EndpointAddress
using System.ServiceModel.Description;               // ClientCredentials
using System.ServiceModel.Security;                  // TrustVersion
using Microsoft.IdentityModel.Claims;                // ClaimsIdentityCollection
using Microsoft.IdentityModel.Protocols.WSTrust;     // WSTrustClient, RequestSecurityToken
// CertificateUtility and the ToClaimsIdentityCollection extension are the helpers from the previous post.
internal static ClaimsIdentityCollection RequestTokenWithUsernameMixed()
{
    // "Mixed": TLS secures the transport, the credential travels in the WS-Security header of the message.
    var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential, false);
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
    // The ADFS trust endpoints are not WS-SecureConversation endpoints, so no session bootstrap.
    binding.Security.Message.EstablishSecurityContext = false;
    // Test account. Outside a test, take the password from the user or a secret store, never from source.
    var credentials = new ClientCredentials();
    credentials.UserName.UserName = "Mary";
    credentials.UserName.Password = "Passw0rd!";
    var endpoint = "https://mygenevaserver/Trust/13/UsernameMixed";
    var client = new WSTrustClient(binding, new EndpointAddress(new Uri(endpoint)), TrustVersion.WSTrust13, credentials);
    var request = new RequestSecurityToken();
    // WIF's version-neutral Issue request type; the WS-Trust 1.3 serializer writes the matching OASIS URI.
    request.RequestType = "http://schemas.microsoft.com/idfx/requesttype/issue";
    request.AppliesTo = new EndpointAddress("http://localhost/activerp"); // the relying party the token is scoped to
    var token = client.Issue(request) as GenericXmlSecurityToken;
    // Verify the STS signature with the Geneva signing certificate, decrypt with the RP certificate (private key required), then map the SAML attributes to claims.
    var claims = token.ToClaimsIdentityCollection(
        TrustVersion.WSTrust13,
        CertificateUtility.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=Geneva Signing Certificate - WIN-66EYOLL2BVY"),
        CertificateUtility.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=WMSvc-WIN-66EYOLL2BVY"));
    return claims;
}
Here is another one using the WindowsMixed endpoint (notice MessageCredentialType.Windows, and that no username and password are set: the Windows identity of the calling process is used).
internal static ClaimsIdentityCollection RequestTokenWithWindowsMixed()
{
    var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential, false);
    // Windows credential at the message level: the caller's identity is used, nothing is set on ClientCredentials.
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
    binding.Security.Message.EstablishSecurityContext = false;
    var credentials = new ClientCredentials();
    var endpoint = "https://mygenevaserver/Trust/13/WindowsMixed";
    var client = new WSTrustClient(binding, new EndpointAddress(new Uri(endpoint)), TrustVersion.WSTrust13, credentials);
    var request = new RequestSecurityToken();
    request.RequestType = "http://schemas.microsoft.com/idfx/requesttype/issue";
    request.AppliesTo = new EndpointAddress("http://localhost/activerp");
    var token = client.Issue(request) as GenericXmlSecurityToken;
    // Same signing certificate (verify) and RP certificate (decrypt) as for the UserNameMixed endpoint.
    var claims = token.ToClaimsIdentityCollection(
        TrustVersion.WSTrust13,
        CertificateUtility.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=Geneva Signing Certificate - WIN-66EYOLL2BVY"),
        CertificateUtility.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=WMSvc-WIN-66EYOLL2BVY"));
    return claims;
}
You can use this together with the CreateChannelWithIssuedToken extension method (as shown in a previous post).
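WCF's binding model hides what the UserNameMixed call actually puts on the wire. The following is an added example, not code from this post or from WIF: it builds the WS-Trust 1.3 RequestSecurityToken that the UserNameMixed call sends (a WS-Security UsernameToken with the password as PasswordText, which is why the endpoint has to be HTTPS) and parses a constructed RequestSecurityTokenResponseCollection back into claims, checking the audience against the AppliesTo the token was requested for and the validity window. The endpoint, RP address, issuer name and sample reply are assumptions. The WindowsMixed variant replaces the UsernameToken with a Windows credential negotiated at the message level and is not shown. Signature verification and decryption are deliberately left to the real token handler (the ToClaimsIdentityCollection helper in the code above).

```python
# Added example, not code from the post: the UsernameMixed exchange at the wire
# level. Endpoint, RP, issuer and the sample reply below are constructed.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "a": "http://www.w3.org/2005/08/addressing",
      "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def ts(dt):  # millisecond UTC form WCF/ADFS use, e.g. 2009-07-17T10:00:00.000Z
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def build_rst(endpoint, applies_to, username, password, now=None):
    """SOAP 1.2 RST/Issue carrying a WS-Security UsernameToken, i.e. what
    WS2007HttpBinding(TransportWithMessageCredential) + MessageCredentialType.UserName
    emits. The password travels as PasswordText, so TLS is all that protects it."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("UsernameMixed needs TLS around the clear-text password; refusing " + endpoint)
    now = now or datetime.now(timezone.utc)
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="{NS['a']}" xmlns:u="{NS['u']}">
  <s:Header>
    <a:Action s:mustUnderstand="1">{NS['trust']}/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>
    <a:ReplyTo><a:Address>{NS['a']}/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">{escape(endpoint)}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="{NS['o']}">
      <u:Timestamp u:Id="_0"><u:Created>{ts(now)}</u:Created><u:Expires>{ts(now + timedelta(minutes=5))}</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-{uuid.uuid4()}">
        <o:Username>{escape(username)}</o:Username>
        <o:Password Type="{PASSWORD_TEXT}">{escape(password)}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="{NS['trust']}">
      <wsp:AppliesTo xmlns:wsp="{NS['wsp']}"><a:EndpointReference><a:Address>{escape(applies_to)}</a:Address></a:EndpointReference></wsp:AppliesTo>
      <trust:RequestType>{NS['trust']}/Issue</trust:RequestType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""

def parse_rstr(xml_text, expected_audience, now):
    """Issuer, lifetime and claims from an RSTR collection, after the structural
    checks (token present, audience, validity window). Signature verification and
    decryption are NOT done here; the post's ToClaimsIdentityCollection does that,
    and until it has, the claims returned here are untrusted."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//trust:RequestedSecurityToken/saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("no plaintext SAML 1.1 assertion (missing, or EncryptedData: decrypt first)")
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:  # a token minted for another RP is not ours to accept
        raise ValueError(f"token issued for {audiences}, this RP is {expected_audience}")
    not_before, not_on_or_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if not not_before <= now < not_on_or_after:
        raise ValueError("token outside its validity window")
    claims = [(a.get("AttributeNamespace") + "/" + a.get("AttributeName"), v.text)
              for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
              for v in a.iterfind("saml:AttributeValue", NS)]
    return {"issuer": assertion.get("Issuer"), "not_on_or_after": not_on_or_after, "claims": claims,
            "signed": assertion.find("{http://www.w3.org/2000/09/xmldsig#}Signature") is not None}

# Constructed reply shaped like an ADFS RSTR collection: one SAML 1.1 assertion for
# http://localhost/activerp, left unencrypted and unsigned for brevity.
SAMPLE_NOW = datetime(2009, 7, 17, 10, 30, tzinfo=timezone.utc)
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="{NS['s']}"><s:Body>
<trust:RequestSecurityTokenResponseCollection xmlns:trust="{NS['trust']}"><trust:RequestSecurityTokenResponse>
 <trust:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1" AssertionID="_constructed"
                  Issuer="http://mygenevaserver/Trust" IssueInstant="2009-07-17T10:00:00.000Z">
   <saml:Conditions NotBefore="2009-07-17T10:00:00.000Z" NotOnOrAfter="2009-07-17T11:00:00.000Z">
    <saml:AudienceRestrictionCondition><saml:Audience>http://localhost/activerp</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>Mary</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Mary</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><saml:AttributeValue>Users</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </trust:RequestedSecurityToken>
</trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(build_rst("https://mygenevaserver/Trust/13/UsernameMixed", "http://localhost/activerp", "Mary", "Passw0rd!", SAMPLE_NOW))
    print(parse_rstr(SAMPLE_RSTR, "http://localhost/activerp", SAMPLE_NOW))
```

The audience check is the part worth keeping in mind when the RP side is written by hand: a token ADFS issued for a different AppliesTo is still a perfectly valid, correctly signed token, and only the audience restriction ties it to the RP named in the request.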
July 18th, 2009 at 6:25 am
Hi,
it is even easier when using the pre-built WCF binding to talk to ADFS (still feels strange to say that ;).
e.g.
Microsoft.IdentityModel.Protocols.WSTrust.Bindings.UserNameWSTrustBinding
or
Microsoft.IdentityModel.Protocols.WSTrust.Bindings.KerberosWSTrustBinding
August 5th, 2009 at 10:09 pm
You know, you use Mary and Passw0rd when using UserName mixed authentication. Is your identity provider Geneva Server, or are you authenticating against a custom SQL store using a custom STS?
August 6th, 2009 at 5:30 am
@dominick Cool, I didn’t know about that!
@Chugh I have an AD account, Mary. I’m using ADFS (Geneva Server), which does not support SQL Server to store accounts.
November 14th, 2009 at 5:38 pm
I am trying to do this same thing with beta 2 and I keep getting a token with no claims. When using the default login page, I get tokens with the proper claims. Any ideas?