Petar Vucetin   Soa312   Building Secure Web Services Using Windows Communication Foundation   Tech Ed 2008 (Final)
Building Secure Web Services Using Windows Communication Foundation
Petar Vucetin, Senior Software Engineer, Vertigo
Session Code: SOA312

Agenda
- Learn how to use the standard WCF security mechanisms correctly
- Understand the appropriate scenarios for the various WCF security options
- Understand how to extend WCF security for custom applications
Threat Modeling
- CIA: Confidentiality, Integrity, Availability
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

Security
- Confidentiality: the content of the message is kept secret
- Integrity: confidence that the message received is the same one the sender sent
- Authentication: confidence that we know the caller's identity
- Confidentiality and integrity are useless without authenticity: an encrypted, signed message from an unknown party protects nothing

WCF Out-of-the-Box Experience
- Defaults to a secure mode on every binding except BasicHttpBinding (see the binding defaults later)
- Claim-based
- Internet, intranet and custom security scenarios
- Secure conversations
- Transfer security: message integrity and confidentiality
- Mutual authentication (client -> service, service -> client)
- Authorization
[Diagram: Caller and Service (WCF host). An endpoint is Address (Where?) + Binding (How?) + Contract (What?). Caller identity and service identity are expressed as claims and checked against policy; protection is applied at the transport layer (TLS, SSL, IPSec) or at the message layer (WS-*), establishing trust in both directions.]
Transport Security
- Prevents eavesdropping, tampering and message forgery on the wire
- Point-to-point communication only: protection ends at the next hop (proxy, router, load balancer), not at the service
- HTTPS (SSL/TLS over HTTP)
- TLS over TCP
- IPsec / L2TP
- Provides endpoint authentication and communications privacy using cryptography
[Diagram: Caller <-> Service over Transport (TLS, SSL, IPSec)]

Message Security: WS-Security
[Diagram: SOAP Envelope structure]
- SOAP Header
  - Misc. headers
  - Security header (wsse:Security): Timestamp, Security Token, Encrypted Key, Signature
- SOAP Body
  - Encrypted Data wrapping the data

Message Security
- Transport independent
- Uses SOAP / WS-Security
- Parts of the message can be signed or encrypted; all of the security information is encapsulated in the message, so it survives intermediaries end to end
- Security credentials and claims travel with every message
- Wide set of credentials and claims supported
- WCF requires an X.509 service certificate for message security, except when the client credential is Windows (Kerberos/SSPI then supplies the service key)
[Diagram: Caller <-> Service over Message (WS-*)]
Authentication
- Caller identification: Windows tokens, certificates, user name tokens, custom
- Service identification (to the caller): Windows tokens, X.509 certificates

Authentication (WS-Security)
- Token types: X.509 certificate, Kerberos, SAML, XrML, custom; governed by contract and policies
- The service verifies that the caller owns, or is able to use, a private key that is never transmitted (proof of possession), rather than trusting a value that merely appears in the message

Authorization
- What is the caller allowed to do
- WCF uses the caller's claims; a caller can have many (Windows token, SAML)
- Sources: Windows groups, ASP.NET providers, custom provider
- No good without authentication

Claims
- A claim is a declaration made by an entity about an entity (for example a name, identity, key, group or privilege). The entity that makes the claim is the claim issuer; the entity about which the claim is made is the claim subject.
- Defined by a triplet: type, right, resource (ClaimType, Right, Resource in System.IdentityModel.Claims)
- A claim issuer can vouch for or endorse the claims in a security token by using its key to sign or encrypt the security token. This enables authentication of the claims in the security token: the service only has to trust the issuer's key, not each claim individually.
[Diagram: deployment topology with Partners, an STS, Browser and WinClient callers, a DMZ with IIS, and an intranet with Browser, IIS, WinClient and a Router]

Scenarios
- Intranet
  - Direct access to the service (rare): single machine
  - Application servers (more common): distributed, possibly with port restrictions and firewalls
  - AD, Windows authentication
- Internet
  - Firewalled, DMZed
  - Restricted ports and routes, custom identity store
  - Maybe a trusted subsystem further down the line with AD/Windows authentication
  - Maybe multiple authentication systems involved

Scenarios (cont.)
- B2B
  - Crossing multiple network topologies, firewalls, port restrictions
  - Non-Windows security topologies and implementations
  - May require acquiring and using different identities
  - Maybe multiple authentication systems involved
  - Most likely service to service
Service and Client: configuring. How does this stuff work?

Security Modes
- None. Turns security off. Not recommended (the default for BasicHttpBinding).
- Transport. Uses transport security for mutual authentication and message protection.
- Message. Uses message security for mutual authentication and message protection. WCF requires an X.509 service certificate unless the client credential is Windows.
- Both. Lets you supply settings for transport-level and message-level security at the same time (only NetMsmqBinding supports this).

demo: Controlling security modes

Security Modes (cont.)
- TransportWithMessageCredential. Client credentials are passed in the message; service authentication, confidentiality and data integrity are provided by the transport layer. Useful when the transport (HTTPS, TLS) cannot carry the credential type you need, for example a user name or issued token.
- TransportCredentialOnly. Client credentials are passed at the transport layer (for example HTTP Basic or Digest) and no message protection is applied. Available on BasicHttpBinding only; the credentials and the payload go over the wire in the clear, so use it only where something else (IPsec) already protects the link.
WCF Channel Stack
[Diagram: Service Instance -> WCF Runtime (Operations, Dispatcher) -> Channel Stack (protocol binding elements, encoding binding element, transport binding element)]

Channel stack of netTcpBinding for each Security.Mode (top to bottom, as shown on the slides):

Security.Mode == None
  TransactionFlowBindingElement
  BinaryMessageEncodingBindingElement
  TcpTransportBindingElement
  (no security element at all)

Security.Mode == Transport
  TransactionFlowBindingElement
  BinaryMessageEncodingBindingElement
  WindowsStreamSecurityBindingElement
  TcpTransportBindingElement

Security.Mode == Message
  TransactionFlowBindingElement
  SymmetricSecurityBindingElement
  BinaryMessageEncodingBindingElement
  TcpTransportBindingElement

Security.Mode == TransportWithMessageCredential
  TransactionFlowBindingElement
  TransportSecurityBindingElement
  BinaryMessageEncodingBindingElement
  SslStreamSecurityBindingElement
  TcpTransportBindingElement

Note that TransportSecurityBindingElement carries the client credential in the message but does not protect the stream itself; in this mode it is SslStreamSecurityBindingElement underneath that provides confidentiality, integrity and service authentication.
demo: Controlling credentials at the transport level

demo: Controlling message security and credentials
Choices, choices, choices. Confused by now?

Out-of-the-box bindings: Intranet
- NetNamedPipeBinding
  - Limited reach: same machine, cross process
  - Fast
  - No SOAP interop
  - Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign

Out-of-the-box bindings (cont.): Intranet
- NetTcpBinding
  - WCF-to-WCF scenarios
  - Fast; WS-* features can be added, at a performance cost
  - If you used COM+/DCOM, use this binding
  - Load balancing: TCP sessions give server affinity, so reduce the connection-pool lease timeout to let connections redistribute
  - Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign

Out-of-the-box bindings (cont.): Intranet
- NetMsmqBinding
  - Queued work / workload leveling / disconnected scenarios
  - Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Sign
- MsmqIntegrationBinding
  - Non-WCF MSMQ clients

Out-of-the-box bindings (cont.): Internet
- BasicHttpBinding
  - Interop with ASMX; supports WS-I Basic Profile 1.1
  - Does not support the WS-* stack
  - Works well with existing HTTP load-balancing techniques
  - Only binding supported in Silverlight 2.0
  - Defaults: Security Mode: None; Transport security: None; Credentials: User Name (when message security is enabled); Message protection: None
  - Because the default is None, every BasicHttpBinding endpoint needs an explicit security mode (typically Transport over HTTPS) before it goes out

Out-of-the-box bindings (cont.): Internet
- WsHttpBinding
  - Non-Windows / non-WCF clients that speak WS-*
  - Restricted ports, firewalls
  - Works with HTTP load balancing only if reliable sessions are off and establishSecurityContext="false"; otherwise the security session pins the client to one server
  - Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt

Out-of-the-box bindings (cont.): Internet
- WsFederationHttpBinding
  - Share identities across multiple systems via a security token service
  - Custom tokens
  - Defaults: Security Mode: Message; Transport: HTTP; Credentials: issued token (the binding always authenticates the client with a token issued by an STS); Message protection: Sign and Encrypt
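The channel-stack slides above show which binding elements each Security.Mode adds, and the binding slides list defaults that differ per binding. The following C# program is an added example, not part of the deck or of WCF itself: it enumerates the binding element stack for each netTcpBinding mode and then applies a start-up check that refuses endpoints with no transport- or message-level protection, which is the practical way to catch a BasicHttpBinding left at its default of None. The class and method names (BindingSecurityAudit, ProvidesProtection, UnprotectedEndpoints) are this example's own; everything else is the public System.ServiceModel API.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Added example: inspect the binding element stack that a security mode produces and
// refuse to start with an endpoint that has no transport- or message-level protection.
static class BindingSecurityAudit
{
    // Binding element type names in stack order, top (protocol) to bottom (transport).
    public static List<string> ElementTypeNames(Binding binding)
    {
        var names = new List<string>();
        foreach (BindingElement element in binding.CreateBindingElements())
            names.Add(element.GetType().Name);
        return names;
    }

    // True when the stack contains an element that actually protects the wire.
    // TransportSecurityBindingElement alone does NOT count: it only carries the client
    // credential (TransportWithMessageCredential) and relies on SslStream/HTTPS underneath.
    // MSMQ is out of scope: its protection is a property of MsmqTransportBindingElement.
    public static bool ProvidesProtection(Binding binding)
    {
        foreach (BindingElement element in binding.CreateBindingElements())
        {
            if (element is SymmetricSecurityBindingElement ||     // message security, symmetric key
                element is AsymmetricSecurityBindingElement ||    // message security, X.509 keys
                element is WindowsStreamSecurityBindingElement || // Transport mode on TCP / named pipes
                element is SslStreamSecurityBindingElement ||     // TLS over TCP
                element is HttpsTransportBindingElement)          // HTTPS
                return true;
        }
        return false; // e.g. NetTcpBinding(SecurityMode.None) or the BasicHttpBinding default
    }

    // Addresses of endpoints on a host that would go out unprotected; call before host.Open()
    // and fail the start-up if the list is not empty.
    public static List<string> UnprotectedEndpoints(ServiceHostBase host)
    {
        var unprotected = new List<string>();
        foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
            if (!ProvidesProtection(endpoint.Binding))
                unprotected.Add(endpoint.Address.ToString());
        return unprotected;
    }

    static void Main()
    {
        var modes = new[] { SecurityMode.None, SecurityMode.Transport,
                            SecurityMode.Message, SecurityMode.TransportWithMessageCredential };
        foreach (SecurityMode mode in modes)
        {
            var binding = new NetTcpBinding(mode);
            Console.WriteLine("netTcpBinding Security.Mode == {0}, protected = {1}",
                              mode, ProvidesProtection(binding));
            foreach (string name in ElementTypeNames(binding))
                Console.WriteLine("    " + name);
        }

        // The out-of-the-box defaults from the binding slides, checked the same way.
        Console.WriteLine("BasicHttpBinding default protected    = {0}", ProvidesProtection(new BasicHttpBinding()));
        Console.WriteLine("WSHttpBinding default protected       = {0}", ProvidesProtection(new WSHttpBinding()));
        Console.WriteLine("NetNamedPipeBinding default protected = {0}", ProvidesProtection(new NetNamedPipeBinding()));
    }
}
```

Run it against the four netTcpBinding modes and the stack printed for each matches the channel-stack slides; the default BasicHttpBinding is the only one of the three sampled bindings that reports no protection. Wire UnprotectedEndpoints into the service host's start-up path so that a configuration change that drops a binding back to None is caught before the endpoint listens.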
Service and Client: customization. Security extension points.

Customization Scenarios
- Custom security tokens
- Custom authentication methods
- Claims-based authorization
- Claims transformation
- Custom principals

WCF Security Extensible Points
- Credentials: custom Security Token Manager, custom Service Credentials, custom Client Credentials
- Authentication: Security Token Authenticator, Security Token Provider, custom Authorization Policy
- Authorization: Service Authorization Manager, external Authorization Policy, custom Endpoint Identity Verifier
- Serialization: Security Token Serializer, Security Key Identifier Clause
Custom Authentication
[Diagram: CalculatorService (contract ISecureCalculator) at http://localhost/serv.svc, accepting a SAML 1.0 token carrying the claims http://schemas../givenname and http://schemas../lastname from the self-issued provider http://schemas../self]

Service configuration (the binding body and the behavior body are expanded on the next slide):

  <services>
    <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
      <endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="requireInfoCard" contract="ISecureCalculator">
        <identity>
          <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        </identity>
      </endpoint>
    </service>
  </services>
  <bindings>
    <wsFederationHttpBinding>
      <binding name="requireInfoCard"> ... </binding>
    </wsFederationHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceCredentials"> ... </behavior>
    </serviceBehaviors>
  </behaviors>

Service behavior with a custom authorization manager:

  <behavior name="ServiceCredentials">
    <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
    <serviceCredentials>
      <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
      <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
    </serviceCredentials>
  </behavior>

allowUntrustedRsaIssuers="true" is what makes self-issued cards work: each card signs its own tokens with its own RSA key, so there is no trusted issuer certificate to chain to. The consequence is that a valid signature only proves that some RSA key signed the token; deciding which keys (which cards) are allowed in is left entirely to the service, which is why the custom ServiceAuthorizationManager is wired in here rather than relying on the token check alone.

demo: Custom authentication

Service Config

  <services>
    <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
      <endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="requireInfoCard" contract="ISecureCalculator">
        <identity>
          <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        </identity>
      </endpoint>
    </service>
  </services>
  <bindings>
    <wsFederationHttpBinding>
      <binding name="requireInfoCard">
        <security mode="Message">
          <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
            <claimTypeRequirements>
              <add claimType="http://schemas../givenname" />
              <add claimType="http://schemas../lastname" />
            </claimTypeRequirements>
            <issuer address="http://schemas../self" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceCredentials">
        <serviceCredentials>
          <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
          <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

The claimTypeRequirements list is enforced by WCF: a token that lacks a required claim is rejected before the operation runs. The issuer address http://schemas../self selects the self-issued (personal card) provider.

Client Config

  <client>
    <endpoint address="http://localhost/serv.svc/" bindingConfiguration="requireInfoCard" binding="wsFederationHttpBinding" contract="ISecureCalculator" behaviorConfiguration="ClientCredentials">
      <identity>
        <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
      </identity>
    </endpoint>
  </client>
  <bindings>
    <wsFederationHttpBinding>
      <binding name="requireInfoCard">
        <security mode="Message">
          <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
            <claimTypeRequirements>
              <add claimType="http://schemas../emailaddress" />
              <add claimType="http://schemas../givenname" />
            </claimTypeRequirements>
            <issuer address="http://schemas../self" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientCredentials">
        <clientCredentials>
          <serviceCertificate>
            <defaultCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
            <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

[Diagram: the client obtains its token from the self-issued provider http://schemas../self and presents it to http://localhost/serv.svc; a rogue STS labelled http://madSTS.org/sts is shown as the issuer the service must not accept]

Two things to check in the client configuration before it leaves the demo stage. First, the client's claimTypeRequirements (emailaddress, givenname) are what the identity selector asks the card for; they should match what the service requires (givenname, lastname), otherwise the issued token will be missing a claim and the service will reject it. Second, revocationMode="NoCheck" and certificateValidationMode="PeerOrChainTrust" are convenient with a self-signed "fabrikam" certificate in the TrustedPeople store, but in production the service certificate should chain to a CA and revocation should be checked (Online or Offline), or a compromised service certificate stays valid forever from this client's point of view.
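The service configuration names MyServiceAuthorizationManagers.SelfissuedServAuthMgr but the deck does not show its code. The C# class below is an added example written for this page, not the presenter's implementation: it does what the allowUntrustedRsaIssuers="true" setting above forces the service to do itself, namely decide which self-issued cards are allowed in. It derives from the public ServiceAuthorizationManager, reads the caller's claim sets, identifies each claim set's issuing RSA key (the self-issued card's key), and grants access only when that key is on a registration allow-list and the required name claims are present. Assumptions: the TrustedIssuerKeys set, the fingerprint scheme and the Main demo with constructed claim sets are this example's own, and the deck's "givenname" / "lastname" shorthand is taken to mean the standard ClaimTypes.GivenName and ClaimTypes.Surname URIs.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;

namespace MyServiceAuthorizationManagers
{
    // Added example of the SelfissuedServAuthMgr class the service config names.
    // With <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/> WCF accepts a SAML
    // token signed by any RSA key (every self-issued card is its own issuer), so a valid
    // signature proves only that *some* key signed it. The service must therefore decide
    // which issuer keys it trusts and which claims it needs before granting access.
    public class SelfissuedServAuthMgr : ServiceAuthorizationManager
    {
        // Assumption: populated at start-up (from config or a store) with fingerprints of the
        // RSA keys of cards that registered with this service; see KeyFingerprint.
        public static readonly HashSet<string> TrustedIssuerKeys =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // WCF has already verified the token signature, timestamp and the binding's
            // claimTypeRequirements by the time this runs; keep the base behaviour.
            if (!base.CheckAccessCore(operationContext)) return false;
            AuthorizationContext authz = operationContext.ServiceSecurityContext.AuthorizationContext;
            return IsAuthorized(authz.ClaimSets, TrustedIssuerKeys);
        }

        // Kept separate from OperationContext so it can be exercised without a live channel.
        public static bool IsAuthorized(IEnumerable<ClaimSet> claimSets, ICollection<string> trustedIssuerKeys)
        {
            foreach (ClaimSet claimSet in claimSets)
            {
                string issuerKey = RsaIssuerFingerprint(claimSet);
                if (issuerKey == null) continue;                      // not issued by an RSA key (Windows, anonymous, X.509)
                if (!trustedIssuerKeys.Contains(issuerKey)) continue; // unknown card: skip it, never fail open

                // Deck shorthand "givenname"/"lastname" -> standard claim types (assumption, see lead-in).
                bool hasGivenName = claimSet.FindClaims(ClaimTypes.GivenName, Rights.PossessProperty).Any();
                bool hasSurname = claimSet.FindClaims(ClaimTypes.Surname, Rights.PossessProperty).Any();
                if (hasGivenName && hasSurname) return true;
            }
            return false;
        }

        // Fingerprint of the RSA key that issued a claim set, or null if the issuer is not an RSA key.
        static string RsaIssuerFingerprint(ClaimSet claimSet)
        {
            foreach (Claim claim in claimSet.Issuer.FindClaims(ClaimTypes.Rsa, Rights.PossessProperty))
            {
                RSA rsa = claim.Resource as RSA;
                if (rsa != null) return KeyFingerprint(rsa);
            }
            return null;
        }

        // SHA-256 over the public-key XML (modulus and exponent); stable for a given card.
        public static string KeyFingerprint(RSA rsa)
        {
            byte[] publicKey = Encoding.UTF8.GetBytes(rsa.ToXmlString(false));
            using (SHA256 sha = SHA256.Create())
                return BitConverter.ToString(sha.ComputeHash(publicKey)).Replace("-", "");
        }

        // Stand-alone run with constructed claim sets: no CardSpace, no channel.
        static void Main()
        {
            using (var cardKey = new RSACryptoServiceProvider(2048))
            {
                // Same shape WCF builds for a self-issued token: subject claims issued by an RSA claim set.
                ClaimSet issuer = new DefaultClaimSet(Claim.CreateRsaClaim(cardKey));
                ClaimSet subject = new DefaultClaimSet(issuer, new Claim[] {
                    new Claim(ClaimTypes.GivenName, "Petar", Rights.PossessProperty),
                    new Claim(ClaimTypes.Surname, "Vucetin", Rights.PossessProperty) });

                var trusted = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
                Console.WriteLine("unknown issuer key    -> {0}", IsAuthorized(new[] { subject }, trusted));
                trusted.Add(KeyFingerprint(cardKey));
                Console.WriteLine("registered issuer key -> {0}", IsAuthorized(new[] { subject }, trusted));
            }
        }
    }
}
```

The registration step that fills TrustedIssuerKeys (for example a first-visit enrolment that records the card's key fingerprint, or the PPID claim, against a user account) is the part that turns "any card can sign" into "only cards we have seen before get in"; without it, allowUntrustedRsaIssuers="true" plus an authorization manager that only checks claim presence would admit any card that carries a first and last name.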
Tips & Tricks: VS2008 SP1

New Services (Windows Process Activation Service listener adapters)
- NetMsmqActivator (Net.Msmq Listener Adapter): receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
- NetPipeActivator (Net.Pipe Listener Adapter): receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
- NetTcpActivator (Net.Tcp Listener Adapter): receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
- NetTcpPortSharing (Net.Tcp Port Sharing Service): provides the ability to share TCP ports over the net.tcp protocol.
Q & A
Track Resources
- CodePlex WCF Security Guidance: http://www.codeplex.com/WCFSecurity
- IDesign code library: http://www.idesign.net/
- MSDN WCF demos and examples: http://wcf.netfx3.com/
- WCF, WF and Windows CardSpace samples on MSDN: http://tinyurl.com/4zvppt
- Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.  Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.  MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
[Diagram: the client's claims are checked ("Valid?") against an authority, and the service's claims are checked ("Valid?") against an authority, so each side validates the other's identity]
Identity Types (children of the endpoint <identity> element)
- dns: use this element with X.509 certificates or Windows accounts.
- certificate: this element specifies a Base64-encoded X.509 certificate value to compare with the client. Also use this element when using a CardSpace card as the credential to authenticate the service.
- certificateReference
- rsa
- userPrincipalName
- servicePrincipalName