Hi,
We require assistance regarding an issue related to ADFS (MS CORP STS) that we are facing in our project.
Following is the high-level scenario.
- Application1.
  - The application is a simple ASP.NET MVC application containing one WCF Service along with other MVC stuff.
  - Hosted on Azure and protected by MS CORP ADFS.
  - The user has to authenticate him/herself on the MS CORP login page before he/she can access any resource from the application.
  - A demo service URL for your reference is https://app1.cloudapp.net/SyncService.svc
  - Even when the user tries to browse the service URL, he/she has to go through the MS CORP login page.
- Application2.
  - The application is an ASP.NET MVC application containing one WCF Service.
  - Hosted on Azure and protected by MS CORP ADFS.
  - The user has to authenticate him/herself on the MS CORP login page before he/she can access any resource from the application.
  - Application2 wants to call the above-mentioned WCF service hosted in Application1 using an MS CORP service account.
To achieve this, we are following the steps mentioned below.
- Obtain a security token from the MS CORP STS service for a service account by providing user id and password.
  - Endpoint: https://corp.sts.microsoft.com/adfs/services/trust/13/usernamemixed
  - TokenType = Bearer
  - TrustVersion = WSTrust13
    using System.IdentityModel.Protocols.WSTrust;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    /// <summary>
    /// Method to get security token for Service
    /// </summary>
    /// <returns>The issued token for the service account</returns>
    private static SecurityToken RequestSecurityToken()
    {
        var corpSTSEndpoint = "https://corp.sts.microsoft.com/adfs/services/trust/13/usernamemixed";
        // "CorpSTSBinding" is the ws2007HttpBinding declared in the client configuration file
        var factory = new WSTrustChannelFactory(new WS2007HttpBinding("CorpSTSBinding"), corpSTSEndpoint);
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = "serviceUserName";
        factory.Credentials.UserName.Password = "servicePassword";
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference("https://app1.cloudapp.net/SyncService.svc/SyncService.svc")
        };
        var token = factory.CreateChannel().Issue(rst);
        factory.Close();
        return token;
    }
- We are able to obtain the Security Token successfully.
- Calling the service with the token always results in getting the MS CORP login page HTML.
    static void CallWcfService(SecurityToken authToken)
    {
        // "WSHttpBinding_ISyncService" is the wsHttpBinding client endpoint declared in the configuration file
        ChannelFactory<IService> channelFactory = new ChannelFactory<IService>("WSHttpBinding_ISyncService");
        IService syncService = channelFactory.CreateChannelWithIssuedToken(authToken);
        var keys = syncService.GetData(); // This always results in HTML of MS CORP Login Page.
    }
The client application's configuration file is as follows.
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
      </startup>
      <system.serviceModel>
        <client>
          <endpoint address="https://app1.cloudapp.net/SyncService.svc/SyncService.svc"
                    binding="wsHttpBinding"
                    bindingConfiguration="WSHttpBinding_ISyncService"
                    contract="SyncService.ISyncService"
                    name="WSHttpBinding_ISyncService" />
        </client>
        <bindings>
          <ws2007FederationHttpBinding>
            <binding name="XYZ" maxReceivedMessageSize="2147483647">
              <security mode="TransportWithMessageCredential">
                <message establishSecurityContext="false">
                  <issuer address="https://corp.sts.microsoft.com/adfs/services/trust/13/usernamemixed"
                          binding="ws2007HttpBinding"
                          bindingConfiguration="CorpSTSBinding" />
                  <issuerMetadata address="https://corp.sts.microsoft.com/adfs/services/trust/mex" />
                  <tokenRequestParameters>
                    <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                      <trust:KeySize>256</trust:KeySize>
                      <trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                      <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                      <trust:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                      <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                      <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                    </trust:SecondaryParameters>
                  </tokenRequestParameters>
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
          <wsHttpBinding>
            <binding name="WSHttpBinding_ISyncService">
              <security mode="Transport">
                <transport clientCredentialType="None" />
              </security>
            </binding>
          </wsHttpBinding>
          <ws2007HttpBinding>
            <binding name="CorpSTSBinding">
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None" />
                <message clientCredentialType="UserName" establishSecurityContext="false" />
              </security>
            </binding>
          </ws2007HttpBinding>
        </bindings>
      </system.serviceModel>
    </configuration>
We have a similar scenario in another project where the https://plxadmin.training.partner.microsoft.com/plxws/TrainingTranscriptSearch.svc service is being accessed successfully. This service is not hosted by us; it is one of the MS partner services.
Any guidance or suggestion on this will be greatly appreciated.
Please let us know if any more information or clarifications are required.
Thanks and regards,
Chetan Ranpariya
Chetan Ranpariya, Software Engineer.
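Added example, not code from the post above or from its project: a client in which the issued bearer token is actually carried on the service call. The service endpoint uses a ws2007FederationHttpBinding with IssuedKeyType = BearerKey (the kind of binding the configuration above declares as "XYZ" but never references from the endpoint) instead of a wsHttpBinding with Transport/None security, which has no issued-token parameters and therefore sends an anonymous request that the relying party answers with its passive sign-in page. IService, GetData(), the credential source and ServiceUrl as the relying-party identifier are assumptions.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
// Assumed names: IService/GetData() is the service contract; ServiceUrl is the RP identifier registered in ADFS.
static class FederatedSyncClient
{
    const string StsUsernameMixed = "https://corp.sts.microsoft.com/adfs/services/trust/13/usernamemixed";
    const string ServiceUrl = "https://app1.cloudapp.net/SyncService.svc";
    // Binding towards the STS only: TLS on the wire, UserName credential inside the SOAP message.
    static WS2007HttpBinding StsBinding()
    {
        var b = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }
    static SecurityToken RequestToken(string user, string password)
    {
        var factory = new WSTrustChannelFactory(StsBinding(), new EndpointAddress(StsUsernameMixed)) { TrustVersion = TrustVersion.WSTrust13 };
        factory.Credentials.UserName.UserName = user;      // service-account secret comes from protected
        factory.Credentials.UserName.Password = password;  // configuration, never from source code
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(ServiceUrl)  // must equal the RP identifier ADFS knows
        };
        var token = factory.CreateChannel().Issue(rst);
        factory.Close();
        if (token.ValidTo <= DateTime.UtcNow)              // refuse to present an already-expired token
            throw new SecurityTokenExpiredException("STS returned an expired token");
        return token;
    }
    static object CallService(string user, string password)
    {
        // Federation binding whose message security expects a bearer issued token, so the token handed to
        // CreateChannelWithIssuedToken is placed in the WS-Security header of every request.
        var b = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.EstablishSecurityContext = false;
        b.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;   // same key type as the RST
        b.Security.Message.IssuerAddress = new EndpointAddress(StsUsernameMixed);
        b.Security.Message.IssuerBinding = StsBinding();
        var factory = new ChannelFactory<IService>(b, new EndpointAddress(ServiceUrl));
        factory.ConfigureChannelFactory();                   // installs FederatedClientCredentials
        IService svc = factory.CreateChannelWithIssuedToken(RequestToken(user, password));
        return svc.GetData();
    }
}
```

A quick way to confirm the token is on the wire is to enable WCF message logging on the client and check that the request's Security header contains the SAML assertion; if it does not, the endpoint is still bound to a binding without issued-token parameters.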