

Configuring Security Policy for a Service

The Security policy lets you manage the communication security configuration for your service. The policy lets you configure authentication on the service by selecting a Security Token Service to issue security tokens based on user identity.

The following list describes the properties of the Security policy.

  • issuerMetadataAddress. Defines the metadata endpoint address for the Security Token Service (STS) that issues the security tokens used by the service. This can be a third-party security service; however, the service must implement the WS-Trust specification. DCS uses this service at run time to request security tokens and to authenticate users.
  • securityMode. Defines the mode used to secure messages. You can specify one of four values; the examples in this topic use Message.
  • tokenType. Defines the type of security token to use during communication. DCS supports both SAML and Kerberos (Windows) tokens in the security policy.
  • useSecureConversation. Specifies whether the service uses the WS-SecureConversation protocol to protect messages.

WS-Security defines several types of security tokens and provides an extensible model that allows additional security token types to be defined independently. DCS provides the following security token types in DCS security policy:

  • Kerberos (Windows) token
  • SAML token

To enable message-level security based on SAML tokens, you can set the following properties:

  • issuerMetadataAddress. http://<machine_name_hosting_DCS_STS_service>/TokenIssuerService/STS.svc/mex
  • securityMode. Set to Message.
  • tokenType. Set to Windows.
  • useSecureConversation. This value is ignored for SAML-based security.

The following figure shows a sample security policy configuration based on a SAML token in the DCS Management Services Console.


DCS provides an STS that supports user-defined claim providers and an AuthorizationManager, which you can use to extend the STS feature of DCS. This provides a way to use Windows tokens to identify users. Any DCS-compatible claim provider must implement the IClaimProvider interface and its GetIssuedClaims method. This method receives a RequestContext as a parameter. The claim provider can issue claims based on the OriginalCallerSubjectName property of the RequestContext class, which contains the caller's Windows token as a string. The AuthorizationManager can then use these claims to identify the caller.
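The following is an added example, not code from DCS or this topic, of what a claim provider built around the members named above might look like. It uses only the names the topic gives (IClaimProvider, GetIssuedClaims, RequestContext and OriginalCallerSubjectName); the namespace those types live in, the return type IEnumerable<Claim> (mapped here onto WCF's System.IdentityModel.Claims.Claim), the role claim type URI and the account-to-role table are all assumptions made for the example.

```csharp
// Added example (not DCS's own code). Assumptions: IClaimProvider and
// RequestContext are the DCS types this topic names; GetIssuedClaims returns
// IEnumerable<Claim> using WCF's System.IdentityModel.Claims.Claim; the
// role mapping below is constructed sample data, not a real directory.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

public class RoleClaimProvider : IClaimProvider
{
    // Standard role claim type URI; assumed to be what the AuthorizationManager
    // is configured to look for.
    private const string RoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    // Constructed sample mapping from Windows account (DOMAIN\user, as the STS
    // presents it in OriginalCallerSubjectName) to application roles.
    private static readonly IDictionary<string, string[]> RolesByAccount =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\operator1", new[] { "Operator" } },
            { @"CONTOSO\engineer1", new[] { "Operator", "Engineer" } },
        };

    public IEnumerable<Claim> GetIssuedClaims(RequestContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException("context");
        }

        // The STS passes the caller's Windows identity as a string.
        string caller = context.OriginalCallerSubjectName;
        if (string.IsNullOrEmpty(caller))
        {
            // No authenticated Windows identity: issue no claims at all so that
            // the AuthorizationManager denies by default instead of granting.
            yield break;
        }

        // Always carry the caller's name so the service can record who called.
        yield return Claim.CreateNameClaim(caller);

        // Add one role claim per role the account is mapped to. Unknown accounts
        // get only the name claim and therefore no role-based access.
        string[] roles;
        if (RolesByAccount.TryGetValue(caller, out roles))
        {
            foreach (string role in roles)
            {
                yield return new Claim(RoleClaimType, role, Rights.PossessProperty);
            }
        }
    }
}
```

The design point is that the provider never fabricates an identity: an empty or missing OriginalCallerSubjectName yields no claims, and an account absent from the mapping yields a name claim but no role claims, so the AuthorizationManager has nothing to grant access on.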

DCS also has direct support for Windows tokens to identify users. For example, to enable message-level security based on Windows tokens, you can set the following properties:

  • issuerMetadataAddress. Leave blank.
  • securityMode. Set to Message.
  • tokenType. Set to Windows.
  • useSecureConversation. Set to True.

To apply a Security policy to a service

  1. In the DCS Management Services Console, expand Policy Management, expand the service to which you want to apply a policy, and then click Policies.
  2. In the left pane, right-click the Policies folder, and then click New.
  3. In the Edit Policy dialog box, in the Policy Type list, click Microsoft.ConnectedIndustry.Application.ServiceModel.Policy.SecurityPolicy.
  4. Configure the required policy properties, and then click OK to save the properties and apply the policy to the service.

The following figure shows a sample security policy configuration in the DCS Management Services Console.


A sample security policy configuration that specifies the Message security mode, Windows token type, and that secured messages are not required

Note

To implement Windows authentication, WCF typically uses the Negotiate Security Support Provider (SSP), which performs Kerberos mutual authentication between the client and the service. The Kerberos protocol is available only when both the client and service are using domain identities.
If you configure a Security policy that uses message-level security without the secure conversation protocol, DCS uses the Kerberos security policy. This configuration requires you to implement an Identity policy so that the client and service can pass the correct user and service principals to the authentication service. For more information, see Configuring Identity Policy for a Service.

See Also

Configuring Identity Policy for a Service

Configuring Protection Policy for an Operation