How to: Build a WCF Relying Party Application

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

This exercise does not use an STS. You create a WCF service that lets you access the current user’s claims through IClaimsPrincipal. This works because FedUtil adds the ClaimsPrincipalHttpModule to your project; the module lets you convert the current user’s IPrincipal object to an IClaimsPrincipal object.


Note: You must run Visual Studio in elevated mode for FedUtil to work correctly.

First, create a Claims-Aware WCF service as shown in Claims-Aware WCF Service.

Next, right-click your project in Solution Explorer and select Add STS Reference.


This runs the FedUtil tool. You’ll see the FedUtil dialog box, beginning with the Welcome to Federation Utility tool page.


This page has two fields that you must fill in:

  1. Application configuration location: Specify the path to the web.config file for your WCF service. If you run FedUtil from outside Visual Studio, this field is empty. If you run FedUtil from inside Visual Studio, this field already contains the path to the web.config file for your project. The web.config file must already exist and should be in its default state (that is, as it was generated by Visual Studio). If you run FedUtil more than once on the same web.config file, FedUtil simply overwrites the content that it adds to the web.config file.

  2. Application URI: Specify the URI for your WCF service. Note that this is a .svc file. If you run FedUtil from outside Visual Studio, this field is empty. If you run FedUtil from inside Visual Studio, this field already contains two URIs for your project: one that uses localhost, and one that uses the fully qualified domain name for your computer, if available. This URI is used as the realm value while configuring the application for claims. If the URI is not secure (that is, does not begin with “https://”), you receive a warning when you click Next.

When you have provided the information, click Next. You’ll see the Application Information page.


Select the service name and endpoint contract name that you want to configure, then click Next. If there are multiple endpoints on a service, and you want to configure claims only for certain endpoints, then select those endpoints.

The Security Token Service page appears.


Select No STS. This creates a WCF service that is claims-aware and does not require an STS to issue the claims. The service gets the default claims created by the framework. Click Next. You see the Summary page.


Click Finish.

If you look at your web.config file, you’ll see that FedUtil has modified it:

  • The <configuration>/<configSections> element now contains a reference to a microsoft.identityModel configuration section:

    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

  • The <configuration> element now contains the microsoft.identityModel configuration section, which contains the application URI that you specified previously:

        <service name="ClaimsAwareService1.Service">
                <add value="https://localhost:64705/ClaimsAwareService1/Service.svc" />
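
The two web.config changes listed above, and the https requirement FedUtil warns about for the application URI, can be re-checked after later edits to the file. The following is an added example, not part of the original topic or of WIF: the function name and the sample config are constructed, the `type` attribute is a placeholder, and `audienceUris` is the WIF 3.5 element that wraps the URI entries (it is not shown in the fragment above).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SECTION = "microsoft.identityModel"

# Constructed sample: service name and https URI are taken from the page,
# the http entry is added here so the audit has something to flag.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="PLACEHOLDER" />
  </configSections>
  <microsoft.identityModel>
    <service name="ClaimsAwareService1.Service">
      <audienceUris>
        <add value="https://localhost:64705/ClaimsAwareService1/Service.svc" />
        <add value="http://localhost:64705/ClaimsAwareService1/Service.svc" />
      </audienceUris>
    </service>
  </microsoft.identityModel>
</configuration>"""

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Check 1: the section handler is registered under <configSections>.
    names = [s.get("name", "") for s in root.findall("./configSections/section")]
    if SECTION not in names:
        findings.append("configSections: no %s section registered" % SECTION)
    # Check 2: the section itself exists directly under <configuration>.
    section = next((child for child in root if child.tag == SECTION), None)
    if section is None:
        findings.append("%s: section missing" % SECTION)
        return findings
    # Check 3: each configured service lists at least one URI, all https.
    for service in section.findall("service"):
        name = service.get("name", "(unnamed)")
        values = [a.get("value", "") for a in service.iter("add")]
        uris = [v for v in values if urlparse(v).scheme in ("http", "https")]
        if not uris:
            findings.append("%s: no application URI configured" % name)
        for uri in uris:
            if urlparse(uri).scheme != "https":
                findings.append("%s: URI is not https: %s" % (name, uri))
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```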