Federation Sample
The Federation sample demonstrates federated security.
Sample Details
Windows Communication Foundation (WCF) provides support for deploying federated security architectures through the wsFederationHttpBinding
. The wsFederationHttpBinding
provides a secure, reliable, and interoperable binding that involves the use of HTTP as the underlying transport mechanism for request/reply communication, and Text/XML as the wire format for encoding. For more information about Federation in WCF, see Federation.
The scenario is made up of 4 pieces:
BookStore service
BookStore STS
HomeRealm STS
BookStore Client
The BookStore service supports two operations, BrowseBooks
and BuyBook
. It allows anonymous access to the BrowseBooks
operation, but requires authenticated access to access the BuyBooks
operation. The authentication takes the form of a token issued by the BookStore STS. The configuration file for the BookStore Service points clients to the BookStore STS using the wsFederationHttpBinding
.
<wsFederationHttpBinding>
<!-- This is the Service binding for the BuyBooks endpoint. It redirects clients to the BookStore STS -->
<binding name='BuyBookBinding'>
<security mode="Message">
<message>
<issuerMetadata
address='http://localhost/FederationSample/BookStoreSTS/STS.svc/mex' >
<identity>
<dns value ='BookStoreSTS.com'/>
</identity>
</issuerMetadata>
</message>
</security>
</binding>
</wsFederationHttpBinding>
The BookStore STS then requires that clients authenticate using a token issued by the HomeRealm STS. Again, the configuration file for the BookStore STS points clients to the HomeRealm STS using the wsFederationHttpBinding
.
<wsFederationHttpBinding>
<!-- This is the binding for the clients requesting tokens from this STS. It redirects clients to the HomeRealm STS -->
<binding name='BookStoreSTSBinding'>
<security mode='Message'>
<message>
<issuerMetadata
address='http://localhost/FederationSample/HomeRealmSTS/STS.svc/mex' >
<identity>
<dns value ='HomeRealmSTS.com' />
</identity>
</issuerMetadata>
</message>
</security>
</binding>
</wsFederationHttpBinding>
The sequence of events when accessing the BuyBook
operation is as follows:
The client authenticates to the HomeRealm STS using Windows credentials.
The HomeRealm STS issues a token that can be used to authenticate to the BookStore STS.
The client authenticates to the BookStore STS using the token issued by the HomeRealm STS.
The BookStore STS issues a token that can be used to authenticate to the BookStore Service.
The client authenticates to the BookStore service using the token issued by the BookStore STS.
The client accesses the
BuyBook
operation.
See the following instructions about how to set up and run this sample.
Note
You must have Write permissions to the wwwroot directory to run this sample.
To set up, build, and run the sample
Open the SDK command window. In the sample path, run Setup.bat. This creates the virtual directories required for the sample and installs the required certificates with appropriate permissions.
Note
The Setup.bat batch file is designed to be run from a Windows SDK Command Prompt. It requires that the MSSDK environment variable point to the directory where the SDK is installed. This environment variable is automatically set within a Windows SDK Command Prompt. On Windows Vista, you must ensure that IIS 6.0 Management Compatibility is installed because the set up uses IIS administrator scripts. Running the set-up script on Windows Vista requires administrator privileges.
Open FederationSample.sln in Visual Studio and select Build Solution from the Build menu. This builds the common project files, Bookstore service, Bookstore STS, HomeRealm STS, and deploys them in IIS. This also builds the Bookstore client application and places the executable BookStoreClient.exe in the FederationSample\BookStoreClient\bin\Debug folder.
Double-click BookStoreClient.exe. The BookStoreClient window is displayed.
You can browse the books available in the bookstore by clicking Browse Books.
To purchase a particular book, select the book in the list and click Buy Book. The application starts up and authenticates using Windows authentication with the HomeRealm Security Token Service.
The sample is configured to allow users to purchase books that cost $15 or less. Attempting to buy books that cost more than $15 results in the client getting an Access Denied message from the Book Store Service.
Note
The sample does not update the user's credit limit after a purchase. You can repeatedly purchase books within the user's (fixed) credit limit.
To clean up
Run Cleanup.bat. This deletes the virtual directories that were created during set up and also removes the certificates installed during setup.