
My scope:

How do you pass a (claims) security token to a WIF-enabled WCF service?

Implement security in ASP.NET MVC (ok)

Implement security in WCF (not ok)

Pass the token from the client to WCF (not ok)

My client code:

    using System.IdentityModel.Tokens;
    using System.Security.Claims;
    using System.ServiceModel;
    using System.ServiceModel.Security;
    using System.Web.Mvc;
    using Microsoft.IdentityModel.Protocols.WSTrust;
    using Nobre.Core.Helpers;
    using Wcf;


    namespace Mvc.Controllers
    {
        public class HomeController : Controller
        {
            [Authorize]
            public ActionResult Index()
            {
                var identity = HttpContext.User.Identity as ClaimsIdentity;
                var securityToken = WcfHelper.GetActAsToken(identity.BootstrapContext as BootstrapContext);
                var serviceAddress = "https://estnbr363.nobre.local/Service1.svc";
                var binding = new WSFederationHttpBinding();

                binding.Security.Mode = WSFederationHttpSecurityMode.TransportWithMessageCredential;
                binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
                binding.Security.Message.NegotiateServiceCredential = true;
                binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
                binding.Security.Message.IssuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#samlv1.1";

                var factory = new ChannelFactory<IService1>(binding, serviceAddress);
                factory.ConfigureChannelFactory();
                factory.Credentials.SupportInteractive = false;
                var channel = factory.CreateChannelActingAs(securityToken);  

                return View( channel.GetData(1));

            }
        }
    }


Web.config of the service:

    <?xml version="1.0"?>
    <configuration>
      <configSections>
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </configSections>
      <appSettings>
        <add key="ida:FederationMetadataLocation" value="https://nobre-security.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml" />
        <add key="ida:Issuer" value="https://nobre-security.accesscontrol.windows.net/v2/wsfederation" />
        <add key="ida:ProviderSelection" value="ACS" />
      </appSettings>
      <location path="FederationMetadata">
        <system.web>
          <!--<authorization>
            <allow users="*" />
          </authorization>-->
        </system.web>
      </location>
      <system.web>
        <!--<authorization>
          <deny users="?" />
        </authorization>-->
        <compilation debug="true" targetFramework="4.5" />
        <httpRuntime targetFramework="4.5" />
      </system.web>
      <system.serviceModel>
        <diagnostics>
          <messageLogging maxMessagesToLog="25000" logEntireMessage="true" logMessagesAtServiceLevel="false" logMalformedMessages="true" logMessagesAtTransportLevel="true">
            <filters>
              <clear/>
            </filters>
          </messageLogging>
        </diagnostics>
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <serviceMetadata httpsGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceCredentials useIdentityConfiguration="true" />
              <serviceAuthorization principalPermissionMode="Always" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
        <bindings>
          <ws2007FederationHttpBinding>
            <binding>
              <security mode="TransportWithMessageCredential">
                <message issuedKeyType="BearerKey" negotiateServiceCredential="true">
                  <issuerMetadata address="https://federation.nobre.net.br/adfs/services/trust/mex" />
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
        </bindings>
        <services>
          <service name="Wcf.Service1" behaviorConfiguration="">
            <endpoint name="ws2007FederationHttpBinding.Service1" address="ws2007FederationHttpBinding" binding="ws2007FederationHttpBinding" contract="Wcf.IService1" />
          </service>
        </services>
      </system.serviceModel>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
        <directoryBrowse enabled="true" />
      </system.webServer>
      <system.identityModel>
        <identityConfiguration saveBootstrapContext="true">
          <audienceUris>
            <add value="https://estnbr363.nobre.local/Service1.svc" />
          </audienceUris>
          <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="https://nobre-security.accesscontrol.windows.net/">
              <keys>
                <add thumbprint="213D414F8E89D865FD10A49C8C8F838A9460EBEE" />
              </keys>
              <validIssuers>
                <add name="https://nobre-security.accesscontrol.windows.net/" />
              </validIssuers>
            </authority>
          </issuerNameRegistry>
          <certificateValidation certificateValidationMode="None" />
        </identityConfiguration>
      </system.identityModel>
    </configuration>

Line with the error:

    channel.GetData(1);

The address of the issuer of the security token was not specified. An explicit issuer address must be specified on the link to 'https://estnbr363.nobre.local/Service1.svc' destination or sender's address location must be configured in the credentials.

The problem is in these lines below! How do I implement this?

    // Extract the STS certificate from the certificate store. ?????????
    X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certs = store.Certificates.Find(
        X509FindType.FindByThumbprint, "0000000000000000000000000000000000000000", false);
    store.Close();

    // Create an EndpointIdentity from the STS certificate. ???????????
    EndpointIdentity identity = EndpointIdentity.CreateX509CertificateIdentity(certs[0]);

    // Set the IssuerAddress using the address of the STS and the previously created
    // EndpointIdentity. ???????
    b.Security.Message.IssuerAddress =
        new EndpointAddress(new Uri("http://localhost:8000/sts/x509"), identity);

1 Answer

I had a similar problem and this

    factory.Credentials.SupportInteractive = false;

turned off CardSpace for me. Just place it after the ConfigureChannelFactory() in the client code.

    [Authorize]
    public ActionResult Index()
    {
        var identity = HttpContext.User.Identity as ClaimsIdentity;
        var securityToken = WcfHelper.GetActAsToken(identity.BootstrapContext as BootstrapContext);
        string serviceAddress = "svc";
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        var factory = new ChannelFactory<IService>(binding, new EndpointAddress(serviceAddress));
        factory.ConfigureChannelFactory();
        // Must come after ConfigureChannelFactory(), which replaces the client credentials.
        factory.Credentials.SupportInteractive = false;
        var channel = factory.CreateChannelActingAs(securityToken);
        channel.DoWork();
        return View();
    }

SupportInteractive:

Gets or sets a value that indicates whether the system is allowed to interactively prompt the user for credentials when necessary. For example, setting it to false might be desired in middle-tier scenarios.

flayn
  • channel.DoWork(); gives the error: The address of the issuer of the security token was not specified. An explicit issuer address must be specified on the link to 'https://estnbr363.nobre.local/Service1.svc' destination or sender's address location must be configured in the credentials. – Wandelson Bezer Jul 10 '13 at 15:09
  • That is a completely different problem. See the accepted answer here: http://stackoverflow.com/questions/7716218/wcf-client-error-the-address-of-the-security-token-issuer-is-not-specified – flayn Jul 10 '13 at 15:39
  • You should consider configuring a mex endpoint and then let Visual Studio generate the service reference for you. If you want to create the endpoint in code you have to look very closely at the bindings. You are missing all the stuff about the security configuration. Have a look here: http://msdn.microsoft.com/de-de/library/system.servicemodel.federatedmessagesecurityoverhttp.issueraddress.aspx – flayn Jul 10 '13 at 19:43
  • Thanks for the help but the error remains the same. I posted the code at the top, can you help me? – Wandelson Bezer Jul 11 '13 at 14:10
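The question's client binding never names an issuer, which is exactly what the error and flayn's last comment point at, and its key type (SymmetricKey) does not match the service's `issuedKeyType="BearerKey"`. The following is an added example, not code from either poster, showing a client binding that mirrors the service Web.config, sets an explicit `IssuerAddress`/`IssuerBinding`, and recovers the bootstrap token before calling `CreateChannelActingAs`. Assumptions: the `IService1` contract from the question exposes `string GetData(int)`; the service and STS addresses are placeholders; the STS endpoint is assumed to accept the `WS2007HttpBinding` shown.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.ServiceModel;
using System.Xml;

public static class FederatedClient
{
    // Placeholder addresses (not from the question): service endpoint and STS issue endpoint.
    const string ServiceAddress = "https://service.example.invalid/Service1.svc";
    const string IssuerAddress = "https://sts.example.invalid/adfs/services/trust/13/usernamemixed";

    // Mirrors the service Web.config (TransportWithMessageCredential, BearerKey) and names
    // the STS explicitly, which is what the "issuer address not specified" error asks for.
    public static WS2007FederationHttpBinding CreateBinding()
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey; // must match issuedKeyType
        binding.Security.Message.NegotiateServiceCredential = true;
        binding.Security.Message.EstablishSecurityContext = false;          // no session over a bearer token
        // Binding used to reach the STS; it must match the STS endpoint's own binding (assumed here).
        var issuerBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        issuerBinding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuerAddress = new EndpointAddress(IssuerAddress);
        binding.Security.Message.IssuerBinding = issuerBinding;
        return binding;
    }

    // Recovers the user's original token; needs saveBootstrapContext="true" in the MVC app.
    public static SecurityToken GetBootstrapToken(ClaimsIdentity caller)
    {
        var ctx = caller.BootstrapContext as BootstrapContext;
        if (ctx == null) throw new InvalidOperationException("No bootstrap token saved for this identity.");
        if (ctx.SecurityToken != null) return ctx.SecurityToken;
        // After a session-cookie round trip only the token XML survives; rehydrate it.
        using (var reader = XmlReader.Create(new StringReader(ctx.Token)))
            return ctx.SecurityTokenHandler.ReadToken(reader);
    }

    // Calls the service on the user's behalf: the bootstrap token becomes the ActAs
    // element of the token request that WCF sends to the STS.
    public static string GetDataActingAs(ClaimsIdentity caller, int value)
    {
        var factory = new ChannelFactory<IService1>(CreateBinding(), new EndpointAddress(ServiceAddress));
        factory.ConfigureChannelFactory();              // installs FederatedClientCredentials
        factory.Credentials.SupportInteractive = false; // never prompt (CardSpace) from a web tier
        var channel = factory.CreateChannelActingAs(GetBootstrapToken(caller));
        var result = channel.GetData(value);
        ((IClientChannel)channel).Close();
        return result;
    }
}
```

If the STS requires the middle tier to authenticate (for example with a client certificate), set that credential on `factory.Credentials` before creating the channel; the binding alone only tells WCF where to ask.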