How To Configure WS-Trust .NET client for NetIQ Access Manager 4.0



This article gives the steps for configuring a Windows WCF web service application and a WCF client application to authenticate with, and accept tokens issued by, the NetIQ Access Manager WS-Trust STS.

Use case

We have a web service exposed through the .NET WCF framework. It is configured to authorize users based on tokens issued by a trusted STS, and a .NET-based client accesses it. We configure both the service and the client to accept tokens from the NetIQ Access Manager WS-Trust STS.


This article assumes you have the following to follow along:

    1. A WCF Web Service application (binaries)

    2. A WCF Web Service client application

    3. Visual Studio 2012. This is needed to develop the sample if you do not already have the applications in items 1 and 2.

    4. A NetIQ Access Manager 4.0 installation

Steps for creating a sample WCF Web Service Application and a Console Application client

This step is optional if you already have a working WCF Service and Client.

Steps to create a WCF Service Application

    1. Open Visual Studio 2012.

    2. Create a WCF Service project by clicking File -> New -> Project -> Templates -> C# -> WCF -> WCF Service Application. Enter the details and click OK. This creates a sample application with a sample web method.

Steps to create a Console application to use the WCF Service

    1. Right-click the solution in Solution Explorer and click Add -> New Project -> C# -> Windows -> Console Application.

Now you have two projects. The service project has a Web.config and the client project has an App.config. We will modify these files in the next sections to enable claims-based authentication and accept claims issued by NetIQ Access Manager.

Configuring Web Service for claims

If you already have a WCF service application and a client application, you edit <your-application-name>.exe.config for the client and web.config for the WCF service.

    1. Open the Web.config file.

    2. Configure a certificate for the service. Every token-enabled service needs one: the STS encrypts the issued token to this certificate, and the service uses its private key to decrypt it. Add the following under "<system.serviceModel><behaviors><serviceBehaviors><behavior>", and make sure a certificate with subject CN=test-encryption, together with its private key, is in the CurrentUser\My store of the account the service runs as (with Visual Studio and IIS Express that is your own login).
      <serviceCredentials useIdentityConfiguration="true">
        <serviceCertificate findValue="CN=test-encryption" storeLocation="CurrentUser"
                            storeName="My" x509FindType="FindBySubjectDistinguishedName" />
        <issuedTokenAuthentication trustedStoreLocation="CurrentUser" />
      </serviceCredentials>

    3. Add the following under <protocolMapping>, so that the service's http endpoint uses the federation binding configured in the next step rather than the default one:
      <add scheme="http" binding="ws2007FederationHttpBinding" bindingConfiguration="nambinding" />


    4. Add the following ws2007FederationHttpBinding under <system.serviceModel><bindings>. Replace <your_idp_domain> with the DNS name of your Identity Server. issuerMetadata points the service at the STS's WS-MetadataExchange endpoint; that is how the issuer's policy ends up as an <sp:IssuedToken> assertion in the service WSDL.

      <ws2007FederationHttpBinding>
        <binding name="nambinding">
          <security mode="Message">
            <message establishSecurityContext="false" issuedKeyType="SymmetricKey"
                     negotiateServiceCredential="false" algorithmSuite="Default">
              <issuerMetadata address="https://<your_idp_domain>:8443/nidp/wstrust/sts/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>



    5. Register the system.identityModel configuration section. The <configSections> element must be the first child of <configuration>:
      <configSections>
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </configSections>


    6. Add the following <system.identityModel> element under <configuration>:
      <system.identityModel>
        <identityConfiguration>
          <audienceUris>
            <add value="http://localhost:65520/Service1.svc" />
          </audienceUris>
          <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="https://<your idp domain>:8443/nidp/wstrust/sts">
              <keys>
                <add thumbprint="36EEE409D410EEC004C2A6680D6B745127381ED8" />
              </keys>
              <validIssuers>
                <add name="https://<your idp domain>:8443/nidp/wstrust/sts" />
              </validIssuers>
            </authority>
          </issuerNameRegistry>
          <certificateValidation certificateValidationMode="None" />
        </identityConfiguration>
      </system.identityModel>

      Some important entries in this configuration are:

        1. http://localhost:65520/Service1.svc is the address of your service and the only audience the NAM STS will issue tokens for. It must match the AppliesTo element of the client's RequestSecurityToken and the endpoint configured for the service provider in NAM (see below); the service rejects any token whose audience differs. Use whatever port Visual Studio actually assigned, and the same value everywhere.

        2. Remove the certificateValidation element if the STS signing certificate chains to a trusted root. certificateValidationMode="None" turns off chain validation of the signing certificate entirely and is only acceptable in a test setup with a self-signed certificate; the pinned thumbprint in issuerNameRegistry is then the only thing tying a token to your STS.

        3. Change <your idp domain> in the authority name and in the validIssuers entry to your Identity Server's DNS name.

        4. The thumbprint is that of the NAM STS's signing certificate (IDP cluster -> Security -> Signing), in upper case and without spaces. A token signed with any other key is rejected.

    7. For ValidatingIssuerNameRegistry to work, add the package to your project: right-click "References", choose "Manage NuGet Packages", search for "ValidatingIssuerNameRegistry" and install it.

Now you can run your service. In Visual Studio, right-click the service project and click "View in Browser". You should see a page without errors, and you should be able to fetch the WSDL of the WCF service at http://localhost:65520/Service1.svc?wsdl. Verify that the WSDL contains an <sp:IssuedToken> element: that is the policy assertion telling clients a token from the configured issuer is required, and it only appears if the federation binding and issuerMetadata above took effect.

Configuring a WCF Client application

      1. If you are following the Visual Studio steps and creating the client application as well:

          a. Right-click "References" in Solution Explorer and choose "Add Service Reference". Click "Discover" and add the service you created above.

          b. By default this adds the following endpoint under the <system.serviceModel> section of App.config. The encodedValue is the service's encryption certificate (CN=test-encryption), copied from the service metadata; it identifies the service and is used for message security towards it.
            <client>
              <endpoint address="http://localhost:65520/Service1.svc" binding="ws2007FederationHttpBinding"
                        bindingConfiguration="WS2007FederationHttpBinding_IService1"
                        contract="ServiceReference1.IService1" name="WS2007FederationHttpBinding_IService1">
                <identity>
                  <certificate encodedValue="AwAAAAE......xax1RRRSU" />
                </identity>
              </endpoint>
            </client>

          c. It also adds a default ws2007FederationHttpBinding under <system.serviceModel><bindings>. Visual Studio fills the trust:* request parameters from the service's WSDL policy; leave them as generated.
            <ws2007FederationHttpBinding>
              <binding name="WS2007FederationHttpBinding_IService1">
                <security>
                  <message establishSecurityContext="false" negotiateServiceCredential="false">
                    <issuer address="" />
                    <issuerMetadata address="" />
                    <tokenRequestParameters>
                      <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                        <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"></trust:KeyType>
                        <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                        <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"></trust:KeyWrapAlgorithm>
                        <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"></trust:EncryptWith>
                        <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"></trust:SignWith>
                        <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"></trust:CanonicalizationAlgorithm>
                        <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"></trust:EncryptionAlgorithm>
                      </trust:SecondaryParameters>
                    </tokenRequestParameters>
                  </message>
                </security>
              </binding>
            </ws2007FederationHttpBinding>

          d. We now edit this binding further so that the client requests the right token from the NAM STS.


      2. Open your application's App.config (or <appname>.exe.config).

      3. Add a ws2007HttpBinding with username/password authentication, as below, under <system.serviceModel><bindings>. This is the binding the client uses to talk to the STS: the credentials travel as a UserName token inside the message, and TransportWithMessageCredential means they are only ever sent over HTTPS.
        <ws2007HttpBinding>
          <binding name="unamepwdBinding">
            <security mode="TransportWithMessageCredential">
              <message clientCredentialType="UserName" establishSecurityContext="false" />
            </security>
          </binding>
        </ws2007HttpBinding>

      4. Change the "address" attribute of the <issuer> element to "https://<your idp_dns>:8443/nidp/wstrust/sts".

      5. Point the <issuer> element at the username/password binding defined in step 3 by adding binding="ws2007HttpBinding" and bindingConfiguration="unamepwdBinding", so the element reads:
        <issuer address="https://<your idp_dns>:8443/nidp/wstrust/sts" binding="ws2007HttpBinding" bindingConfiguration="unamepwdBinding" />

      6. Now supply the username and password for authentication. If you have already developed the client application, you will have a mechanism for reading them from configuration or prompting for them. The user must enter the eDirectory username and password configured in the Identity Provider; they go to the STS over HTTPS, never to the WCF service, which only ever sees the issued token.

      7. If you are developing the client application, one way to do this is to edit Program.cs:

          a. Create the client proxy for your service.

          b. Add the following lines to Main. Hard-coded credentials are for the sample only; in anything beyond a test, read them from a prompt or a protected configuration store.
            var service = new ServiceReference1.Service1Client();
            service.ClientCredentials.UserName.UserName = "usr1";
            service.ClientCredentials.UserName.Password = "pwdl";
            // Call the sample web method generated by the WCF Service Application template.
            Console.WriteLine(service.GetData(10));

Now run the application. The call only succeeds if the client obtained a token from the NAM STS and the service accepted it, so seeing the sample method's response for "10" confirms the whole chain.

Configuring NetIQ Access Manager to issue tokens for above service

The following steps explain how to configure NetIQ Access Manager to issue tokens for the above created WCF Service.

    1. Open the Administration Console of NetIQ Access Manager: http://<your_ac>:8080/nps

    2. Go to Identity Provider -> <your cluster config> -> Edit -> WS-Trust -> <your_domain> -> Service Providers -> New

    3. Enter the following details:

        1. Name: http://localhost:65520/Service1.svc

        2. EndPoint: http://localhost:65520/Service1.svc. This must be exactly the audience URI in the service's web.config and the address the client calls; it is what the STS puts into the token as the audience.

        3. Token Type: SAML2

        4. Encrypt Token Using: <browse and select the test-encryption certificate used by the WCF service>. The STS encrypts the token to this certificate, so it must be the one whose private key sits in the service's certificate store.

        5. Attribute Sets: Move Cardspace from the "Available" to the "Selected" list.

    4. Click OK and then "Update All".


Troubleshooting

    1. Take a packet capture and check that a proper RequestSecurityToken goes between the client and the NAM STS, and that the flow between the client and the WCF service carries the issued token. Since the RST goes over HTTPS, a wire capture only shows that the exchange happened; for the contents you need WCF message logging on the client.

    2. If you are not getting a token, enable debug logging in the NIDP of NetIQ Access Manager and follow catalina.out.

    3. If the token is not accepted by the WCF service:

        1. Add the following to the WCF web.config under <system.serviceModel>:
          <diagnostics>
            <endToEndTracing propagateActivity="true" activityTracing="true"
                             messageFlowTracing="true" />
          </diagnostics>

        2. Also add the following under <configuration>, then create the directory C:\logs. The WIF trace (System.IdentityModel at Verbose) is the one that names the failing check: audience mismatch, issuer or thumbprint not in the registry, or a signing certificate that could not be validated. Note that TextWriterTraceListener writes plain text despite the .xml file names; if you want to open the traces in the Service Trace Viewer (SvcTraceViewer.exe), use System.Diagnostics.XmlWriterTraceListener instead.
          <system.diagnostics>
            <sources>
              <source name="System.IdentityModel" switchValue="Verbose">
                <listeners>
                  <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                    <filter type="" />
                  </add>
                  <add name="wif">
                    <filter type="" />
                  </add>
                </listeners>
              </source>
              <source name="System.ServiceModel.MessageLogging" logKnownPii="false">
                <listeners>
                  <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                    <filter type="" />
                  </add>
                  <add name="wcf">
                    <filter type="" />
                  </add>
                </listeners>
              </source>
              <source name="System.ServiceModel" propagateActivity="true" switchValue="Warning, ActivityTracing">
                <listeners>
                  <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                    <filter type="" />
                  </add>
                  <add name="wcf">
                    <filter type="" />
                  </add>
                </listeners>
              </source>
            </sources>
            <sharedListeners>
              <add name="wcf" initializeData="C:\logs\WCF3.xml" type="System.Diagnostics.TextWriterTraceListener">
                <filter type="" />
              </add>
              <add name="wif" initializeData="C:\logs\WIF3.xml" type="System.Diagnostics.TextWriterTraceListener">
                <filter type="" />
              </add>
            </sharedListeners>
            <trace autoflush="true" />
          </system.diagnostics>


When I tested the sample with the latest Access Manager 4.2, I found the following issues and solutions.

    • If you have configured claimTypeRequirements with claims on the WCF service's ws2007FederationHttpBinding, the same claims have to be configured on the Access Manager side under WS-Trust -> Service Providers. Otherwise you get an unhelpful error saying that "EndElement" in the XML was reached.

    • If you are configuring issuerNameRegistry to validate tokens, you have to configure the right thumbprints. Note that the thumbprint has to be in upper case; otherwise you get the equally unhelpful error that it cannot find a key mapping for issuer "https://...".

    • To import the certificates onto whichever machine runs the WCF service, first export them from the NAM Admin Console -> Certificates. For the WS-Trust encryption certificate, export the public/private key pair: the service needs the private key to decrypt tokens. Then export the public key used for signing (IDP Cluster -> Security -> Signing); the service needs only the public half, and that is the certificate whose thumbprint goes into issuerNameRegistry. Also export the CA certificate if you are using a self-signed certificate. On the Windows machine, import with certmgr.msc: all certificates into the Personal store, and the CA certificate into Trusted Root Certification Authorities. To get the thumbprint, open the certificate and go to Details; copy the Thumbprint value, remove the spaces and capitalize the letters.
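The import and thumbprint step above, together with the check that the CN=test-encryption certificate referenced by the service's serviceCertificate element is present with its private key, as an added PowerShell example; this is not code from the original article or from NetIQ. The file names under C:\nam and the web.config path are assumptions, and the import cmdlets need the PKI module (Windows 8 / Server 2012 or later); on older systems do the import with certmgr.msc as described and run only the checks.

```powershell
# Added example (not from the original article): import the certificates the WCF
# service needs and verify the values web.config has to carry.
# Assumed file names (hypothetical), exported from the NAM Admin Console:
#   C:\nam\wstrust-encryption.pfx  encryption key pair (Certificates -> export with private key)
#   C:\nam\idp-signing.cer         IDP cluster signing certificate, public key only
#   C:\nam\nam-ca.cer              CA certificate, only needed for self-signed setups
# Assumed web.config path: C:\inetpub\Service1\Web.config

$encPfx  = 'C:\nam\wstrust-encryption.pfx'
$signCer = 'C:\nam\idp-signing.cer'
$caCer   = 'C:\nam\nam-ca.cer'
$webCfg  = 'C:\inetpub\Service1\Web.config'

# Import into the store of the account the service runs as; CurrentUser matches
# storeLocation="CurrentUser" in web.config. The CA certificate goes to Trusted Roots.
$pfxPassword = Read-Host -AsSecureString 'Password of the exported encryption key pair'
Import-PfxCertificate -FilePath $encPfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword | Out-Null
Import-Certificate    -FilePath $signCer -CertStoreLocation Cert:\CurrentUser\My | Out-Null
if (Test-Path $caCer) {
    Import-Certificate -FilePath $caCer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
}

# 1. serviceCertificate uses FindBySubjectDistinguishedName on CN=test-encryption, and the
#    service can only decrypt tokens if the private key came along with the certificate.
$enc = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=test-encryption' }
if (-not $enc)               { throw 'CN=test-encryption is not in CurrentUser\My' }
if (-not $enc.HasPrivateKey) { throw 'CN=test-encryption has no private key: export the key pair from NAM, not just the certificate' }

# 2. Thumbprint of the STS signing certificate in the form issuerNameRegistry expects:
#    SHA-1 hex, upper case, no spaces.
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $signCer
$thumb   = ($signing.Thumbprint -replace '\s', '').ToUpperInvariant()
"Signing thumbprint for issuerNameRegistry: $thumb"

# 3. Does the signing certificate chain to a trusted root? If not, the service only works
#    with certificateValidationMode="None", which is a test-only setting.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($signing)) {
    $why = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    Write-Warning "Signing certificate does not chain to a trusted root: $why"
}

# 4. Cross-check web.config: the pinned thumbprint must be this certificate, and
#    certificateValidationMode="None" should not survive past the test setup.
if (Test-Path $webCfg) {
    [xml]$cfg = Get-Content $webCfg
    $idm    = $cfg.configuration.'system.identityModel'.identityConfiguration
    $pinned = @($idm.issuerNameRegistry.authority.keys.add | ForEach-Object thumbprint)
    if ($pinned -notcontains $thumb) {
        Write-Warning "web.config pins [$($pinned -join ', ')] but the NAM signing certificate is $thumb"
    }
    if ($idm.certificateValidation.certificateValidationMode -eq 'None') {
        Write-Warning 'certificateValidationMode="None": the signing certificate chain is not validated; only the pinned thumbprint ties tokens to your STS'
    }
}
```

Run it in the same Windows account the WCF service runs under (for Visual Studio and IIS Express, your own login), since that is the CurrentUser store web.config refers to. The cross-check catches the two silent failures from the list above before you start reading WIF traces: a thumbprint pasted with spaces or in lower case, and a certificateValidation element left in after moving to a trusted signing certificate.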


