This article provides the steps for configuring a Windows WCF web service application and a WCF client application to authenticate against, and accept tokens from, the NetIQ Access Manager WS-Trust STS.
We will have a web service exposed through the .NET WCF framework, configured to authorize users based on tokens issued by a trusted STS, and a .NET client that accesses this WCF service. Both the service and the client will be configured to accept tokens from the NetIQ Access Manager WS-Trust STS.
This article assumes you have the following software installed.
This step is optional if you already have a working WCF Service and Client.
You now have two projects. The service project contains Web.config and the client project contains App.config. The next sections modify these files to enable claims-based authentication and to accept claims from NetIQ Access Manager.
If you already have a WCF service application and a client application, edit <your-application-name>.exe.config for the client and web.config for the WCF service.
<serviceCredentials useIdentityConfiguration="true">
<serviceCertificate findValue="CN=test-encryption" storeLocation="CurrentUser"
storeName="My" x509FindType="FindBySubjectDistinguishedName" />
<issuedTokenAuthentication trustedStoreLocation="CurrentUser" />
</serviceCredentials>
<add scheme="http" binding="ws2007FederationHttpBinding" />
<bindings>
<ws2007FederationHttpBinding>
<binding name="nambinding">
<security mode="Message" >
<message establishSecurityContext="false" issuedKeyType="SymmetricKey"
negotiateServiceCredential="false" algorithmSuite="Default" >
<issuerMetadata address="https://<your_idp_domain>:8443/nidp/wstrust/sts/mex" />
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="http://localhost:64828/Service1.svc" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="https://namtest.com:8443/nidp/wstrust/sts">
<keys>
<add thumbprint="36EEE409D410EEC004C2A6680D6B745127381ED8" />
</keys>
<validIssuers>
<add name="https://<your idp domain>:8443/nidp/wstrust/sts" />
</validIssuers>
</authority>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
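The service configuration above sets certificateValidationMode="None", so the chain of the STS signing certificate is not checked; the only thing that stops a token signed by some other certificate from being accepted is the thumbprint list under issuerNameRegistry. The following is an added example, not code from the original article or from NetIQ, that does the same pinning in code by subclassing IssuerNameRegistry. The thumbprint, issuer URI and namespace are placeholders taken from the configuration above and must be replaced with your own; register the class with `<issuerNameRegistry type="WcfService1.PinnedIssuerNameRegistry, WcfService1" />` in place of the configuration-based registry.

```csharp
// Added example (not from the original article): a code-based replacement for the
// issuerNameRegistry fragment above. It pins the NetIQ Access Manager STS signing
// certificate by thumbprint and refuses any token signed by another certificate.
// Assumed values: the thumbprint, issuer URI and namespace below are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace WcfService1
{
    public class PinnedIssuerNameRegistry : IssuerNameRegistry
    {
        // SHA-1 thumbprint of the STS signing certificate (as shown in certmgr,
        // upper-case, no spaces) -> issuer name returned to the token handler.
        // Rotate this entry together with the STS signing certificate.
        private static readonly Dictionary<string, string> TrustedSigners =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "36EEE409D410EEC004C2A6680D6B745127381ED8",
                  "https://namtest.com:8443/nidp/wstrust/sts" }
            };

        public override string GetIssuerName(SecurityToken securityToken)
        {
            var x509 = securityToken as X509SecurityToken;
            if (x509 == null)
            {
                // Anything not signed with an X.509 certificate cannot be our STS.
                throw new SecurityTokenException(
                    "Token was not signed with an X.509 certificate.");
            }

            // With certificateValidationMode="None" nothing else checks this
            // certificate, so the thumbprint comparison is the trust decision.
            string issuer;
            if (TrustedSigners.TryGetValue(x509.Certificate.Thumbprint, out issuer))
            {
                return issuer;
            }

            // Returning null would also reject the token, but an explicit exception
            // gives a clear entry in the WIF trace when troubleshooting.
            throw new SecurityTokenException(
                "Untrusted token signing certificate: " + x509.Certificate.Thumbprint);
        }
    }
}
```

The configuration-based ValidatingIssuerNameRegistry used on this page performs the same thumbprint check; the code form is useful when the trusted thumbprints come from a key vault or have to be rotated without editing web.config. Either way, keep the list to the current STS signing certificate only.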
Now you can run your service. If you are following along in Visual Studio, right-click the project and click "View in Browser". This starts the application and you should see a page without errors. You should be able to reach the WSDL of the WCF service at http://localhost:65520/Service1.svc?wsdl; verify that it contains an <sp:IssuedToken> element, which shows that the federation binding is in effect. Also make sure the value under <audienceUris> in the service configuration is exactly the address the service is listening on, including the port Visual Studio assigned, because a token whose AppliesTo audience does not match that value is rejected.
<client>
<endpoint address="http://localhost:65520/Service1.svc" binding="ws2007FederationHttpBinding"
bindingConfiguration="WS2007FederationHttpBinding_IService1"
contract="ServiceReference1.IService1" name="WS2007FederationHttpBinding_IService1">
<identity>
<certificate encodedValue="AwAAAAE......xax1RRRSU" />
</identity>
</endpoint>
</client>
<ws2007FederationHttpBinding>
<binding name="WS2007FederationHttpBinding_IService1">
<security>
<message establishSecurityContext="false" negotiateServiceCredential="false">
<issuer address="http://schemas.microsoft.com/2005/12/ServiceModel/Addressing/Anonymous" />
<issuerMetadata address="https://namtest.com:8443/nidp/wstrust/sts" />
<tokenRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</trust:SecondaryParameters>
</tokenRequestParameters>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding name="unamepwdBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" establishSecurityContext="false" ></message>
</security></binding>
</ws2007HttpBinding>
binding="ws2007HttpBinding"
bindingConfiguration="unamepwdBinding"
Now you can run the application and you should see an output "10".
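The unamepwdBinding above makes the client authenticate to the NAM STS with a username and password, so the client has to supply those credentials before the federation binding sends its RequestSecurityToken. The following is an added example, not code from the original article or from NetIQ, of a console client that does this. It assumes the proxy generated by "Add Service Reference" (ServiceReference1.Service1Client with a GetData(int) operation, as in the Visual Studio WCF template), the endpoint name WS2007FederationHttpBinding_IService1 from the client configuration above, and credentials read from the environment variables NAM_USER and NAM_PASSWORD (names chosen for this example).

```csharp
// Added example (not from the original article): supplying the STS credentials
// that the "unamepwdBinding" issuer binding sends to NetIQ Access Manager, then
// calling the service. Assumptions: the generated proxy ServiceReference1.Service1Client,
// the endpoint name from the client configuration, and the NAM_USER / NAM_PASSWORD
// environment variables.
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace WcfClient
{
    class Program
    {
        static void Main()
        {
            // Never hard-code the STS password in App.config or source; read it from
            // a protected source at run time.
            string user = Environment.GetEnvironmentVariable("NAM_USER");
            string pass = Environment.GetEnvironmentVariable("NAM_PASSWORD");
            if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
            {
                Console.Error.WriteLine("Set NAM_USER and NAM_PASSWORD before running.");
                return;
            }

            var client = new ServiceReference1.Service1Client(
                "WS2007FederationHttpBinding_IService1");

            // The federation binding uses these credentials on the issuer channel only:
            // they travel to the STS over TLS (TransportWithMessageCredential) and are
            // never sent to the WCF service, which sees the issued token instead.
            client.ClientCredentials.UserName.UserName = user;
            client.ClientCredentials.UserName.Password = pass;

            try
            {
                Console.WriteLine(client.GetData(5));
                client.Close();
            }
            catch (MessageSecurityException ex)
            {
                // Raised when the STS rejects the credentials or the service rejects
                // the token (audience mismatch, untrusted signing certificate, clock skew).
                Console.Error.WriteLine("Security failure: " + ex.Message);
                client.Abort();
            }
            catch (FaultException ex)
            {
                Console.Error.WriteLine("Service fault: " + ex.Message);
                client.Abort();
            }
        }
    }
}
```

A MessageSecurityException from this client is the point at which the packet capture and trace settings in the troubleshooting section below become useful, since the exception message alone rarely says whether the STS or the service refused the exchange.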
The following steps explain how to configure NetIQ Access Manager to issue tokens for the above created WCF Service.
1. Take a packet capture and verify that a well-formed RequestSecurityToken is exchanged between the client and the NAM STS, and that the flow between the client and the WCF service carries the issued token.
2. If you are not getting a token, enable debug logging in the NIDP of NetIQ Access Manager and follow catalina.out.
3. If the token is not accepted by the WCF service,
<system.diagnostics>
<diagnostics>
<messageLogging
logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtServiceLevel="false"
logMessagesAtTransportLevel="true"
maxMessagesToLog="2147483647"
maxSizeOfMessageToLog="2147483647"
/>
<endToEndTracing propagateActivity="true" activityTracing="true"
messageFlowTracing="true" />
</diagnostics>
<sources>
<source name="System.IdentityModel" switchValue="Verbose">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="wif">
<filter type="" />
</add>
</listeners>
</source>
<source logKnownPii="false" name="System.ServiceModel.MessageLogging"
switchValue="Verbose">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="wcf">
<filter type="" />
</add>
</listeners>
</source>
<source propagateActivity="true" name="System.ServiceModel" switchValue="Warning, ActivityTracing">
<listeners>
<add type="System.Diagnostics.DefaultTraceListener" name="Default">
<filter type="" />
</add>
<add name="wcf">
<filter type="" />
</add>
</listeners>
</source>
</sources>
<sharedListeners>
<add initializeData="C:\logs\WCF3.xml" type="System.Diagnostics.TextWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="wcf">
<filter type="" />
</add>
<add initializeData="C:\logs\WIF3.xml" type="System.Diagnostics.TextWriterTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
name="wif">
<filter type="" />
</add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
The messageLogging settings above write every SOAP envelope, including the issued security tokens and, in the client, the credentials sent to the STS, to the files under C:\logs. Use them only while troubleshooting, protect that directory, and remove them (or at least set logEntireMessage="false") before the application goes to production.
When I tested the sample with the latest Access Manager 4.2, I found the following issues and solutions.