I need to secure a WCF service and have the following limitations
Can use HTTPS
Must use basicHttpBinding
Must use custom username and password. No windows domain credentials or ASPNET membership is available.
Can you please let me if/how this can be done?
Thanks
Checkout WCF example: Using of self-hosted service with SSL
Related
I'm very new to the identity management world, so please spare me. :)
What I would like to do, is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.
That way, I could use SSO for the client applications (I guess).
Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)?
I don't know if IdentityServer could help me with what I want?
And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?
Thank you for all the help. :)
I did some research myself during the last few months and I learnt a lot about the identity management stuff. Many of that also thanks to the guys from IdentityServer (and their other projects).
What I finally did was the following (very briefly):
IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication with the application with IdentityServer as provider.
As a side note, IdentityManager is used as an internal admin tool to manage all the users.
If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)
Many articles on active profile e.g. Federated Security: How to setup and call a WCF service secured by ADFS 2.0. But that article assumes you want to use AD?
I'm guessing you want to use ASP.NET Identity for the provisioning?
IdentityServer OOTB supports a SQL DB and has basic user provisioning built in. It allows users to authenticate against the DB and supports WIF.
This scenario is also close to what you need, take a look at the answers:
How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk
I also recommend reading this article:
Decouple OWIN Authorization Server from Resource Server
I have created web service and uploaded on to the server .Now I want to authenticate web service to avoid use of service by other users . How can i apply username and password to block use of service from other users?
I think you should use
[WebMethod(EnableSession=true)]
On your web method. If you are accessing from the same application.
Other wise you can ask some credential in the message body.
You can user soap Header to authenticate user.
Here is a good link
If you are working with WCF, there's an easy way to implement security using X509 certificates. Implementing a binding with security mode 'Message' and clientCredentialType 'Username' it's possible to guarantee this security in a automated way.
The validation can be made through a class wich overrides a method Validate.
How to: Use a Custom User Name and Password Validator
Building Secure Web Services
Securing Your ASP.NET Application and Web Services
OR
you can use of SOAP header to make secure your web service.
Refer below link for SOAP header example.
Authentication for Web Services (using SOAP headers)
I hope it will help you.
I will soon need to add SSO to an ASP.NET app using SAML. The client will not provide access to their Shibboleth identity provider for testing, so I'll need to verify that SSO works myself.
What would be the easiest method to use/setup a SAML identity provider for testing? I'm not keen on having to setup an infrastructure myself if I don't have to.
I'm planning on using a SAML component from http://www.componentspace.com/
If you are a SaaS Provider - Check out "Getting Ping Certified"
http://www.pingidentity.com/partners/becomeapartner.cfm
All your suggestions look quite helpful.
For others who may find this page, the ComponentSpace SAML 2.0 component comes with an Identity Provider that appears to mimic Shibboleth. This appears to be the easiest way to test adding SSO to your own application.
i'd like to recieve comments on the way i'm trying to build an asp.net web application which uses a WCF service that is hosted in another asp.net application. Both applications will live on the same machine, but the app with the WCF service will not be accessible from the outside. there will be two web servers sharing the load behind a load balancer.
The app pool of both applications will use the same local user account (web server is not part of a domain) and so i was thinking to use WsHttpBinding with windows security for communication between client and internal wcf service.
The fron-end asp.net app uses forms authentication through a custom membership/role provider to athenticate and authorize users. The user database is in a sql server database.
i need to somehow pass to the wcf service the user details (username + roles) so that in the wcf it will be possible to validate and authorize according to the roles of who is logged in the front-end. I read i need to use "support tokens", but i haven't figured out how to use this.
I read also something about claims and WIF, which seems interesting but have no idea how i could use these in my scenario.
is there anyone who can give me recommendations about the architecture and maybe also show me how to pass the username to the wcf service and also show me if possible to use claims based authorization?
First of all, if both servers are behind the corporate firewall on a corporate LAN, I would strongly suggest using netTcpBinding instead of any http based binding. NetTcpBinding is much faster due to encoding the message in a binary format.
As for username / password: your ASP.NET front-end server could set the client credentials for the user calling for the WCF service - after all, the ASP.NET servers do have access to the ASP.NET membership database, don't they?
Or if you cannot pass on the user's credentials, you could pass on some headers to your WCF service that would describe the user - actually, you probably only ever need the user's unique ID - since the WCF service could fish out the rest of the info from the ASP.NET user database again, if really needed.
As for claims - I don't think they'd be a good idea here - you don't really have to deal with a multitude of different authorization schemes, and you're not using any federation (e.g. allowing users from a different company or domain to use your services) - so those obvious benefits probably won't really be applicable to your case.
My scenario is this - I have two ASP.net websites. Both sites run on the same machine and I have implemented single sign on relatively simply using the default asp.net membership provider (Forms based authentication).
I have a new WCF service on one site, which will be called from the other site. A user will be logged into the site, but the call to the service will be made from the codebehind following a postback.
Can somebody point me in the right direction so that I can pass through the Forms based credentials of the logged in user to the WCF service on the other site? Presently it's passing the NETWORKSERVICE windows credentials.
Check out the WCF Security Guidance on CodePlex, and most notably:
How To – Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF from Windows Forms
It shows quite nicely, step by step, what config you need on the server to make your WCF service use message security with user authentication against an ASP.NET membership store.
Also check out the article Fundamentals of WCF Security - page 3 shows the options about authentication and authorization - quite informative as well!
Hope this helps!
Sounds like you're after Impersonation, which would allow you to pass on the original caller's identity to the second service call.
See the CodePlex Link - Impersonation in WCF