WCF: Centralized authentication over binary bindings
I needed to (well, the nerd in me wanted to) centralize authentication to our SOA farm using an STS (Security Token Service). But since all our services are in-house and 95% of clients of those services are also in-house, we wanted to use binary bindings (TCP and Named Pipes). The only out-of-the-box binding that supports STS authentication is wsFederationHttpBinding, but that is obviously not a binary binding.
So I asked one of the leading authorities on WCF for help (Michele Leroux Bustamante), and she replied with this:
“You can create a custom binding that does federation over TCP. An example of such a binding is:

    <customBinding>
      <binding name="netTcpBindingIssuedToken">
        <security authenticationMode="IssuedTokenOverTransport">
          <issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                                 keyType="SymmetricKey" keySize="256">
            <issuer address="http://localhost/STS/service.svc" />
          </issuedTokenParameters>
        </security>
        <binaryMessageEncoding />
        <sslStreamSecurity />
        <tcpTransport />
      </binding>
    </customBinding>
”
Since I had absolutely no experience with custom bindings, I started googling. Not so helpful, it turns out. So I bought her book. Very helpful. Not only does it give a good explanation of custom bindings, it also gives excellent insight into security and exception handling, which I (after reading her book) realized weren’t my strongest areas.
So, to conclude: federated security over binary bindings is definitely possible, but if you are fairly new to this whole WCF thing, pick up a copy of “Learning WCF – A hands on guide”. You won’t regret it; it’s a very extensive but easily read book.
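For completeness, here is an added example (my own, not from the post above or from Michele’s reply) of the service-side wiring that the custom binding needs: the endpoint that references it, a service certificate for sslStreamSecurity, and an issuedTokenAuthentication section so the service only accepts SAML tokens signed by the STS’s known certificate. The service and contract names, the address and the certificate subject names are assumptions.

```xml
<!-- Added example, not from the original post. The binding
     "netTcpBindingIssuedToken" is the one quoted above; names,
     address and certificate subjects are placeholders. -->
<system.serviceModel>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="issuedTokenBehavior">
      <endpoint address="net.tcp://localhost:9000/OrderService"
                binding="customBinding"
                bindingConfiguration="netTcpBindingIssuedToken"
                contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="issuedTokenBehavior">
        <serviceCredentials>
          <!-- Certificate the service presents on the SSL-protected TCP stream. -->
          <serviceCertificate findValue="CN=OrderService"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- Only tokens signed by a listed STS certificate are accepted;
               allowUntrustedRsaIssuers="false" rejects tokens signed with
               an arbitrary RSA key that is not in knownCertificates. -->
          <issuedTokenAuthentication allowUntrustedRsaIssuers="false"
                                     certificateValidationMode="ChainTrust">
            <knownCertificates>
              <add findValue="CN=STS" storeLocation="LocalMachine"
                   storeName="TrustedPeople"
                   x509FindType="FindBySubjectDistinguishedName" />
            </knownCertificates>
          </issuedTokenAuthentication>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Without the knownCertificates entry the service has no way to tell a token minted by your STS from one minted by anyone else, so that part is the piece to check first when the setup “works” a little too easily.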