DCSIMG
November 2011 - Posts - Manu Cohen-Yashar's Blog

Manu Cohen-Yashar's Blog

November 2011 - Posts

Why Windows Server AppFabric Monitoring does not work

I wanted to demonstrate how Windows Server AppFabric Monitoring works for WCF services, but when I called my services I did not see any recording of any WCF call. Why? 
It took me some time to find the problem. To make the story short. AppFabric monitoring relies on SQL Agent.

WCF event are written to a database that is set when we configure AppFabric Hosting Service.

image

image

This information is written to the "ApplicationServerMonitoringConnectionString" connection string in the root web.config of the server

When the system is working properly, WCF events are written to the ASStagingTable table in the monitoring database and then move into the ASWcfEvents view. For SQL Express, this will happen using the SQL Broker. For other SQL Server products, the SQL Agent is responsible for moving the events. So if you want AppFabric monitoring to work the broker must enabled for SqlExpress and the SQL Agent must be running for other SQL servers.

A found I great document for troubleshooting Windows Server AppFabric here.

Hope this helps

Manu

Posted: Nov 30 2011, 04:00 PM by Manu Cohen-Yashar | with no comments
תגים:

Windows SDK 1.6 was released

Windows Azure SDK 1.6 was released a couple of days ago - it's the November release. It includes updates to the Windows Azure Tools for Visual Studio 2010 and Windows Azure Libraries for .NET, in addition to other fixes and performance improvements.

The entire Windows Azure SDK 1.6 is available for download. The Windows Azure Tools for Visual Studio 2010 can be obtained separately via the Web Platform Installer.

The objective with this update to the tools for Visual Studio 2010 is to make it possible for developers to manage all aspects of application creation and deployment from within Visual Studio, rather than having to create services, manage configuration and multiple environments from the Azure developer portal. Some features this release include:

  • Improved In-Place Updates
  • Multiple profile support (publish settings, cloud configuration and build configuration will all be stored in MSBuild files)
  • Ability to create hosted services and Azure storage accounts from within Visual Studio
  • Publishing improvements (developers can use a publish settings file rather than having to connect to the Windows Azure portal)
  • More verbose Activity Logs
  • Streamlined Remote Desktop connectivity (no need to upload a certificate)
  • Ability to use multiple Windows Azure Subscriptions
  • Team Build supports command-line application packaging

In addition to the Visual Studio Tools, the SDK includes updates to the Windows Azure Compute and Storage Emulators and the Windows Azure Libraries for .NET 1.6. Service Bus and caching client libraries have been updated and no longer require separate installation (this was previously known as the Windows Azure AppFabric SDK).

The November release also adds modules for working with the new Windows Azure HPC Scheduler SDK.

Manu

Posted: Nov 23 2011, 03:34 PM by Manu Cohen-Yashar | with 1 comment(s)
תגים:

Securing AppFabric Service bus with ACS

I was working with a customer that wanted to use AppFabric Topics to push notifications to clients. as We all know anyone who wants to listen or send messages using service bus has to authenticate first. Traditionally authentication to the service bus was done by presenting a secret key before a connection was established.It is reasonable to put the secret key in a software package deployed on a server (Some can argue with that and say it is a security violation) but providing the key to numerous clients? This is a true security breach.

So How can we make clients listen on the service bus without having to provide them with our secret key?

Access Control Service is the solution.
The new version of Service bus which was released few weeks ago uses ACS to federate its authentication. We can use ACS to create new identities or federate with other identity providers so the actual user can use its own credentials to get a token that can be used against service bus. We can assign different permissions to the service bus users. It is possible to give listen, send, and manage permissions so we can make sure that users can execute only the actions we allow them to.

How do we set this?

Well for each service bus namespace (such as "manublog") a twin namespace (e.g. "manublog-sb") is created in ACS.
Let us open the management portal for service bus and select out namespace. By pressing on the Access Control Service button the portal of ACS for the twin namespace will be opened.

image

image

here we can register other identity providers that we want to federate with (such as a custom STS or ADFS 2.0)

In the relying party section we register the uri of the service bus resource we want to expose to our user. For example a queue a topic or a relay service (e.g. http://manublog.servicebus.windows.net/mytopic/subscriptions/manu)

In the rule group section we add rules that will be used to create a claim of type "net.windows.servicebus.action" with the value "Listen or Send or Manage".

In the portal we will find a definition of a relying party referencing the root of our service bus namespace. we can reference that as an example for defining new relying parties.

image

In the namespace there are existing rules for the super user "owner" that have full access to the entire namespace. we can reference these rules as examples for creating new ones. 

image

In the portal we will find the definition of the super user "owner"
We can reference this as an example for our new identities definition.

image

Clemens Vasters recorded a great video describing all these capabilities in details. I strongly recommend to watch it.

To summarize

ACS is now integrated with AppFabric Service bus. This allows us to have full control who will use our communication channels implemented in service bus without exposing our secrets.

Enjoy

Manu

Posted: Nov 23 2011, 02:31 PM by Manu Cohen-Yashar | with 1 comment(s)
תגים:, ,

Using AppFabric Azure Topics

Recently the AppFabric team released real pub-sub capabilities with the new queues and topics features.

Queues are simple. AppFabric provides a queue for durable messaging between senders and receivers. Topics are interesting because they allows to create different subscriptions so different clients can receive only the messages they need.

To demonstrate how to use topics I created two helper classes: Senders and Receiver that will send and receive messages using AppFabric Topics.

Sender
  1. /// <summary>
  2.     /// Send messages to AppFabric Topic
  3.     /// </summary>
  4.     /// <typeparam name="T"></typeparam>
  5.     public class ServiceBusSender<T> : IBrokeredMessageSender<T>
  6.     {
  7.         private string m_ServiceNamespace;
  8.         private string m_IssuerName;
  9.         private string m_IssuerKey;
  10.         private Uri m_serviceUri;
  11.         private TokenProvider m_tokenProvider;
  12.         private TopicDescription m_topicDescriptor;
  13.  
  14.         /// <summary>
  15.         /// Constructor
  16.         /// </summary>
  17.         /// <param name="topicName">The name of the topic to use</param>
  18.         public ServiceBusSender(string topicName)
  19.         {
  20.             m_ServiceNamespace = ServiceBusConfigurationAccessor.AppFabricServiceNamespace;
  21.             m_IssuerName = ServiceBusConfigurationAccessor.AppFabricIssuerName;
  22.             m_IssuerKey = ServiceBusConfigurationAccessor.AppFabricIssuerKey;
  23.  
  24.             m_tokenProvider = TokenProvider.CreateSharedSecretTokenProvider(m_IssuerName, m_IssuerKey);
  25.             m_serviceUri = ServiceBusEnvironment.CreateServiceUri("sb", m_ServiceNamespace, string.Empty);
  26.             NamespaceManager namespaceManager = new NamespaceManager(m_serviceUri, m_tokenProvider);
  27.  
  28.             if (!namespaceManager.TopicExists(topicName))
  29.                 m_topicDescriptor = namespaceManager.CreateTopic(topicName);
  30.             else
  31.                 m_topicDescriptor = namespaceManager.GetTopic(topicName);
  32.            
  33.         }      
  34.  
  35.         /// <summary>
  36.         /// Send a message to the topic
  37.         /// </summary>
  38.         /// <param name="messageContent"></param>
  39.         public void SendMessage(T messageContent)
  40.         {
  41.             Contract.Requires(messageContent != null);
  42.  
  43.             MessagingFactory factory = MessagingFactory.Create(m_serviceUri, m_tokenProvider);
  44.             TopicClient myTopicClient = factory.CreateTopicClient(m_topicDescriptor.Path);
  45.             BrokeredMessage message = new BrokeredMessage(messageContent);
  46.  
  47.             //All the message's properties are propagated so they can be used in a Sql Filter
  48.             foreach (var prop in typeof(T).GetProperties())
  49.             {
  50.                 message.Properties.Add(prop.Name, prop.GetValue(messageContent, null));
  51.             }
  52.  
  53.             myTopicClient.Send(message);
  54.             myTopicClient.Close();
  55.         }
  56.  
  57.     }

As you can see the sender creates the topic (if it does not exist already). A messaging factory to create a client that can send messages to the topic. For that we need to supply the credentials for our namespace when we create the factory. To send a message to the topic we have to wrap our data in a BrokeredMessage. One of the capabilities we gain when doing that is properties propagation. A propagated property can participate a sql-like rule for filtering messages (will be defined by the client's subscription). In this sender we propagate all the properties. In real life you might choose to propagate only a the properties that participate in filtering because propagation costs.

Receiver
  1. /// <summary>
  2.     /// Listen on an AppFabric service bus topic. One receiver can listen on multiple subscriptions
  3.     /// </summary>
  4.     /// <typeparam name="T"></typeparam>
  5.     public class ServiceBusReceiver<T> : IBrokeredMessageReceiver<T>
  6.     {
  7.         private string m_ServiceNamespace;
  8.         private string m_IssuerName;
  9.         private string m_IssuerKey;
  10.         private Dictionary<string, SubscriptionClient> m_subscriptions;
  11.         private MessagingFactory m_factory;
  12.         private Uri m_serviceUri;
  13.         private TokenProvider m_tokenProvider;
  14.  
  15.         /// <summary>
  16.         /// The name of the topic to use
  17.         /// </summary>
  18.         public string TopicName { get; set; }
  19.    
  20.    
  21.         /// <summary>
  22.         /// Constructor
  23.         /// </summary>
  24.         /// <param name="topicName">The name of the topic to listen to</param>
  25.         public ServiceBusReceiver(string topicName)
  26.         {
  27.             m_subscriptions = new Dictionary<string, SubscriptionClient>();
  28.             m_ServiceNamespace = ServiceBusConfigurationAccessor.AppFabricServiceNamespace;
  29.             m_IssuerName = ServiceBusConfigurationAccessor.AppFabricIssuerName;
  30.             m_IssuerKey = ServiceBusConfigurationAccessor.AppFabricIssuerKey;
  31.             m_tokenProvider = TokenProvider.CreateSharedSecretTokenProvider(m_IssuerName, m_IssuerKey);
  32.             m_serviceUri = ServiceBusEnvironment.CreateServiceUri("sb", m_ServiceNamespace, string.Empty);
  33.             m_factory = MessagingFactory.Create(m_serviceUri, m_tokenProvider);
  34.             TopicName = topicName;
  35.         }
  36.  
  37.         /// <summary>
  38.         /// Create a new subscription
  39.         /// </summary>
  40.         /// <param name="subscriptionName">The name of the subscription to create</param>
  41.         /// <param name="filter">filter to use for filtering messages</param>
  42.         public void InitSubscription(string subscriptionName, Filter filter=null)
  43.         {
  44.             Contract.Requires(!string.IsNullOrEmpty(subscriptionName));
  45.             Contract.Requires(!string.IsNullOrEmpty(TopicName), "Topic name must be provided. Use the receiver's TopicName property");
  46.                        
  47.             var namespaceManager = new NamespaceManager(m_serviceUri, m_tokenProvider);
  48.            
  49.             if (!namespaceManager.TopicExists(TopicName))           
  50.                 namespaceManager.CreateTopic(TopicName);
  51.  
  52.             if (!namespaceManager.SubscriptionExists(TopicName, subscriptionName))
  53.             {
  54.                 filter = (filter == null) ? new TrueFilter() : filter;                    
  55.                 namespaceManager.CreateSubscription(TopicName, subscriptionName, filter);               
  56.             }
  57.             
  58.             if (!m_subscriptions.ContainsKey(subscriptionName))
  59.                 m_subscriptions.Add(subscriptionName, m_factory.CreateSubscriptionClient(TopicName, subscriptionName, ReceiveMode.ReceiveAndDelete));
  60.         }
  61.  
  62.         /// <summary>
  63.         /// Delete a new subscription from the topic
  64.         /// </summary>
  65.         /// <param name="subscriptionName">The name of the subscription to delete</param>
  66.         public void DeleteSubscription(string subscriptionName)
  67.         {
  68.             Contract.Requires(!string.IsNullOrEmpty(subscriptionName));
  69.             Contract.Requires(!string.IsNullOrEmpty(TopicName), "Topic name must be provided. Use the receiver's TopicName property");
  70.  
  71.  
  72.             var namespaceManager = new NamespaceManager(m_serviceUri, m_tokenProvider);
  73.             if (namespaceManager.TopicExists(TopicName) && namespaceManager.SubscriptionExists(TopicName, subscriptionName))
  74.                 namespaceManager.DeleteSubscription(TopicName, subscriptionName);
  75.         }
  76.  
  77.  
  78.         /// <summary>
  79.         /// Start listening on a subscription
  80.         /// </summary>
  81.         /// <param name="subscriptionName">The name of the subscription to listen to</param>
  82.         /// <param name="processMessage">A function to trigger for each comming message</param>
  83.         public void ReceiveMessages(string subscriptionName, Action<T> processMessage)
  84.         {
  85.             Contract.Requires(!string.IsNullOrEmpty(subscriptionName));
  86.             Contract.Requires(m_subscriptions.ContainsKey(subscriptionName));
  87.  
  88.             try
  89.             {
  90.                 Task.Factory.StartNew(() =>
  91.                 {
  92.                     while (m_subscriptions.ContainsKey(subscriptionName))
  93.                     {
  94.                         BrokeredMessage message;
  95.                         while ((message = m_subscriptions[subscriptionName].Receive(TimeSpan.FromSeconds(5))) != null)
  96.                         {
  97.                             processMessage(message.GetBody<T>());
  98.                         }
  99.                     }
  100.                 });
  101.             }
  102.             catch (Exception ex)
  103.             {
  104.                 // Log this
  105.                 throw;
  106.             }
  107.             
  108.         }
  109.  
  110.  
  111.         /// <summary>
  112.         /// Stop Listening on a subscription and delete it from the current subscriptions list
  113.         /// </summary>
  114.         /// <param name="subscriptionName">The name of the subscription</param>
  115.         public void StopReceiveNessages(string subscriptionName)
  116.         {
  117.             if (!m_subscriptions.ContainsKey(subscriptionName))
  118.                 return;
  119.  
  120.             var subscriptionClient = m_subscriptions[subscriptionName];
  121.  
  122.             if ((subscriptionClient != null) && (!subscriptionClient.IsClosed))
  123.                 subscriptionClient.Close();
  124.  
  125.             subscriptionClient = null;
  126.             m_subscriptions.Remove(subscriptionName);
  127.         }
  128.  
  129.     
  130.     }

The receiver can handle a collection of subscriptions. (Use InitSubscription to create one).
After a subscription is created call ReceiveMessages and provide a method to run for each message received. The receiver will constantly pool the topic and wait for a message as long as the subscription exist. When a message arrives it will extract the data object out of the brokered message at trigger the method you provided on the data.

The following test demonstrate how to use the sender and receiver.

Code Snippet
  1. [TestMethod]
  2.         public void ServiceBusSenderAndReceiverTest()
  3.         {
  4.             var sender = new ServiceBusSender<TestMessage>("testTopic");
  5.             var receiver = new ServiceBusReceiver<TestMessage>("testTopic");
  6.             var finished = new AutoResetEvent(false);            
  7.  
  8.             receiver.InitSubscription("testSubscription");
  9.             receiver.ReceiveMessages("testSubscription",
  10.                 (msg) => { Assert.AreEqual(39, msg.Age); Assert.AreEqual("manu", msg.Name); finished.Set(); });
  11.             sender.SendMessage(new TestMessage() { Name = "manu", Age = 39 });               
  12.  
  13.             finished.WaitOne();
  14.             receiver.DeleteSubscription("testSubscription");
  15.         }


Enjoy

Manu

Posted: Nov 17 2011, 03:54 PM by Manu Cohen-Yashar | with no comments
תגים:,

Dynamic metadata for custom STS

Security Token Services (STS) expose metadata in a special metadata files. Usually the file is exposed to the web in the address baseStsAddress/FederationMetadata/2007-06/FederationMetadata.xml  so typical customers can download the file and fetch the information required to use the STS.

The metadata file contain information about the endpoints exposed, the claims the STS can produce, the signing key and algorithms.
Producing the metadata file is not trivial this is why we do not want to do this manually each time something changes in our custom STS. So instead of creating a real (static) metadata file we will create a mechanism that will produce the metadata file automatically each time someone will request it.

The best approach to do that is simply to create a custom Http handler that will do the job.
So lets do it…





Code Snippet




    

  1. /// <summary>
    2. 

  2.     /// Handler to dynamicaly create the federation metadata document
    3. 

  3.     /// </summary>
    4. 

  4.     public class FederationMetadataHandler : IHttpHandler    
    5. 

  5.     {        
    6. 

  6.         public void ProcessRequest(HttpContext context)        
    7. 

  7.         {            
    8. 

  8.             context.Response.ClearHeaders();             
    9. 

  9.             context.Response.Clear();            
    10. 

  10.             context.Response.ContentType = "text/xml";
    11. 

  11.             CustomSecurityTokenServiceConfiguration.Current.SerializeMetadata(context.Response.OutputStream);        
    12. 

  12.         }         
    13. 

  13.         public bool IsReusable { get { return false; } }    
    14. 

  14.     }
    15.

Inside the CustomSecurityTokenConfiguration (see how to create a custom STS) let us add the following methods.

Code Snippet
  1. /// <summary>
  2.         /// Create the metadata document for this STS
  3.         /// </summary>
  4.         /// <param name="stream"></param>
  5.         public void SerializeMetadata(Stream stream)
  6.         {
  7.             var context = HttpContext.Current;
  8.             var baseUri = new Uri(new Uri(context.Request.Url.AbsoluteUri), context.Request.ApplicationPath);
  9.  
  10.             if (entity == null)
  11.                 entity = GenerateEntities(baseUri.AbsoluteUri);
  12.  
  13.             context.Response.ContentEncoding = Encoding.UTF8;
  14.             context.Response.ContentType = "text/xml";
  15.             context.Response.ContentEncoding = Encoding.UTF8;
  16.             var ser = new MetadataSerializer();
  17.             ser.WriteMetadata(context.Response.OutputStream, entity);           
  18.         }
  19.  
  20.         private EntityDescriptor GenerateEntities(string baseUri)
  21.         {
  22.            
  23.             SecurityTokenServiceDescriptor sts = GetTokenServiceDescriptor(baseUri);
  24.             FillOfferedClaimTypes(sts.ClaimTypesOffered);            
  25.             FillSupportedProtocols(sts);
  26.  
  27.             var entity = new EntityDescriptor(new EntityId(string.Format("{0}/activeSTS.svc", baseUri))) { SigningCredentials = this.SigningCredentials };
  28.             entity.RoleDescriptors.Add(sts);
  29.             return entity;
  30.         }
  31.  
  32.  
  33.         private SecurityTokenServiceDescriptor GetTokenServiceDescriptor(string baseUri)
  34.         {           
  35.             var tokenService = new SecurityTokenServiceDescriptor();
  36.             tokenService.ServiceDescription = "NiceSTS";
  37.  
  38.             KeyDescriptor signingKey = new KeyDescriptor(this.SigningCredentials.SigningKeyIdentifier) { Use = KeyType.Signing };
  39.             tokenService.Keys.Add(signingKey);          
  40.  
  41.             EndpointAddress activeEndpoint = new EndpointAddress(string.Format("{0}/activeSTS.svc", baseUri));
  42.             tokenService.SecurityTokenServiceEndpoints.Add(activeEndpoint);
  43.             tokenService.TargetScopes.Add(activeEndpoint);          
  44.  
  45.             return tokenService;
  46.         }
  47.  
  48.  
  49.         private void FillSigningKey(SecurityTokenServiceDescriptor sts)
  50.         {
  51.             KeyDescriptor signingKey = new KeyDescriptor(this.SigningCredentials.SigningKeyIdentifier) { Use = KeyType.Signing };
  52.             sts.Keys.Add(signingKey);
  53.         }
  54.  
  55.         private void FillSupportedProtocols(SecurityTokenServiceDescriptor sts)
  56.         {
  57.             sts.ProtocolsSupported.Add(new System.Uri(WSFederationConstants.Namespace));
  58.         }
  59.         
  60.                
  61.         private void FillOfferedClaimTypes(ICollection<DisplayClaim> claimTypes)
  62.         {
  63.             claimTypes.Add(new DisplayClaim(WSIdentityConstants.ClaimTypes.Name, "Name", ""));
  64.             claimTypes.Add(new DisplayClaim(NICE.CustomSTS.ClaimTypes.TenantId, "TenantId", ""));
  65.             claimTypes.Add(new DisplayClaim(Microsoft.IdentityModel.Claims.ClaimTypes.Role, "Role", ""));             
  66.         }

Now we need to attach the custom handler and we are done.

 <location path="FederationMetadata/2007-06">
    <system.webServer>
      <handlers>
        <add  name="MetadataGenerator"  path="FederationMetadata.xml"   
              verb="GET" type="MyCustomSTS.FederationMetadataHandler" />
      </handlers>
    </system.webServer>
    <system.web>
      <!--<customErrors mode="Off"/>-->
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Hope this helps

Manu

Posted: Nov 16 2011, 10:35 PM by Manu Cohen-Yashar | with 1 comment(s)

Disable SSL Certificate Negotiation Validation

SSL is required for a growing number of scenarios yet a public certificate which is produced by a trusted certificate authority is not always available. In such scenarios we use self signed certificates. The problems with these certificates is that all certificate validation mechanisms will fail. To overcome that we need to do the following:

1. Disable WCF certificate validation

      <endpointBehaviors>
        <behavior name="clientBehavior">
          <clientCredentials>
            <serviceCertificate>
              <authentication certificateValidationMode="None"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>

2. Disable Http certificate validation

 ServicePointManager.ServerCertificateValidationCallback =
     new RemoteCertificateValidationCallback(delegate  { return true;  });

3. Make sure that the domain name (of the site or service we call) and the certificate name that power the SSL channel must match.

Hope this helps

Manu

Posted: Nov 16 2011, 02:24 PM by Manu Cohen-Yashar | with 1 comment(s)

Convert SAML token to SWT token using ACS

In Claim based applications we use token to provide the application (Relying party) with details (a collection of claims) about the the authenticated identity.

In ASP.net web sites and WCF SOAP services SAML tokens are used as a container for the claims. SAML is a standard that describe how token and claims are constructed and how they are cryptographically protected using digital signature and encryption. SAML tokens are powerful yet they are large. The size of the token is not a real issue in ASP.Net web sites as well as in SOAP WCF services but for REST web services it is a problem.

The solution is a simpler and shorter token called SWT token (Simple Web Token). SWT is a simple header we attach to the http request sent to our REST service. The header contains a set of key value pairs. Of course SWT have a format we need to follow. It is protected with SHA256 HMACs and follow the spec that can be found here.

Constructing the token is not complicated but it is tedious. AppFabric Access Control Service can help here. It can transform SAML tokens to SWT tokens or create brand new SWT tokens for users it manages. (see the following sample)

To transform SAML tokens to SWT tokens we first need to get a SAML token. To do that we need to build a custom STS or a use ADFS 2.0. (In future posts I will not describe how to build a custom STS.)

Now we need to go to the ACS portal and create a configuration for our application.
we have to create a namespace for access control service if we haven't done that previously and then press "access control service"

image

Now we define an Identity provider (our custom STS that produce SAML tokens), a relying party (our application) for which we define that we want to generate SWT tokens, 

image

and finally we define rule groups that defines how to construct the SWT token based on the information provided by the SAML token provided.

Now our application needs to call the custom STS and retrieve the SAML Token.

 /// <summary>
 /// Call an STS and get a SAML Token
 /// </summary>
 // <param name="stsAddress">The name of the sts that generates the SAML token</param>
 /// <param name="acsStsAddress">The ACS endpoint that will accept the SAML token that will be generated</param>
 /// <param name="username">username with which the client authenticate to the STS</param>
 /// <param name="password">password with which the client authenticate to the STS</param>
 /// <returns></returns>
 public static string GetSamlAssertion(string stsAddress, string acsStsAddress, string username, string password)
 {
   var trustChannelFactory = new WSTrustChannelFactory("CustomSTSEP");
   trustChannelFactory.Credentials.UserName.UserName = username;
   trustChannelFactory.Credentials.UserName.Password = password;
 
   RequestSecurityToken rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue,
                                                                WSTrust13Constants.KeyTypes.Bearer);
   rst.AppliesTo = new EndpointAddress(acsStsAddress); 
   rst.TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.Saml2TokenProfile11;
 
   WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
 
   GenericXmlSecurityToken token = channel.Issue(rst) as GenericXmlSecurityToken;
   return token.TokenXml.OuterXml;
 }
//this is the configuration I used:
<client>
      <endpoint name = "CustomSTSEP"
                address="https://localhost/MySTS/activeSTS.svc/username_over_transport"
                binding="ws2007HttpBinding"
                bindingConfiguration="IdentityProviderBindingConfiguration"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract">       
      </endpoint>
</client>
<bindings>
      <ws2007HttpBinding>
        <binding name="IdentityProviderBindingConfiguration">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="UserName" establishSecurityContext="false" />
          </security>
        </binding>
      </ws2007HttpBinding>
 </bindings>
 <behaviors>
      <endpointBehaviors>
        <behavior name="clientBehavior">
          <clientCredentials>
            <serviceCertificate>
              <authentication certificateValidationMode="None"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
 </behaviors>

Once we hold the SAML Token we can send it to the ACS and get the SWT token we need.

/// <summary>
/// Get a SWT Token from Appfabric ACS using a SAML token that was previously generated
/// </summary>
/// <param name="scope">The realm of the application (RP) to which the token is generated</param>
/// <param name="samlAssertion">The SAML token that will be transformed to SWT token</param>
/// <returns></returns>
public static string GetSwtTokenFromACS(string scope, string samlAssertion)
{
  // request a token from ACS   WebClient client = new WebClient();   client.BaseAddress = 
      string.Format("https://{0}.{1}", ACSNamespace, "accesscontrol.windows.net");   var values = new NameValueCollection   {       { "wrap_assertion_format", "SAML"},       { "wrap_assertion", samlAssertion },       { "wrap_scope", scope }   };   byte[] responseBytes = null;   try   {        responseBytes = client.UploadValues("WRAPv0.9/", "POST", values);   }   catch (WebException ex)   {       var reader = new StreamReader(ex.Response.GetResponseStream());       Logger.Instance.WriteCritical(ex, reader.ReadToEnd());                  }   string response = Encoding.UTF8.GetString(responseBytes);  return HttpUtility.UrlDecode(                 response                 .Split('&')                 .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))                 .Split('=')[1]);
}

Now we can call our REST service…

 WebClient client = new WebClient();  string headerValue = string.Format("WRAP access_token=\"{0}\"", swttoken);  client.Headers.Add("Authorization", headerValue);  Stream stream = client.OpenRead(address);

Enjoy

Manu

 
Posted: Nov 16 2011, 11:30 AM by Manu Cohen-Yashar | with no comments
תגים:, , , , ,