Building Secure Web Services Using Windows Communication Foundation
Petar Vucetin, Senior Software Engineer, Vertigo
Tech·Ed 2008, Session Code: SOA312
Agenda
- Learn how to use standard WCF security mechanisms correctly
- Understand appropriate scenarios for the various WCF security options
- Understand how to extend WCF security for custom applications
Threat Modeling
- CIA: Confidentiality, Integrity, Availability
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
Security
- Confidentiality: the content of the message is kept secret
- Integrity: confidence that the message received is the same one the sender sent
- Authentication: confidence that we know the caller's identity. Confidentiality and integrity are useless without authenticity.
WCF Out of the Box Experience
- Defaults to secure mode
- Claim-based
- Internet, intranet and custom security scenarios
- Secure conversations
- Transfer security: message integrity and protection
- Mutual authentication (client -> service, service -> client)
- Authorization
[Diagram: a Caller inside a Host sends a WS-* Message to a WCF Service; Caller Identity and Service Identity are exchanged; each endpoint is described by Address, Binding and Contract (A, B, C); beneath the message sit Transport (TLS, SSL, IPSec), Trust, Policy and Claims]
- Address – Where?
- Binding – How?
- Contract – What?
Transport Security
- Prevents eavesdropping, tampering, and message forgery
- Point-to-point communication
- SSL over HTTP
- TLS over TCP
- Provides endpoint authentication and communications privacy using cryptography
- IPSEC/L2TP
[Diagram: Caller and Service endpoints (A, B, C) connected over Transport (TLS, SSL, IPSec)]
Message: WS-Security
[Diagram: SOAP Envelope]
- SOAP Header
  - Misc. headers
  - Security Header
    - Security Token
    - Timestamp
    - Signature
    - Encrypted Key
- SOAP Body
  - Data
  - Encrypted Data
Message Security
- Transport independent
- Uses SOAP / WS-Security
- Parts of the message can be signed or encrypted
- All of the security information is encapsulated in the message
- Security credentials and claims travel with every message
- Wide set of credentials and claims supported
- WCF requires an X509 certificate
[Diagram: Caller and Service endpoints (A, B, C) exchanging a WS-* Message]
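The parts named on the two WS-Security slides can be seen in a concrete envelope. The C# below is an added example, not material from the session: it builds a constructed SOAP 1.2 request carrying a security token, timestamp, signature, encrypted key and encrypted body, reports which parts are present, and checks that the timestamp is still inside a freshness window. `SecurityHeaderInspector`, `Inspect` and the sample envelope are this example's own names and data; the namespace URIs are the standard WS-Security 1.0, XML-DSig and XML-Enc ones. Signature verification and decryption are WCF's job; this is the structural triage a defender does on a captured message.

```csharp
using System;
using System.Xml;

// Added example (not from the session): structural inspection of a WS-Security header.
public static class SecurityHeaderInspector
{
    const string Soap = "http://www.w3.org/2003/05/soap-envelope";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Ds   = "http://www.w3.org/2000/09/xmldsig#";
    const string Xenc = "http://www.w3.org/2001/04/xmlenc#";
    const string Saml = "urn:oasis:names:tc:SAML:1.0:assertion";

    public sealed class Report
    {
        public bool HasSecurityHeader, HasSecurityToken, HasTimestamp, HasSignature, HasEncryptedKey, HasEncryptedData, TimestampFresh;
        public override string ToString()
        {
            return string.Format("header={0} token={1} timestamp={2} fresh={3} signature={4} encKey={5} encData={6}",
                HasSecurityHeader, HasSecurityToken, HasTimestamp, TimestampFresh, HasSignature, HasEncryptedKey, HasEncryptedData);
        }
    }

    public static Report Inspect(string envelopeXml, DateTime nowUtc, TimeSpan allowedSkew)
    {
        var doc = new XmlDocument();
        doc.LoadXml(envelopeXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("s", Soap); ns.AddNamespace("wsse", Wsse); ns.AddNamespace("wsu", Wsu);
        ns.AddNamespace("ds", Ds);  ns.AddNamespace("xenc", Xenc); ns.AddNamespace("saml", Saml);

        var report = new Report();
        XmlNode security = doc.SelectSingleNode("/s:Envelope/s:Header/wsse:Security", ns);
        if (security == null) return report;        // no security header at all: every flag stays false
        report.HasSecurityHeader = true;

        // Security token: binary (X.509/Kerberos), username, or a SAML assertion.
        report.HasSecurityToken = security.SelectSingleNode("wsse:BinarySecurityToken | wsse:UsernameToken | saml:Assertion", ns) != null;
        report.HasSignature     = security.SelectSingleNode("ds:Signature", ns) != null;
        report.HasEncryptedKey  = security.SelectSingleNode("xenc:EncryptedKey", ns) != null;
        // Encrypted data normally sits in the body (or in a header being protected).
        report.HasEncryptedData = doc.SelectSingleNode("//xenc:EncryptedData", ns) != null;

        XmlNode timestamp = security.SelectSingleNode("wsu:Timestamp", ns);
        if (timestamp != null)
        {
            report.HasTimestamp = true;
            DateTime created = ReadUtc(timestamp.SelectSingleNode("wsu:Created", ns));
            DateTime expires = ReadUtc(timestamp.SelectSingleNode("wsu:Expires", ns));
            // Reject messages created in the future or already expired, allowing for clock skew;
            // a correctly signed but stale message is what a replay looks like.
            report.TimestampFresh = created - allowedSkew <= nowUtc && nowUtc <= expires + allowedSkew;
        }
        return report;
    }

    static DateTime ReadUtc(XmlNode node)
    {
        if (node == null) throw new FormatException("wsu:Timestamp must carry both Created and Expires");
        return XmlConvert.ToDateTime(node.InnerText, XmlDateTimeSerializationMode.Utc);
    }

    // Constructed sample envelope; token, signature and cipher values are placeholders.
    const string SampleEnvelope = @"<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope'
  xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
  xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
  xmlns:ds='http://www.w3.org/2000/09/xmldsig#' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
  <s:Header><wsse:Security>
    <wsu:Timestamp><wsu:Created>2008-06-03T10:00:00Z</wsu:Created><wsu:Expires>2008-06-03T10:05:00Z</wsu:Expires></wsu:Timestamp>
    <wsse:BinarySecurityToken>PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <xenc:EncryptedKey><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
  </wsse:Security></s:Header>
  <s:Body><xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></s:Body>
</s:Envelope>";

    public static void Main()
    {
        // Same message judged inside its five-minute window and again five minutes after it closed.
        Console.WriteLine(Inspect(SampleEnvelope, new DateTime(2008, 6, 3, 10, 2, 0, DateTimeKind.Utc), TimeSpan.FromMinutes(1)));
        Console.WriteLine(Inspect(SampleEnvelope, new DateTime(2008, 6, 3, 10, 10, 0, DateTimeKind.Utc), TimeSpan.FromMinutes(1)));
    }
}
```

The second call reports every part present but `fresh=False`: a message that still carries a valid signature can nonetheless be outside its timestamp window, which is why WCF rejects such messages and why a skew allowance should be small.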
Authentication
- Caller identification: Windows tokens, certificates, user name tokens, custom
- Service identification (to caller): Windows tokens, X.509 certificates
Microsoft Confidential
Authentication: WS-Security
[Diagram: token types carried in the WS-Security header (X509, Kerberos, SAML, XrML, Custom), governed by the service's Contract & Policies; the X509 certificate travels with the message while the private key stays with the caller]
Private key: the service verifies that the user owns (is able to use) a key that is never transmitted.
Authorization
- What is the caller allowed to do? WCF uses the caller's claims
- A caller can have many: Windows token, SAML
- Sources: Windows groups, ASP.NET providers, custom provider
- No good without authentication
Scenarios
- Intranet
  - Direct access to service (rare) – single machine
  - Application servers – more common, distributed, maybe port restrictions and firewalls
  - AD, Windows auth
- Internet
  - Firewalled, DMZed
  - Restricted ports and routes, custom identity store
  - Maybe trusted subsystem down the line with AD/Windows auth
  - Maybe multiple authentication systems involved
Scenarios (cont.)
- B2B
  - Crossing multiple network topologies, firewalls, port restrictions
  - Non-Windows security topologies and implementations
  - May require acquiring and using different identities
  - Maybe multiple authentication systems involved
  - Most likely service to service
Service and Client: configuring
How does this stuff work?
Security Modes
- None. Turns security off. Not recommended (default for BasicHttpBinding).
- Transport. Uses transport security for mutual authentication and message protection.
- Message. Uses message security for mutual authentication and message protection. WCF requires an X509 certificate.
- Both. Allows you to supply settings for transport and message-level security (only MSMQ supports this).
Demo: Controlling security modes
Security Modes (cont.)
- TransportWithMessageCredential. Client credentials are passed with the message. Service authentication, confidentiality and data integrity are provided by the transport layer.
- TransportCredentialOnly. Client credentials are passed with the transport layer and no message protection is applied.
Security Modes

| Name                | None | Transport | Message | Mixed | Both |
|---------------------|------|-----------|---------|-------|------|
| NetTcpBinding       | +    | R         | +       | +     | -    |
| NetNamedPipeBinding | +    | R         | -       | -     | -    |
| NetMsmqBinding      | +    | R         | +       | -     | -    |
| BasicHttpBinding    | R    | +         | +       | +     | -    |
| WSHttpBinding       | +    | +         | R       | +     | -    |
| WSDualHttpBinding   | +    | -         | R       | -     | +    |

R = default, + = supported, - = not supported
WCF Channel Stack
[Diagram: the WCF Runtime hosts a Channel Stack (Protocol, Protocol, Protocol, Encoding, Transport layers) feeding a Dispatcher and a Service Instance with its Operations; the Binding describes the stack]
netTcpBinding, Security.Mode == None
Channel stack:
- TcpTransportBinding
- BinaryMessageEncodingBinding
- TransactionFlowBinding
[Diagram: WCF Runtime / Channel Stack / Dispatcher / Service Instance with the binding elements above filled in]
netTcpBinding, Security.Mode == Transport
Channel stack:
- TcpTransportBinding
- WindowsStreamSecurityBinding
- BinaryMessageEncodingBinding
- TransactionFlowBinding
[Diagram: WCF Runtime / Channel Stack / Dispatcher / Service Instance with the binding elements above filled in]
netTcpBinding, Security.Mode == Message
Channel stack:
- TcpTransportBinding
- BinaryMessageEncodingBinding
- SymmetricSecurityBinding
- TransactionFlowBinding
[Diagram: WCF Runtime / Channel Stack / Dispatcher / Service Instance with the binding elements above filled in]
netTcpBinding, Security.Mode == TransportWithMessageCredentials
Channel stack:
- TcpTransportBinding
- BinaryMessageEncodingBinding
- SslStreamSecurityBinding
- TransactionFlowBinding
- TransportSecurityBinding
[Diagram: WCF Runtime / Channel Stack / Dispatcher / Service Instance with the binding elements above filled in]
Demo: Controlling credentials at the transport level
Transport Security and Credentials

| Name                | None | Windows | User Name | Certificate |
|---------------------|------|---------|-----------|-------------|
| NetTcpBinding       | +    | R       | -         | +           |
| NetNamedPipeBinding | -    | R       | -         | -           |
| NetMsmqBinding      | +    | R       | -         | +           |
| BasicHttpBinding    | R    | +       | +         | +           |
| WSHttpBinding       | +    | R       | +         | +           |
| WSDualHttpBinding   | n/a  | n/a     | n/a       | n/a         |

R = default, + = supported, - = not supported
Demo: Controlling message security and credentials
Message Security and Credentials

| Name                | None | Windows | User Name | Certificate | Issued Token |
|---------------------|------|---------|-----------|-------------|--------------|
| NetTcpBinding       | +    | R       | +         | +           | +            |
| NetNamedPipeBinding | n/a  | n/a     | n/a       | n/a         | n/a          |
| NetMsmqBinding      | +    | R       | -         | +           | +            |
| BasicHttpBinding    | -    | -       | -         | +           | -            |
| WSHttpBinding       | +    | R       | +         | +           | +            |
| WSDualHttpBinding   | +    | R       | +         | +           | +            |

R = default, + = supported, - = not supported
Choices
Choices, choices, choices. You confused by now?
Out of the Box Bindings: Intranet
NetNamedPipeBinding
- Limited reach – same machine, cross process
- Fast
- No SOAP support
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
Out of the Box Bindings (cont.): Intranet
NetTcpBinding
- WCF-to-WCF scenarios
- Fast, can add WS* features – performance tradeoff
- If you used COM+/DCOM, use this binding
- Load balancing – has server affinity, reduce lease timeout
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
Out of the Box Bindings (cont.): Intranet
NetMsmqBinding
- Queued work / workload leveling / disconnected scenarios
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Sign
MsmqIntegrationBinding
- Non-WCF clients
Out of the Box Bindings (cont.): Internet
BasicHttpBinding
- Interop for ASMX, support for WS-I Basic Profile 1.1
- Does not support the WS* stack
- Works well with existing HTTP load balancing techniques
- Only binding supported in Silverlight 2.0
- Defaults: Security Mode: None; Transport: None; Credentials: User Name; Message protection: None
Out of the Box Bindings (cont.): Internet
WsHttpBinding
- Non-Windows/WCF clients
- Restricted ports, firewalls
- Can use HTTP load balancing – can't use reliable session, EstablishSecurityContext == off
- Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
Out of the Box Bindings (cont.): Internet
WsFederationHttpBinding
- Share identities across multiple systems
- Custom tokens
- Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
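The security-mode descriptions, the netTcpBinding channel-stack slides and the binding defaults above can all be checked from code rather than memorised. The C# below is an added example, not material from the session: it enumerates the binding elements each NetTcpBinding security mode produces (the stacks the slides draw) and flags any out-of-the-box binding whose stack carries no security element, which by the defaults listed is BasicHttpBinding alone. `BindingSecurityAudit`, `StackOf`, `IsProtected` and the rule they apply are this example's own; the binding element types are the public ones in System.ServiceModel.Channels.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example (not from the session): audit the channel stack a binding will build.
public static class BindingSecurityAudit
{
    // Binding element type names in the order WCF composes them.
    public static List<string> StackOf(Binding binding)
    {
        var names = new List<string>();
        foreach (BindingElement element in binding.CreateBindingElements())
            names.Add(element.GetType().Name);
        return names;
    }

    // True when something in the stack protects the message: a message-security element
    // (Symmetric/Asymmetric/TransportSecurityBindingElement), a stream upgrade
    // (SslStream/WindowsStream security over TCP or pipes), an HTTPS transport, or MSMQ
    // transport security, which lives as a property on the MSMQ transport element rather
    // than as a separate element.
    public static bool IsProtected(Binding binding)
    {
        foreach (BindingElement element in binding.CreateBindingElements())
        {
            if (element is SecurityBindingElement) return true;
            if (element is StreamUpgradeBindingElement) return true;
            if (element is HttpsTransportBindingElement) return true;
            MsmqBindingElementBase msmq = element as MsmqBindingElementBase;
            if (msmq != null && msmq.MsmqTransportSecurity.MsmqAuthenticationMode != MsmqAuthenticationMode.None)
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // The four netTcpBinding slides, one stack per security mode.
        SecurityMode[] modes = { SecurityMode.None, SecurityMode.Transport,
                                 SecurityMode.Message, SecurityMode.TransportWithMessageCredential };
        foreach (SecurityMode mode in modes)
        {
            NetTcpBinding tcp = new NetTcpBinding(mode);
            Console.WriteLine("NetTcpBinding/{0}: {1}", mode, string.Join(", ", StackOf(tcp).ToArray()));
        }

        // The out-of-the-box defaults from the binding slides, judged by their stacks.
        Binding[] defaults = { new NetNamedPipeBinding(), new NetTcpBinding(), new NetMsmqBinding(),
                               new BasicHttpBinding(), new WSHttpBinding(), new WSDualHttpBinding() };
        foreach (Binding binding in defaults)
            Console.WriteLine("{0,-20} default protected: {1}", binding.GetType().Name, IsProtected(binding));
    }
}
```

Running the same `IsProtected` check over the bindings a deployed configuration actually loads (for example via `ServiceHost.Description.Endpoints`) turns the "None. Not recommended" slide into something a build or deployment step can enforce.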
Service and Client: customization
Security Extension Points
Customization Scenarios
- Custom security tokens
- Custom authentication methods
- Claims-based authorization
- Claims transformation
- Custom principals
WCF Security Extensible Points
- Credentials: Custom Service Credentials, Custom Client Credentials, Custom Security Token Manager
- Authentication: Security Token Authenticator, Security Token Provider
- Authorization: Service Authorization Manager, External Authorization Policy, Custom Authorization Policy, Custom Endpoint Identity Verifier
- Serialization: Security Token Serializer, Security Key Identifier Clause
Custom Authentication
[Diagram: CalculatorService (contract ISecureCalculator) at http://localhost/serv.svc, accepting a SAML1.0 token carrying the http://schemas../givenname and http://schemas../lastname claims issued by http://schemas../self]

```xml
<services>
  <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
    <endpoint address="" binding="wsFederationHttpBinding"
              bindingConfiguration="requireInfoCard" contract="ISecureCalculator">
      <identity>
        <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine" storeName="My" />
      </identity>
    </endpoint>
  </service>
</services>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard"> ...</binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceCredentials">...</behavior>
  </serviceBehaviors>
</behaviors>
```

```xml
<behavior name="ServiceCredentials">
  <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
  <serviceCredentials>
    <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine" storeName="My" />
    <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
  </serviceCredentials>
</behavior>
```
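The `serviceAuthorization` element above hands every call to a `ServiceAuthorizationManager`, which is where claims-based authorization (the "Service Authorization Manager" extension point) happens. The C# below is an added example, not the session's `SelfissuedServAuthMgr`: it requires the two claims the binding asks for and includes a tiny `IAuthorizationPolicy` so the decision can be exercised against a hand-built `AuthorizationContext` without a running service. The class names are this example's own, the caller's claims are constructed, and the deck's `lastname` claim is assumed to correspond to `ClaimTypes.Surname` (the given name to `ClaimTypes.GivenName`).

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Added example (not the session's code): deny unless the caller possesses every required claim.
public class RequiredClaimsAuthorizationManager : ServiceAuthorizationManager
{
    // Assumption: the deck's givenname/lastname claims map to these standard claim types.
    public static readonly string[] RequiredClaimTypes = { ClaimTypes.GivenName, ClaimTypes.Surname };

    // WCF calls this once per incoming message after authentication has produced the
    // AuthorizationContext; returning false sends the caller an access-denied fault.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null || security.IsAnonymous) return false;   // never authorize an unauthenticated caller
        return HasAllRequiredClaims(security.AuthorizationContext);
    }

    // Kept separate from OperationContext so it can be tested against a constructed context.
    public static bool HasAllRequiredClaims(AuthorizationContext context)
    {
        foreach (string claimType in RequiredClaimTypes)
            if (!HasNonEmptyClaim(context, claimType)) return false;
        return true;
    }

    static bool HasNonEmptyClaim(AuthorizationContext context, string claimType)
    {
        foreach (ClaimSet claimSet in context.ClaimSets)
        {
            // Rights.PossessProperty selects attributes the caller holds (SAML attribute
            // statements), as opposed to Rights.Identity claims that merely name the subject.
            foreach (Claim claim in claimSet.FindClaims(claimType, Rights.PossessProperty))
            {
                string value = claim.Resource as string;
                if (!string.IsNullOrEmpty(value)) return true;
            }
        }
        return false;
    }
}

// Minimal policy that contributes a fixed claim set, standing in for the claims an
// authenticated issued (SAML) token would add.
public sealed class FixedClaimsPolicy : IAuthorizationPolicy
{
    readonly ClaimSet claims;
    readonly string id = Guid.NewGuid().ToString();
    public FixedClaimsPolicy(params Claim[] claims) { this.claims = new DefaultClaimSet(ClaimSet.System, claims); }
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        evaluationContext.AddClaimSet(this, claims);
        return true;
    }
}

public static class AuthorizationDemo
{
    public static bool Decide(params Claim[] callerClaims)
    {
        var policies = new List<IAuthorizationPolicy> { new FixedClaimsPolicy(callerClaims) };
        AuthorizationContext context = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
        return RequiredClaimsAuthorizationManager.HasAllRequiredClaims(context);
    }

    public static void Main()
    {
        // Constructed callers: one carrying both required claims, one missing the surname.
        Console.WriteLine(Decide(new Claim(ClaimTypes.GivenName, "Petar", Rights.PossessProperty),
                                 new Claim(ClaimTypes.Surname, "Vucetin", Rights.PossessProperty)));
        Console.WriteLine(Decide(new Claim(ClaimTypes.GivenName, "Petar", Rights.PossessProperty)));
    }
}
```

With `allowUntrustedRsaIssuers="true"` the service accepts self-issued cards, so the token's issuer is just a per-user RSA key; the only thing the manager can reason about is the claim content, which is why it insists on each claim being present and non-empty rather than on who signed it.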
Demo: Custom authentication
Service Config
[Diagram: CalculatorService (contract ISecureCalculator) at http://localhost/serv.svc, accepting a SAML1.0 token carrying the http://schemas../givenname and http://schemas../lastname claims issued by http://schemas../self]

```xml
<services>
  <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
    <endpoint address="" binding="wsFederationHttpBinding"
              bindingConfiguration="requireInfoCard" contract="ISecureCalculator">
      <identity>
        <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine" storeName="My" />
      </identity>
    </endpoint>
  </service>
</services>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard"> ...</binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceCredentials">...</behavior>
  </serviceBehaviors>
</behaviors>
```

```xml
<binding name="requireInfoCard">
  <security mode="Message">
    <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <claimTypeRequirements>
        <add claimType="http://schemas../givenname" />
        <add claimType="http://schemas../lastname" />
      </claimTypeRequirements>
      <issuer address="http://schemas.../self" />
    </message>
  </security>
</binding>
```

```xml
<behavior name="ServiceCredentials">
  <serviceCredentials>
    <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine" storeName="My" />
    <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
  </serviceCredentials>
</behavior>
```
Client Config
[Diagram: the client obtains a SAML1.0 token carrying the http://schemas../givenname and http://schemas../lastname claims from the STS at http://madSTS.org/sts and presents it to CalculatorService (contract ISecureCalculator) at http://localhost/serv.svc]

```xml
<client>
  <endpoint address="http://localhost/serv.svc/" bindingConfiguration="requireInfoCard"
            binding="wsFederationHttpBinding" contract="ISecureCalculator"
            behaviorConfiguration="ClientCredentials">
    <identity>
      <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName"
                            storeLocation="CurrentUser" storeName="TrustedPeople" />
    </identity>
  </endpoint>
</client>
<bindings>
  <wsFederationHttpBinding>
    <binding name="requireInfoCard">…</binding>
  </wsFederationHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="ClientCredentials">…</behavior>
  </endpointBehaviors>
</behaviors>
```

```xml
<binding name="requireInfoCard">
  <security mode="Message">
    <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <claimTypeRequirements>
        <add claimType="http://schemas../emailaddress" />
        <add claimType="http://schemas../givenname" />
      </claimTypeRequirements>
      <issuer address="http://schemas../self" />
    </message>
  </security>
</binding>
```

```xml
<behavior name="ClientCredentials">
  <clientCredentials>
    <serviceCertificate>
      <defaultCertificate findValue="fabrikam" x509FindType="FindBySubjectName"
                          storeLocation="CurrentUser" storeName="TrustedPeople" />
      <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
    </serviceCertificate>
  </clientCredentials>
</behavior>
```
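The `clientCredentials` behavior above decides how the client validates the service's certificate, and `PeerOrChainTrust` with `NoCheck` is a demo setting: it accepts any certificate dropped into TrustedPeople and never consults revocation. The C# below is an added example, not the session's code: it shows the same settings applied programmatically beside a hardened variant (chain trust, online revocation) and pins the endpoint to a DNS identity, the alternative to the slide's `certificateReference` identity. `ISecureCalculator`'s single operation, the `SecureClientSetup` names and the use of `WSHttpBinding` in place of the deck's `wsFederationHttpBinding` (so no token issuer is needed) are this example's assumptions; `fabrikam` and the service URL are the deck's values, and `SetDefaultCertificate` requires that certificate to be present in CurrentUser\TrustedPeople, as on the slide.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Added example (not the session's code). The operation is assumed; the deck only names the contract.
[ServiceContract]
public interface ISecureCalculator
{
    [OperationContract]
    double Add(double a, double b);
}

public static class SecureClientSetup
{
    // Mirrors the slide: service certificate from CurrentUser\TrustedPeople, accepted on
    // peer trust alone, revocation never checked. Adequate for a development box.
    public static void ApplyDemoValidation(X509CertificateRecipientClientCredential serviceCertificate)
    {
        serviceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.TrustedPeople,
                                                 X509FindType.FindBySubjectName, "fabrikam");
        serviceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
        serviceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
    }

    // Production: the certificate must chain to a trusted root and revocation is consulted,
    // so a revoked service key is actually noticed by the client.
    public static void ApplyHardenedValidation(X509CertificateRecipientClientCredential serviceCertificate)
    {
        serviceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.TrustedPeople,
                                                 X509FindType.FindBySubjectName, "fabrikam");
        serviceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        serviceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
    }

    public static ChannelFactory<ISecureCalculator> CreateFactory(Binding binding, string serviceUrl, bool hardened)
    {
        // Endpoint identity: WCF checks the service certificate against this DNS name, so a host
        // that merely answers at the address is not enough (the slide uses a certificateReference
        // identity instead; DNS is the other form from the identity-types slides).
        var address = new EndpointAddress(new Uri(serviceUrl), EndpointIdentity.CreateDnsIdentity("fabrikam"));
        var factory = new ChannelFactory<ISecureCalculator>(binding, address);
        if (hardened) ApplyHardenedValidation(factory.Credentials.ServiceCertificate);
        else ApplyDemoValidation(factory.Credentials.ServiceCertificate);
        return factory;
    }

    public static void Main()
    {
        // WSHttpBinding in Message mode stands in for the deck's wsFederationHttpBinding; the
        // service-certificate validation settings are the same for either binding.
        var factory = CreateFactory(new WSHttpBinding(SecurityMode.Message), "http://localhost/serv.svc", true);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        Console.WriteLine("validation={0} revocation={1}", auth.CertificateValidationMode, auth.RevocationMode);
        // factory.CreateChannel().Add(1, 2) would now negotiate with the service at that address.
    }
}
```

The demo and hardened variants differ only in two enum values, which is the point: the setting that makes the sample work on a laptop is the one that must be flipped before the client talks to anything outside it.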
Tips & Tricks
VS2008 SP1
Tips & Tricks (cont.)
New Services
- NetMsmqActivator (Net.Msmq Listener Adapter): receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
- NetPipeActivator (Net.Pipe Listener Adapter): receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
New Services (cont.)
- NetTcpActivator (Net.Tcp Listener Adapter): receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
- NetTcpPortSharing (Net.Tcp Port Sharing Service): provides the ability to share TCP ports over the net.tcp protocol.
Q & A
Resources for Developers
- www.microsoft.com/teched: Tech·Talks, Tech·Ed Bloggers, Live Simulcasts, Virtual Labs
- http://microsoft.com/msdn: Developer's Kit, Licenses, and MORE!
Track Resources
- CodePlex WCF Security Guidance - http://www.codeplex.com/WCFSecurity
- IDesign code library - http://www.idesign.net/
- MSDN WCF demos and examples - http://wcf.netfx3.com/
- (WCF), (WF) and Windows CardSpace Samples - MSDN http://tinyurl.com/4zvppt
- Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
Complete an evaluation on CommNet and enter to win a 1 Year Subscription!
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
[Diagram: Client Claims and Service Claims, each backed by an Authority that is asked "Valid?"]
Identity Types
- DNS - Use this element with X.509 certificates or Windows accounts.
- Certificate - This element specifies a Base64-encoded X.509 certificate value to compare with the client. Also use this element when using CardSpace as a credential to authenticate the service.
- Certificate Reference
- RSA
- User Principal Name
- Service Principal Name
Topology
[Diagram: an INTRANET zone with IIS, a Router and services S1 and S2; a DMZ with IIS, an STS and Partners; WinClient and Browser clients on each side]