Building Secure Web Services Using Windows Communication Foundation
Petar Vucetin, Senior Software Engineer, Vertigo
Session Code: SOA312
Agenda
- Learn how to use standard WCF security mechanisms correctly
- Understand appropriate scenarios for the various WCF security options
- Understand how to extend WCF security for custom applications
Threat Modeling
- CIA: Confidentiality, Integrity, Availability
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
Security
- Confidentiality: the content of the message is kept secret
- Integrity: confidence that the message received is the same one the sender sent
- Authentication: confidence that we know the caller's identity
Confidentiality and integrity are useless without authenticity.
WCF Out of the Box Experience
- Defaults to secure mode
- Claim-based
- Internet, intranet and custom security scenarios
- Secure conversations
- Transfer: message integrity and protection
- Mutual authentication (client -> service, service -> client)
- Authorization
[Diagram: Caller and Service, each with an endpoint made of Address (A: where?), Binding (B: how?) and Contract (C: what?); caller identity and service identity exchange claims, policy and trust, over Message (WS-*) or Transport (TLS, SSL, IPSec) security, with the service hosted in a WCF host]
Transport Security
- Prevents eavesdropping, tampering, and message forgery
- Point-to-point communication
- SSL over HTTP, TLS over TCP: provides endpoint authentication and communications privacy using cryptography
- IPSec/L2TP
[Diagram: Caller and Service endpoints (A, B, C) connected over Transport security (TLS, SSL, IPSec)]
Message: WS-Security SOAP Envelope
- SOAP Header
  - Security Header: Security Token, Timestamp, Signature, Encrypted Key
  - Misc. Headers
- SOAP Body: Encrypted Data (wrapping the message data)
Message Security
- Transport independent
- Uses SOAP / WS-Security
- Parts of the message can be signed or encrypted
- All of the security information is encapsulated in the message
- Security credentials and claims travel with every message
- Wide set of credentials and claims supported
- WCF requires an X.509 certificate
[Diagram: Caller and Service endpoints (A, B, C) exchanging Message (WS-*) security]
Authentication
- Caller identification: Windows tokens, certificates, user name tokens, custom
- Service identification (to the caller): Windows tokens, X.509 certificates
Authentication: WS-Security
[Diagram: contract and policies select the token type; X.509 certificate, Kerberos, XrML, SAML or custom tokens are exchanged while the private key stays with the caller]
The service verifies that the user owns, or is able to use, a key that is never transmitted.
Authorization
- What is the caller allowed to do?
- WCF uses the caller's claims; a caller can have many (Windows token, SAML)
- Windows groups, ASP.NET providers, custom provider
- No good without authentication
Claims
A claim is a declaration made by an entity about an entity (for example, a name, identity, group, key, or privilege). The entity that makes the claim is referred to as the claim issuer; the entity about which the claim is made is referred to as the claim subject.
A claim is defined by a triplet: type, right, resource.
A claim issuer can vouch for or endorse the claims in a security token by using its key to sign or encrypt the security token. This enables authentication of the claims in the security token.
[Diagram: partner STS, browser and WinClient reach an IIS host in the DMZ through a router; intranet browser, IIS and WinClient sit behind it]
Scenarios
Intranet
- Direct access to the service (rare): single machine
- Application servers: more common, distributed, maybe port restrictions and firewalls
- AD, Windows authentication
Internet
- Firewalled, DMZed
- Restricted ports and routes, custom identity store
- Maybe a trusted subsystem down the line with AD/Windows authentication
- Maybe multiple authentication systems involved
Scenarios (cont.)
B2B
- Crossing multiple network topologies, firewalls, port restrictions
- Non-Windows security topologies and implementations
- May require acquiring and using different identities
- Maybe multiple authentication systems involved
- Most likely service to service
Configuring Service and Client: how does this stuff work?
Security Modes
- None: turns security off. Not recommended (default for BasicHttpBinding).
- Transport: uses transport security for mutual authentication and message protection.
- Message: uses message security for mutual authentication and message protection. WCF requires an X.509 certificate.
- Both: allows you to supply settings for transport and message-level security (only MSMQ supports this).
Demo: Controlling security modes
Security Modes (cont.)
- TransportWithMessageCredential: client credentials are passed with the message. Service authentication, confidentiality and data integrity are provided by the transport layer.
- TransportCredentialOnly: client credentials are passed with the transport layer and no message protection is applied.
WCF Channel Stack
- Service Instance
- WCF Runtime: Operation, Dispatcher
- Channel Stack: Protocol binding elements, Encoding, Transport

Security.Mode == None (netTcpBinding)
Channel stack: TransactionFlowBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> TcpTransportBinding (transport)

Security.Mode == Transport (netTcpBinding)
Channel stack: TransactionFlowBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> WindowsStreamSecurityBinding -> TcpTransportBinding (transport)

Security.Mode == Message (netTcpBinding)
Channel stack: TransactionFlowBinding (protocol) -> SymmetricSecurityBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> TcpTransportBinding (transport)

Security.Mode == TransportWithMessageCredential (netTcpBinding)
Channel stack: TransactionFlowBinding (protocol) -> TransportSecurityBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> SslStreamSecurityBinding -> TcpTransportBinding (transport)
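An added example, not code from the deck: C# that builds the bindings from the Security Modes and channel stack slides with their security mode set explicitly, then lists the binding elements WCF creates for each netTcpBinding mode so the stream-security or message-security element can be checked in a test rather than assumed. The class and method names are mine; the binding types and properties are the real System.ServiceModel API.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Example code (not the deck's): explicit security modes plus a channel stack dump.
public static class SecurityModeExamples
{
    // NetTcpBinding already defaults to Transport / Windows / EncryptAndSign; pinning the
    // values in code makes the choice visible in review and survives a config change.
    public static NetTcpBinding NetTcp(SecurityMode mode)
    {
        var binding = new NetTcpBinding(mode);
        switch (mode)
        {
            case SecurityMode.Transport:
                binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
                binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
                break;
            case SecurityMode.Message:
                // Message security needs a service X.509 certificate on the host.
                binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
                break;
            case SecurityMode.TransportWithMessageCredential:
                // TLS on the wire (SslStreamSecurityBindingElement) carrying a UserName token.
                binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
                break;
        }
        return binding;
    }

    // BasicHttpBinding defaults to None. For an Internet-facing endpoint use TLS plus a
    // UserName token in the WS-Security header instead of leaving the default in place.
    public static BasicHttpBinding BasicHttpOverTlsWithUserName()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        return binding;
    }

    // WSHttpBinding behind an HTTP load balancer without server affinity: keep Message
    // security but turn off the secure-conversation session and the reliable session.
    public static WSHttpBinding WsHttpForLoadBalancing()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.EstablishSecurityContext = false;
        binding.ReliableSession.Enabled = false;
        return binding;
    }

    // Binding element type names, top (protocol) to bottom (transport), as WCF builds them.
    public static IList<string> DescribeChannelStack(Binding binding)
    {
        var names = new List<string>();
        foreach (BindingElement element in binding.CreateBindingElements())
            names.Add(element.GetType().Name);
        return names;
    }

    public static void Main()
    {
        SecurityMode[] modes = { SecurityMode.None, SecurityMode.Transport,
                                 SecurityMode.Message, SecurityMode.TransportWithMessageCredential };
        foreach (SecurityMode mode in modes)
        {
            Console.WriteLine("netTcpBinding, Security.Mode == " + mode + ":");
            foreach (string name in DescribeChannelStack(NetTcp(mode)))
                Console.WriteLine("  " + name);
        }
    }
}
```

The printed names are the full BindingElement type names (for example WindowsStreamSecurityBindingElement) that the slides abbreviate. A unit test that asserts DescribeChannelStack(...) contains a security element for every production binding is a cheap guard against a config edit silently dropping back to Security.Mode == None.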
Demo: Controlling credentials at the transport level
Demo: Controlling message security and credentials
Choices, choices, choices: confused by now?
Out of the Box Bindings: Intranet
NetNamedPipeBinding
- Limited reach: same machine, cross process
- Fast
- No SOAP support
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
Out of the Box Bindings (cont.): Intranet
NetTcpBinding
- WCF-to-WCF scenarios
- Fast; can add WS-* features (performance tradeoff)
- If you used COM+/DCOM, use this binding
- Load balancing: has server affinity, so reduce the lease timeout
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
Out of the Box Bindings (cont.): Intranet
NetMsmqBinding
- Queued work / workload leveling / disconnected scenarios
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Sign
MsmqIntegrationBinding
- Non-WCF clients
Out of the Box Bindings (cont.): Internet
BasicHttpBinding
- Interop for ASMX, support for WS-I Basic Profile 1.1
- Does not support the WS-* stack
- Works well with existing HTTP load balancing techniques
- Only binding supported in Silverlight 2.0
- Defaults: Security Mode: None; Transport: None; Credentials: User Name; Message protection: None
Out of the Box Bindings (cont.): Internet
WsHttpBinding
- Non-Windows/WCF clients
- Restricted ports, firewalls
- Can use HTTP load balancing, but then you can't use reliable session and need EstablishSecurityContext == off
- Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
Out of the Box Bindings (cont.): Internet
WsFederationHttpBinding
- Share identities across multiple systems
- Custom tokens
- Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
Customization: Service and Client Security Extension Points
Customization Scenarios
- Custom security tokens
- Custom authentication methods
- Claims-based authorization
- Claims transformation
- Custom principals
WCF Security Extensible Points
- Credentials: Custom Security Token Manager, Custom Service Credentials, Custom Client Credentials
- Authentication: Security Token Authenticator, Security Token Provider, Custom Endpoint Identity Verifier
- Authorization: Service Authorization Manager, External Authorization Policy, Custom Authorization Policy
- Serialization: Security Token Serializer, Security Key Identifier Clause
Custom Authentication
[Diagram: ISecureCalculator contract on CalculatorService at http://localhost/serv.svc, accepting a SAML 1.0 token carrying http://schemas../givenname and http://schemas../lastname claims from the self-issued issuer http://schemas../self]
Service behavior wiring a custom authorization manager next to the service certificate:

    <behavior name="ServiceCredentials">
      <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
      <serviceCredentials>
        <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
      </serviceCredentials>
    </behavior>
Demo: Custom authentication
Service Config
[Diagram labels: ISecureCalculator, SAML1.0, CalculatorService, http://localhost/serv.svc]

    <services>
      <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
        <endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="requireInfoCard" contract="ISecureCalculator">
          <identity>
            <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
          </identity>
        </endpoint>
      </service>
    </services>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="requireInfoCard">
          <security mode="Message">
            <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
              <claimTypeRequirements>
                <add claimType="http://schemas../givenname" />
                <add claimType="http://schemas../lastname" />
              </claimTypeRequirements>
              <issuer address="http://schemas../self" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentials">
          <serviceCredentials>
            <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
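An added example, my code rather than the deck's: the claim triplet (type, right, resource) from the Claims slide, and a ServiceAuthorizationManager of the kind the serviceAuthorizationManagerType attribute in the Custom Authentication behavior points at. The namespace and class name are taken from that config line; the SOAP action URI, the allowed-claims table and the sample claims are constructed, and I assume the deck's abbreviated http://schemas../givenname and http://schemas../lastname URIs are the ClaimTypes.GivenName and ClaimTypes.Surname constants.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;

namespace MyServiceAuthorizationManagers
{
    // Example claims-based authorization manager (name from the deck's config, code is mine).
    public class SelfissuedServAuthMgr : ServiceAuthorizationManager
    {
        // Constructed allow-list: which SOAP action requires which claim types.
        // The action URI assumes the default tempuri.org contract namespace.
        private static readonly Dictionary<string, string[]> RequiredClaimsByAction =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                { "http://tempuri.org/ISecureCalculator/Add",
                  new[] { ClaimTypes.GivenName, ClaimTypes.Surname } },
            };

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // Keep the built-in checks (PrincipalPermission, external policies) in force.
            if (!base.CheckAccessCore(operationContext))
                return false;

            ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
            // Authorization is no good without authentication: reject anonymous callers.
            if (ctx == null || ctx.IsAnonymous)
                return false;

            string action = operationContext.IncomingMessageHeaders.Action;
            string[] required;
            if (!RequiredClaimsByAction.TryGetValue(action, out required))
                return false; // deny by default for actions not in the table

            foreach (string claimType in required)
            {
                if (!HasNonEmptyClaim(ctx.AuthorizationContext.ClaimSets, claimType))
                    return false;
            }
            return true;
        }

        // True when any claim set holds a PossessProperty claim of the given type
        // whose resource is a non-empty string: type + right + resource, the triplet.
        public static bool HasNonEmptyClaim(IEnumerable<ClaimSet> claimSets, string claimType)
        {
            foreach (ClaimSet claimSet in claimSets)
            {
                foreach (Claim claim in claimSet.FindClaims(claimType, Rights.PossessProperty))
                {
                    string value = claim.Resource as string;
                    if (!string.IsNullOrEmpty(value))
                        return true;
                }
            }
            return false;
        }

        public static void Main()
        {
            // Constructed claim set standing in for the claims of a self-issued SAML token.
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.GivenName, "Alice", Rights.PossessProperty),
                new Claim(ClaimTypes.Surname, "Example", Rights.PossessProperty),
            };
            ClaimSet token = new DefaultClaimSet(ClaimSet.System, claims);
            Console.WriteLine(HasNonEmptyClaim(new[] { token }, ClaimTypes.GivenName));
            Console.WriteLine(HasNonEmptyClaim(new[] { token }, ClaimTypes.Email));
        }
    }
}
```

With allowUntrustedRsaIssuers="true" the service accepts any self-issued card, so the presence of a claim only shows that the caller asserted it. A production manager would also examine claimSet.Issuer (for a self-issued card, the claim set holding the card's RSA key) against the keys it already knows before acting on the claim's value.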
Client Config
[Diagram labels: ISecureCalculator, CalculatorService, SAML1.0, http://localhost/serv.svc, http://madSTS.org/sts]

    <client>
      <endpoint address="http://localhost/serv.svc/" bindingConfiguration="requireInfoCard" binding="wsFederationHttpBinding" contract="ISecureCalculator" behaviorConfiguration="ClientCredentials">
        <identity>
          <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
        </identity>
      </endpoint>
    </client>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="requireInfoCard">
          <security mode="Message">
            <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
              <claimTypeRequirements>
                <add claimType="http://schemas../emailaddress" />
                <add claimType="http://schemas../givenname" />
              </claimTypeRequirements>
              <issuer address="http://schemas../self" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCredentials">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
              <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
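An added example, not the deck's code: the client-side half of the configuration above done in C#, with the developer-box certificate settings the deck uses (PeerOrChainTrust plus revocationMode NoCheck) placed beside the settings a deployed client should use (ChainTrust with online revocation checking). The contract reuses the deck's ISecureCalculator name but its operation is invented; the "client-dev" certificate subject and the store locations are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract reusing the deck's interface name (operation invented here).
[ServiceContract]
public interface ISecureCalculator
{
    [OperationContract]
    double Add(double a, double b);
}

public static class SecureClientFactory
{
    // Builds a channel factory for message security with certificate client credentials.
    // developmentMachine == true mirrors the deck's client config; false is the hardened form.
    public static ChannelFactory<ISecureCalculator> Create(Uri serviceAddress, bool developmentMachine)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // Code equivalent of the <identity> element: the DNS identity must match the
        // subject name of the service certificate or WCF rejects the service.
        var address = new EndpointAddress(serviceAddress, EndpointIdentity.CreateDnsIdentity("fabrikam"));
        var factory = new ChannelFactory<ISecureCalculator>(binding, address);

        // The caller's own certificate (assumed subject name and store).
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "client-dev");

        // The service certificate expected during the message-security handshake,
        // matching <defaultCertificate> in the deck's config.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "fabrikam");

        X509ServiceCertificateAuthentication auth = factory.Credentials.ServiceCertificate.Authentication;
        if (developmentMachine)
        {
            // Deck settings: a self-signed cert in TrustedPeople is accepted and
            // revocation is never consulted. Fine for a demo box only.
            auth.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
            auth.RevocationMode = X509RevocationMode.NoCheck;
        }
        else
        {
            // Deployed client: the cert must chain to a trusted CA and revocation is
            // checked online, so a compromised service key can actually be revoked.
            auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
            auth.RevocationMode = X509RevocationMode.Online;
        }
        return factory;
    }

    public static void Main()
    {
        ChannelFactory<ISecureCalculator> factory = Create(new Uri("http://localhost/serv.svc"), true);
        ISecureCalculator proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine(proxy.Add(2, 3));
            ((IClientChannel)proxy).Close();
        }
        catch (Exception)
        {
            // A faulted channel cannot be closed cleanly; abort it instead.
            ((IClientChannel)proxy).Abort();
            throw;
        }
    }
}
```

Keeping both branches in one factory makes the difference reviewable: a grep for NoCheck or PeerOrChainTrust in deployed configuration or code is a quick check that demo settings have not shipped.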
Tips & Tricks: VS2008 SP1
[Screenshot slides]
New Services
- NetMsmqActivator (Net.Msmq Listener Adapter): receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
- NetPipeActivator (Net.Pipe Listener Adapter): receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
- NetTcpActivator (Net.Tcp Listener Adapter): receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
- NetTcpPortSharing (Net.Tcp Port Sharing Service): provides the ability to share TCP ports over the net.tcp protocol.
Q & A
Track Resources
- CodePlex WCF Security Guidance: http://www.codeplex.com/WCFSecurity
- IDesign code library: http://www.idesign.net/
- MSDN WCF demos and examples: http://wcf.netfx3.com/
- (WCF), (WF) and Windows CardSpace Samples (MSDN): http://tinyurl.com/4zvppt
- Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.  Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.  MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
[Diagram: the Client presents Claims issued by an Authority to the Service; the Service checks with the Authority whether the Claims are valid]

More Related Content

What's hot

SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 
Session 1: The SOAP Story
Session 1: The SOAP StorySession 1: The SOAP Story
Session 1: The SOAP Storyukdpe
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshellFrank Kelly
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLSkeithrozario
 
Front end-security
Front end-securityFront end-security
Front end-securityMiao Siyu
 

What's hot (6)

SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
 
Session 1: The SOAP Story
Session 1: The SOAP StorySession 1: The SOAP Story
Session 1: The SOAP Story
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
 
Front end-security
Front end-securityFront end-security
Front end-security
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 

Viewers also liked

139说客客户端设计
139说客客户端设计139说客客户端设计
139说客客户端设计argoy
 
MARCIANO Portfolio.compressed
MARCIANO Portfolio.compressedMARCIANO Portfolio.compressed
MARCIANO Portfolio.compressedJamie Schuppert
 
Sec 1 Na Rain Gauge
Sec 1 Na Rain GaugeSec 1 Na Rain Gauge
Sec 1 Na Rain Gaugechua.geog
 
Perfect day by Carole Elliott Artist
Perfect day by Carole Elliott ArtistPerfect day by Carole Elliott Artist
Perfect day by Carole Elliott ArtistCarole Elliott
 
komunikasi interpersonalskill
komunikasi interpersonalskillkomunikasi interpersonalskill
komunikasi interpersonalskillSayur Lodeh
 
Jazz guitar chord bible
 Jazz guitar chord bible Jazz guitar chord bible
Jazz guitar chord bibleWilly Zt
 
Achievement Motivation Training
Achievement Motivation Training Achievement Motivation Training
Achievement Motivation Training Kanaidi ken
 
977биомеханика кошки
977биомеханика кошки977биомеханика кошки
977биомеханика кошкиKirrrr123
 

Viewers also liked (10)

139说客客户端设计
139说客客户端设计139说客客户端设计
139说客客户端设计
 
De Vleugels Van Mijn Vlucht
De Vleugels Van Mijn VluchtDe Vleugels Van Mijn Vlucht
De Vleugels Van Mijn Vlucht
 
MARCIANO Portfolio.compressed
MARCIANO Portfolio.compressedMARCIANO Portfolio.compressed
MARCIANO Portfolio.compressed
 
Sec 1 Na Rain Gauge
Sec 1 Na Rain GaugeSec 1 Na Rain Gauge
Sec 1 Na Rain Gauge
 
Perfect day by Carole Elliott Artist
Perfect day by Carole Elliott ArtistPerfect day by Carole Elliott Artist
Perfect day by Carole Elliott Artist
 
Анкета для учащихся
Анкета для учащихсяАнкета для учащихся
Анкета для учащихся
 
komunikasi interpersonalskill
komunikasi interpersonalskillkomunikasi interpersonalskill
komunikasi interpersonalskill
 
Jazz guitar chord bible
 Jazz guitar chord bible Jazz guitar chord bible
Jazz guitar chord bible
 
Achievement Motivation Training
Achievement Motivation Training Achievement Motivation Training
Achievement Motivation Training
 
977биомеханика кошки
977биомеханика кошки977биомеханика кошки
977биомеханика кошки
 

Similar to Secure Web Services Using WCF

Web Security in Network Security NS7
Web Security in Network Security NS7Web Security in Network Security NS7
Web Security in Network Security NS7koolkampus
 
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / DatelecSecure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / DatelecSylvain Maret
 
Wap Security Arch Presentation
Wap Security Arch PresentationWap Security Arch Presentation
Wap Security Arch PresentationRam Dutt Shukla
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere générationSylvain Maret
 
Web Services Container
Web Services ContainerWeb Services Container
Web Services ContainerJorgen Thelin
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of TrustYousof Alsatom
 
Windows Communication Foundation
Windows Communication FoundationWindows Communication Foundation
Windows Communication FoundationDavid Truxall
 
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Jorgen Thelin
 

Similar to Secure Web Services Using WCF (20)

07 advanced topics
07 advanced topics07 advanced topics
07 advanced topics
 
Day6
Day6Day6
Day6
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Security in Network Security NS7
Web Security in Network Security NS7Web Security in Network Security NS7
Web Security in Network Security NS7
 
Web Security
Web SecurityWeb Security
Web Security
 
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / DatelecSecure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
 
Wap Security Arch Presentation
Wap Security Arch PresentationWap Security Arch Presentation
Wap Security Arch Presentation
 
ch17.ppt
ch17.pptch17.ppt
ch17.ppt
 
Ch17
Ch17Ch17
Ch17
 
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génératione-Xpert Gate / Reverse Proxy - WAF 1ere génération
e-Xpert Gate / Reverse Proxy - WAF 1ere génération
 
Web Services Container
Web Services ContainerWeb Services Container
Web Services Container
 
Websecurity
Websecurity Websecurity
Websecurity
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
SSL
SSLSSL
SSL
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
 
Security Avalanche
Security AvalancheSecurity Avalanche
Security Avalanche
 
Windows Communication Foundation
Windows Communication FoundationWindows Communication Foundation
Windows Communication Foundation
 
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx

Secure Web Services Using WCF

  • 13. Authentication. Caller identification: Windows tokens, certificates, user name tokens, custom. Service identification (to the caller): Windows tokens, X.509 certificates.
  • 14. Authentication (WS-Security). [Diagram: contract and policies exchanged between caller and service; token types X.509 certificate, Kerberos, XrML, SAML, custom.] The service verifies that the user owns (is able to use) a private key that is never transmitted.
  • 15. Authorization: what the caller is allowed to do. WCF decides from the caller's claims, and a caller can carry many (Windows token, SAML token). Claim sources: Windows groups, ASP.NET providers, custom provider. No good without authentication.
  • 16. Claims. A claim is a declaration made by an entity about an entity (for example a name, identity, group, key, or privilege). The entity that makes the claim is the claim issuer; the entity about which the claim is made is the claim subject. In WCF a claim is defined by a triplet: type, right, resource. A claim issuer can vouch for (endorse) the claims in a security token by using its key to sign or encrypt the token; this is what makes the claims in the token authenticatable.
  • 17. [Topology diagram: partner STS, browser and WinClient callers, DMZ with IIS, intranet with IIS, WinClient and router.]
  • 18. Scenarios. Intranet: direct access to the service (rare, single machine); application servers (more common, distributed, maybe port restrictions and firewalls); AD, Windows auth. Internet: firewalled, DMZed; restricted ports and routes, custom identity store; maybe a trusted subsystem down the line with AD/Windows auth; maybe multiple authentication systems involved.
  • 19. Scenarios (cont.). B2B: crossing multiple network topologies, firewalls, port restrictions; non-Windows security topologies and implementations; may require acquiring and using different identities; maybe multiple authentication systems involved; most likely service to service.
  • 21. Service and Client: configuring. How does this stuff work?
  • 22. Security Modes. None: turns security off; not recommended (the default for BasicHttpBinding). Transport: uses transport security for mutual authentication and message protection. Message: uses message security for mutual authentication and message protection; WCF requires an X.509 service certificate unless the credential is Windows (negotiated via SSPI). Both: lets you supply settings for transport and message-level security (only the MSMQ bindings support this).
  • 23. Demo: controlling security modes.
  • 24. Security Modes (cont.). TransportWithMessageCredential: client credentials are passed with the message; service authentication, confidentiality and data integrity are provided by the transport layer. TransportCredentialOnly: client credentials are passed at the transport layer and no message protection is applied (BasicHttpBinding only; use it solely on a network that is already protected, e.g. by IPsec, because credentials and payload travel in the clear).
  • 26. WCF Channel Stack. [Diagram: service instance -> WCF runtime (operation, dispatcher) -> channel stack (protocol, protocol, encoding, transport).]
  • 27. Security.Mode == None (netTcpBinding): TransactionFlowBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> TcpTransportBinding (transport).
  • 28. Security.Mode == Transport (netTcpBinding): TransactionFlowBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> WindowsStreamSecurityBinding (protocol, stream upgrade) -> TcpTransportBinding (transport).
  • 29. Security.Mode == Message (netTcpBinding): TransactionFlowBinding (protocol) -> SymmetricSecurityBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> TcpTransportBinding (transport).
  • 30. Security.Mode == TransportWithMessageCredential (netTcpBinding): TransactionFlowBinding (protocol) -> TransportSecurityBinding (protocol) -> BinaryMessageEncodingBinding (encoding) -> SslStreamSecurityBinding (protocol, stream upgrade) -> TcpTransportBinding (transport).
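The stacks drawn on slides 27-30 can be reproduced from code. The following is an added example, not part of the deck: it builds a NetTcpBinding in each SecurityMode and lists the binding elements WCF assembles, so you can see where the security layer lands relative to the encoder and the transport. The credential choices (Windows for Transport, UserName for the two message-credential modes) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example, not code from the deck: lists the binding elements WCF stacks
// for a NetTcpBinding in each SecurityMode (compare with slides 27-30).
static class ChannelStackInspector
{
    // Credential types chosen for illustration; they change which security
    // element appears but not where in the stack it sits.
    public static List<string> ElementNames(SecurityMode mode)
    {
        var binding = new NetTcpBinding(mode);
        switch (mode)
        {
            case SecurityMode.Transport:
                // SSPI (Windows) stream security -> WindowsStreamSecurityBindingElement;
                // Certificate or None would give SslStreamSecurityBindingElement instead.
                binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
                break;
            case SecurityMode.Message:
            case SecurityMode.TransportWithMessageCredential:
                // Credential travels inside the SOAP envelope (WS-Security).
                binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
                break;
        }
        // CreateBindingElements returns the elements top (protocol) to bottom (transport).
        return binding.CreateBindingElements().Select(e => e.GetType().Name).ToList();
    }

    static void Main()
    {
        foreach (SecurityMode mode in Enum.GetValues(typeof(SecurityMode)))
        {
            Console.WriteLine("Security.Mode == " + mode);
            foreach (string name in ElementNames(mode))
                Console.WriteLine("  " + name);
        }
    }
}
```

Build it as a console application referencing System.ServiceModel. Turning on ReliableSession or changing the transport credential type adds or swaps elements, which is the quickest way to check what a binding configuration really puts on the wire before a message-level credential is even involved.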
  • 31. Demo: controlling credentials at the transport level.
  • 33. Demo: controlling message security and credentials.
  • 36. Choices, choices, choices. Confused by now?
  • 37. Out of the box bindings: Intranet. NetNamedPipeBinding: limited reach (same machine, cross process); fast; WCF-to-WCF only, no interoperable SOAP/WS-* support. Defaults: Security mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign.
  • 38. Out of the box bindings (cont.): Intranet. NetTcpBinding: WCF-to-WCF scenarios; fast, and WS-* features can be added (performance tradeoff); if you used COM+/DCOM, use this binding; load balancing: it has server affinity, so reduce the lease timeout. Defaults: Security mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign.
  • 39. Out of the box bindings (cont.): Intranet. NetMsmqBinding: queued work, workload leveling, disconnected scenarios. Defaults: Security mode: Transport; Credentials: Windows; Message protection: Sign. MsmqIntegrationBinding: for non-WCF (native MSMQ) clients.
  • 40. Out of the box bindings (cont.): Internet. BasicHttpBinding: interop with ASMX, support for WS-I Basic Profile 1.1; does not support the WS-* stack; works well with existing HTTP load balancing techniques; the only binding supported in Silverlight 2.0. Defaults: Security mode: None; Transport client credential: None; Message client credential: UserName; Message protection: None. Nothing is protected until you switch the mode to Transport or TransportWithMessageCredential over HTTPS.
  • 41. Out of the box bindings (cont.): Internet. WsHttpBinding: non-Windows/WCF clients; restricted ports, firewalls; can use HTTP load balancing, but then reliable session must be off and EstablishSecurityContext == false, so each request carries its own credential instead of a secure-conversation session bound to one server. Defaults: Security mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt.
  • 42. Out of the box bindings (cont.): Internet. WsFederationHttpBinding: share identities across multiple systems (federation through an STS); custom tokens. Defaults: Security mode: Message; Transport: HTTP; Credentials: issued token from the STS named in the binding; Message protection: Sign and Encrypt.
  • 44. Service and Client: security extension points (customization).
  • 45. Customization scenarios: custom security tokens, custom authentication methods, claims-based authorization, claims transformation, custom principals.
  • 46. WCF Security Extensible Points. Credentials: custom security token manager, custom service credentials, custom client credentials. Authorization: service authorization manager, external authorization policy, custom endpoint identity verifier. Authentication: security token authenticator, security token provider, custom authorization policy. Serialization: security token serializer, security key identifier clause.
  • 47. Custom Authentication. [Diagram: the client calls ISecureCalculator on CalculatorService at http://localhost/serv.svc presenting a SAML 1.0 token issued by http://schemas../self; the service asks for the claims http://schemas../givenname and http://schemas../lastname.] The service behavior registers a custom authorization manager next to the service credentials (the complete <services> and <bindings> sections are on slide 49):
      <behaviors>
        <serviceBehaviors>
          <behavior name="ServiceCredentials">
            <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
            <serviceCredentials>
              <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
              <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
  • 49. Service Config:
      <services>
        <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
          <endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="requireInfoCard" contract="ISecureCalculator">
            <identity>
              <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            </identity>
          </endpoint>
        </service>
      </services>
      <bindings>
        <wsFederationHttpBinding>
          <binding name="requireInfoCard">
            <security mode="Message">
              <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
                <claimTypeRequirements>
                  <add claimType="http://schemas../givenname" />
                  <add claimType="http://schemas../lastname" />
                </claimTypeRequirements>
                <issuer address="http://schemas../self" />
              </message>
            </security>
          </binding>
        </wsFederationHttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior name="ServiceCredentials">
            <serviceCredentials>
              <serviceCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
              <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
    Note that allowUntrustedRsaIssuers="true" accepts self-issued tokens signed with any RSA key (CardSpace personal cards), so authentication only proves the caller holds some key; which keys or claims are acceptable has to be decided in authorization.
  • 50. Client Config. [Diagram labels: ISecureCalculator, CalculatorService, SAML 1.0, http://localhost/serv.svc, http://madSTS.org/sts.]
      <client>
        <endpoint address="http://localhost/serv.svc/" binding="wsFederationHttpBinding" bindingConfiguration="requireInfoCard" contract="ISecureCalculator" behaviorConfiguration="ClientCredentials">
          <identity>
            <certificateReference findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
          </identity>
        </endpoint>
      </client>
      <bindings>
        <wsFederationHttpBinding>
          <binding name="requireInfoCard">
            <security mode="Message">
              <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
                <claimTypeRequirements>
                  <add claimType="http://schemas../emailaddress" />
                  <add claimType="http://schemas../givenname" />
                </claimTypeRequirements>
                <issuer address="http://schemas../self" />
              </message>
            </security>
          </binding>
        </wsFederationHttpBinding>
      </bindings>
      <behaviors>
        <endpointBehaviors>
          <behavior name="ClientCredentials">
            <clientCredentials>
              <serviceCertificate>
                <defaultCertificate findValue="fabrikam" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
                <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
    revocationMode="NoCheck" and certificateValidationMode="PeerOrChainTrust" are demo settings for a self-made "fabrikam" certificate in TrustedPeople; a production client should use ChainTrust with revocation checking.
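With allowUntrustedRsaIssuers="true" the service accepts a token from any self-issued (RSA-keyed) card, so authentication alone says little about who is calling; the serviceAuthorization manager registered on slide 47 is where the decision has to be made. The following is an added example of such a manager. It is not the deck's SelfissuedServAuthMgr, whose code is not on the page: it reads the claims WCF extracted from the SAML token and allows the call only if a PossessProperty email-address claim matches an allow-list. The class name, the allow-list entries and the use of the email claim (which the service binding would then have to list in claimTypeRequirements, as the client binding on slide 50 already does) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

namespace MyServiceAuthorizationManagers
{
    // Added example, not the deck's SelfissuedServAuthMgr: authorizes each call
    // from the claims WCF extracted from the caller's SAML token. With
    // allowUntrustedRsaIssuers="true" any self-issued card authenticates, so this
    // is the gate that decides who may call what.
    public class ClaimsServiceAuthorizationManager : ServiceAuthorizationManager
    {
        // Constructed allow-list for the example; a real service keeps this in its own store.
        static readonly HashSet<string> AllowedCallers =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice@example.com" };

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
            if (ctx == null || ctx.IsAnonymous)
                return false;                       // fail closed: no authenticated caller

            AuthorizationContext authz = ctx.AuthorizationContext;
            string action = operationContext.IncomingMessageHeaders.Action;

            // ClaimTypes.Email is the emailaddress claim the client binding on slide 50
            // requests; the service binding must list it in <claimTypeRequirements> too.
            string email = FindPossessedClaim(authz.ClaimSets, ClaimTypes.Email);
            bool allowed = email != null && AllowedCallers.Contains(email);

            // Audit every decision; denied calls are the ones worth alerting on.
            Console.WriteLine("{0} {1} -> {2}",
                email ?? "<no email claim>", action, allowed ? "ALLOW" : "DENY");
            return allowed;
        }

        // Only PossessProperty claims count: they are the properties the token
        // subject proved it holds. Identity-right claims are names, not proof.
        static string FindPossessedClaim(IList<ClaimSet> claimSets, string claimType)
        {
            foreach (ClaimSet set in claimSets)
                foreach (Claim claim in set.FindClaims(claimType, Rights.PossessProperty))
                    return claim.Resource as string;
            return null;
        }
    }
}
```

Register it in place of the manager on slide 47 with <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManagers.ClaimsServiceAuthorizationManager, MyServiceAuthorizationManagers" />. To scope the decision per operation, compare the action string against the contract's action URIs; returning false makes WCF fault the call before the operation runs.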
  • 51. Tips & Tricks VS2008 SP1
  • 52. Tips & Tricks (cont.)
  • 53. New Services NetMsmqActivator (Net.Msmq Listener Adapter) Receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service. NetPipeActivator (Net.Pipe Listener Adapter) Receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
  • 54. New Services NetTcpActivator (Net.Tcp Listener Adapter) Receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service. NetTcpPortSharing (Net.Tcp Port Sharing Service) Provides ability to share TCP ports over the net.tcp protocol.
  • 56. Q & A
  • 59. CodePlex WCF Security Guidance - http://www.codeplex.com/WCFSecurity IDesign code library - http://www.idesign.net/ MSDN WCF demos and examples - http://wcf.netfx3.com/ (WCF), (WF) and Windows CardSpace Samples - MSDN http://tinyurl.com/4zvppt Track Resources Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
  • 61. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
  • 62. [Diagram: client and service each present claims; a claims authority on each side validates the other party's claims.]
  • 63. Identity Types. DNS: use this element with X.509 certificates or Windows accounts. Certificate: this element specifies a Base64-encoded X.509 certificate value to compare with the service's; also use this element when a CardSpace card is the credential used to authenticate the service.
  • 64. Identity Types (cont.): certificate reference, RSA, user principal name, service principal name.
  • 65. [Topology diagram: partner STS, browser and WinClient callers, DMZ with IIS, intranet with IIS (S1, S2), WinClient and router.]
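The client configuration on slide 50 turns revocation checking off and accepts the service certificate by peer trust, which is fine for a demo with a self-made "fabrikam" certificate but not for production. The following is an added example, not from the deck, that sets the same client credentials in code with production values and pins the expected service identity with a DNS identity (slide 63) instead of the demo's certificate reference. It assumes the "requireInfoCard" binding configuration from slide 50 is present in the client's app.config, that the contract ISecureCalculator has the shape shown (only its name appears on the slides), and that the service certificate chains to a CA the client machine trusts.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed shape of the deck's contract; only the name appears on the slides.
[ServiceContract]
public interface ISecureCalculator
{
    [OperationContract]
    double Add(double a, double b);
}

// Added example, not the deck's code: client-side certificate validation set to
// production values, replacing the demo settings on slide 50
// (revocationMode="NoCheck", certificateValidationMode="PeerOrChainTrust").
public static class HardenedClient
{
    public static ChannelFactory<ISecureCalculator> CreateFactory()
    {
        // Loads <binding name="requireInfoCard"> from app.config (assumed present).
        var binding = new WSFederationHttpBinding("requireInfoCard");

        // Equivalent of <identity><dns value="fabrikam"/></identity>: the service
        // certificate's subject must match "fabrikam" or the call fails before any
        // token is sent.
        var address = new EndpointAddress(
            new Uri("http://localhost/serv.svc/"),
            EndpointIdentity.CreateDnsIdentity("fabrikam"));

        var factory = new ChannelFactory<ISecureCalculator>(binding, address);
        X509ServiceCertificateAuthentication auth =
            factory.Credentials.ServiceCertificate.Authentication;

        // Demo: PeerOrChainTrust accepts anything placed in TrustedPeople.
        // Production: the certificate must chain to a trusted root...
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        // ...and revocation is checked against the CA's CRL/OCSP endpoint.
        auth.RevocationMode = X509RevocationMode.Online;
        auth.TrustedStoreLocation = StoreLocation.LocalMachine;
        return factory;
    }

    // One call through the hardened factory, with the close/abort pattern WCF needs.
    public static double Demo()
    {
        ChannelFactory<ISecureCalculator> factory = CreateFactory();
        try
        {
            double sum = factory.CreateChannel().Add(2, 3);
            factory.Close();
            return sum;
        }
        catch
        {
            factory.Abort();   // never leave a faulted factory open
            throw;
        }
    }
}
```

With these settings the demo's self-signed "fabrikam" certificate is rejected at the first call, which is the intended behaviour: a certificate that cannot be chained or revocation-checked should fail in the client, not be waved through by a validation mode chosen for convenience.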