Zulfiqar's weblog

Architecture, security & random .Net

Federation over TCP streaming

Posted by zamd on July 4, 2008


Pablo described here a way to configure federation over TCP. In his approach he gets a SAML token from STS and then uses that token to get a security context token which will be used to provide actual message security throughout the session.

As message security only works in a buffered mode, so his approach is not suitable for a TCP streaming scenario. To enable federation along with TCP streaming you have to use mixed mode security (TransportWithMessageCredential) over TCP.  Let’s consider following binding which uses mixed mode security.

      <netTcpBinding>

        <binding name="tcp" transferMode="Streamed">

          <security mode="TransportWithMessageCredential">

            <message clientCredentialType="IssuedToken"/>

            <transport clientCredentialType="Windows"></transport>

          </security>

        </binding>

      </netTcpBinding>

Now the trouble is that there is no way to configure STS settings in this binding configuration so your only choice is to mimic the above settings in a custom binding.

      <wsHttpBinding>

        <binding name="simpTransport">

          <security mode="Transport">

            <transport clientCredentialType="None"/>

          </security>

        </binding>

      </wsHttpBinding>

 

      <customBinding>

        <binding name="tcp">

          <security authenticationMode="SecureConversation">

            <secureConversationBootstrap authenticationMode="IssuedTokenOverTransport">

              <issuedTokenParameters>

                <issuer address="https://localhost:9000/STS" binding="wsHttpBinding" bindingConfiguration="simpTransport"/>

              </issuedTokenParameters>

            </secureConversationBootstrap>

          </security>

          <windowsStreamSecurity/>

          <tcpTransport transferMode="Streamed" />

        </binding>

      </customBinding>

Advertisements

One Response to “Federation over TCP streaming”

  1. Heydar Semyari said

    Thanks for the example, even though the post is for about 5 years ago there are still a few ones like this and Pablo’s around.
    I have tried to use this approach and faced a problem. I expected that in my service implementation (ServiceBehavior) to have identity of type ClaimsIdentity (so I can obtain user’s claims) but unfortunately this is WindowsIdentity with no claim. Is there something I missed or my expectation is wrong?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: