1
votes

I have a WCF service hosted on a single endpoint with <ws2007FederationHttpBinding>. The service is secured using WIF tokens.

The service has one method, void IsOnline(), to determine the availability of the service. This method must be callable without a token, and I cannot split the interfaces, nor can I add another unsecured endpoint (= configuration services limitations).

So, can I modify my binding to basically state "using WIF tokens is optional"? Or in other words: The service should use the claims and identity from the caller or use some kind of anonymous token if there was no token provided.

My current binding:

  <microsoft.identityModel>
    <service saveBootstrapTokens="true">
      <audienceUris>
        <add value="https://.../MyServiceCaller" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://.../MyFederationProviderHere" realm="https://.../MyServiceCaller" requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        </claimTypeRequired>
      </applicationService>
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint" findValue="123123" />
      </serviceCertificate>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="123123" name="My.Auth.FederationProvider" />
          <add thumbprint="456456" name="My.Auth.FederationProvider" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
    ...
  <ws2007FederationHttpBinding>
    <binding name="Host_Ws2007FederationHttp_WithToken">
      <security>
        <message establishSecurityContext="false" issuedKeyType="BearerKey"
            issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
            negotiateServiceCredential="false">
          <tokenRequestParameters>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
              <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
1
could you please share the service config - Anil Purswani
actually I can't. The service is created dynamically by the configuration services (released inside of the StockTrader sample). - fabsenet

1 Answer

1
votes

No. In WCF, authentication requirements are per endpoint. You need a separate endpoint for your IsOnline operation. You then use a binding on this endpoint that allows anonymous connections.
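The layout the answer describes, as an added configuration example that is not part of the answer or of the StockTrader sample: the existing federated binding name Host_Ws2007FederationHttp_WithToken is taken from the question, while the service type My.Service.Implementation, the contracts My.Service.IMyService and My.Service.IHealthContract (a second service contract assumed to declare only IsOnline), the binding name Host_BasicHttp_Anonymous and the relative address "health" are assumed names. Because a WCF endpoint exposes exactly one contract, keeping IsOnline on its own contract is what limits the anonymous endpoint to that single operation; everything on IMyService stays behind the token-secured endpoint.

```xml
<!-- Added example, not from the answer above. Assumed names: My.Service.Implementation,
     My.Service.IMyService, My.Service.IHealthContract (declares only IsOnline),
     Host_BasicHttp_Anonymous and the relative address "health". -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Anonymous binding: HTTPS on the wire, no client credential required. -->
      <binding name="Host_BasicHttp_Anonymous">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="My.Service.Implementation">
      <!-- Token-secured endpoint: every operation on IMyService requires the WIF token,
           using the federated binding defined in the question. -->
      <endpoint address=""
                binding="ws2007FederationHttpBinding"
                bindingConfiguration="Host_Ws2007FederationHttp_WithToken"
                contract="My.Service.IMyService" />
      <!-- Anonymous endpoint: only IsOnline is reachable here, because
           IHealthContract declares nothing else. -->
      <endpoint address="health"
                binding="basicHttpBinding"
                bindingConfiguration="Host_BasicHttp_Anonymous"
                contract="My.Service.IHealthContract" />
    </service>
  </services>
</system.serviceModel>
```

When reviewing such a configuration, check that the anonymous endpoint's contract really contains only the availability operation and that its binding still uses transport security, so the health check does not become an unauthenticated path to any business operation.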