ClaimsPrincipal is null when it reaches WCF Service

3
votes

I am currently implementing a Federated Authentication solution using: A passive STS for issuing tokens, a Website hosting a Silverlight application and WCF services for the Silverlight App.

So far I am able:

  • Get redirected to the STS
  • Login and get redirected to the Website
  • Display the claims on the website by accessing HttpContext.Current.User.Identity as IClaimsIdentity;

on the web.config of the Website, I have added the two WIF modules needed (under IIS 7)

<modules runAllManagedModulesForAllRequests="true">

        <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler"/>
        <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler"/>

    </modules>

I have also configured the Microsoft.IdentityModel section of the web.config to use my own implementation of ClaimsAuthenticationManager and ClaimsAthorizationManager.

<service name="Rem.Ria.PatientModule.Web.WebService.PatientService">
        <claimsAuthenticationManager type ="Rem.Infrastructure.WIF.RemClaimsAuthenticationManager"/>
        <claimsAuthorizationManager type ="Rem.Infrastructure.WIF.RemClaimsAuthorizationManager"/>
      </service>

My ClaimsAuthenticationMAnager is simply setting the Thread.CurrentPrincipal is a valid Principal is provided.

class RemClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        public override IClaimsPrincipal Authenticate ( string resourceName, IClaimsPrincipal incomingPrincipal )
        {

            if ( incomingPrincipal.Identity.IsAuthenticated )
            {
                Thread.CurrentPrincipal = incomingPrincipal;
            }
            return incomingPrincipal;
        }
    }
}

The problem is that when my ClaimsAuthorizationManager is called, the context.Principal.Identity does not contain a valid Identity with Claims, and neither does the Thread.CurrentPrincipal.

Any ideas?

2
wcfwif

2 Answers

5
votes

You don't need to set the Thread.CurrentPrincipal because the session module will do this for you. You will need to access it through the HttpContext.Current.User because the Thread.Principal is usually set on a different thread than the one accessing your service because it is two different modules in IIS. We have an example of this in our upcoming book that you can check out at our Codeplex Site.

HTH

1
votes

The following sample code shows a sample class which inherits ClaimsAuthenticationManager. It just receives the incoming IClaimsPrincipal and passes through the claims, except the Name claim, which is modified. This does not set the CurrentPrincipal on the current thread, as in your example.

My test implementation is as follows: 

public class CustomClaimsAuthenticationManager : ClaimsAuthenticationManager
{
public CustomClaimsAuthenticationManager()
{

}

public override IClaimsPrincipal Authenticate(string resourceName, 
IClaimsPrincipal   incomingPrincipal)
{
    var outgoingIdentity = GetClaimsAsPassthrough(incomingPrincipal);
    return outgoingIdentity; 
}

private IClaimsPrincipal GetClaimsAsPassthrough(IClaimsPrincipal incomingPrincipal)
{
    if (!incomingPrincipal.Identity.IsAuthenticated)
    {
        return incomingPrincipal; 
    }

    var ingoingClaims = incomingPrincipal.Identity as IClaimsIdentity; 

    ClaimsIdentity outgoingIdentity = new ClaimsIdentity(new List<Claim>
    {
        new Claim(ClaimTypes.Name, (incomingPrincipal.Identity.Name + " 
        a very cool guy"))
    }, incomingPrincipal.Identity.AuthenticationType);

    foreach (var claim in ingoingClaims.Claims.Where(
    c => c.ClaimType != ClaimTypes.Name))
    {
        outgoingIdentity.Claims.Add(claim.Copy()); 
    }

    return new ClaimsPrincipal(new List<ClaimsIdentity> { outgoingIdentity }); 
 }

}