As per @mconnew's request in https://github.com/dotnet/wcf/issues/8#issuecomment-570717036 this issue is used to track WS2007FederationHttpBinding support.
@CumpsD, we're in the process of adding support for WS-Federation. We're waiting on another team to provide an implementation of a WS-Trust client which can get the federation token to then communicate with the server. That's then used by WSHttpBinding to communicate with the server.
I took a look at WS2007FederationHttpBinding to see how it's different than WSFederationHttpBinding and the difference is that it uses WS2007HttpBinding which we don't have as a specific binding. I checked the protocols used by WS2007HttpBinding and it looks like we probably have most if not all the implementation required to implement it.
Can you open an issue specifically for WS2007FederationHttpBinding?
Update - Work is progressing with the WSFederationHttpBinding, can't commit to a date but it's not too far away and then we can look into what is needed for the WS2007 version of it.
So a little bit of an update. It turns out that we need to implement WS2007HttpBinding for the goal of targeting support for ADFS (it requires BearerKey token type which WSFederationHttpBinding doesn't support, you need WS2007FederationHttpBinding). So support for the functionality of this binding will be available at the same time as WSFederationHttpBinding. The actual binding type itself will be different, but it should support the same functionality as the NetFx one. We aren't aiming to support every protocol variant that can be used, we're targeting the main common scenarios which should work for 99% of people. We are going to produce a single new binding which supports the features of WS2007FederationHttpBinding as well as WSFederationHttpBinding.
I'd be happy to help test out the new binding once it becomes available!
Any progress resolving this issue?
There was some unexpected work needed in underlying dependencies, specifically IdentityModel APIs. We have been working with that team to get the issue resolved, they are actively working on it. This is a priority for us to get done and it is progressing.
Is there any progress or workaround? This is the main issue holding my team back from fully switching to dotnet core because we are dependent on a third party wcf interface.
We are working on some build issues, but once they are resolved we should be releasing a preview package with this functionality very soon.
@m-straub, you can get the preview packages at this nuget feed:
https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet5/nuget/v3/index.json
Although this is a feed for dotnet5, the WCF packages continue to only depend on netstandard2.0 which means our latest packages work on all currently supported versions of .NET Core. We have a new package System.ServiceModel.Federation which has a new binding WsFederationHttpBinding (casing is wrong, this will likely change to WSFed... in a future build).
Here's some sample code for the equivalent of WS2007FederationHttpBinding:
```c#
var issuerBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
issuerBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
issuerBinding.Security.Message.EstablishSecurityContext = false;
// Next, create the WsFederationHttpBinding
var binding = new WsFederationHttpBinding(new WsTrustTokenParameters
{
    // Specify the issuer binding created previously and the issuer's address
    IssuerBinding = issuerBinding,
    IssuerAddress = new EndpointAddress("https://
    // Be sure to choose the correct MessageSecurityVersion depending on whether the binding is for a
    // Ws2007FederationHttpBinding scenario or a WsFederationHttpBinding scenario.
    MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10,
});
```
If you have problems with this, please provide your existing binding. We're still shaking the bugs out of this and we haven't implemented every feature. We've implemented the most common scenarios and anything beyond that we'll evaluate based on size of work and level of demand.
Can confirm it's functional on .netcore3.1, would be nice to have some XML to code binding configuration converter.
Here is my conversion between the WCF .configuration and the code base config.
**ws2007HttpBinding**
```xml
<ws2007HttpBinding>
  <binding name="issuerBinding">
    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" establishSecurityContext="false" />
    </security>
  </binding>
</ws2007HttpBinding>
```
```cs
var issuerBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
issuerBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
issuerBinding.Security.Message.EstablishSecurityContext = false;
```
**ws2007FederationHttpBinding**
```xml
<ws2007FederationHttpBinding>
  <binding name="binding" maxReceivedMessageSize="2147483647" closeTimeout="00:05:00" openTimeout="00:05:00" receiveTimeout="00:05:00" sendTimeout="00:05:00">
    <security mode="TransportWithMessageCredential">
      <message establishSecurityContext="true" issuedKeyType="BearerKey">
        <issuer address="https://XXX/adfs/services/trust/13/UsernameMixed" binding="ws2007HttpBinding" bindingConfiguration="adfsBinding" />
      </message>
    </security>
  </binding>
</ws2007FederationHttpBinding>
```
```cs
var binding = new WsFederationHttpBinding(new WsTrustTokenParameters
{
    KeyType = System.IdentityModel.Tokens.SecurityKeyType.BearerKey,
    EstablishSecurityContext = true,
    // Specify the issuer binding created previously and the issuer's address
    IssuerBinding = issuerBinding,
    IssuerAddress = new EndpointAddress("https://XXX/adfs/services/trust/13/UsernameMixed"),
    // Be sure to choose the correct MessageSecurityVersion depending on whether the binding is for a
    // Ws2007FederationHttpBinding scenario or a WsFederationHttpBinding scenario.
    MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10,
});
binding.MaxReceivedMessageSize = int.MaxValue; // 2147483647
binding.CloseTimeout = new TimeSpan(0, 5, 0);
binding.OpenTimeout = new TimeSpan(0, 5, 0);
binding.ReceiveTimeout = new TimeSpan(0, 5, 0);
binding.SendTimeout = new TimeSpan(0, 5, 0);
```
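Added example, not part of the thread and not code from the WCF project: a sketch of the XML-to-code converter asked for above, limited to the attributes that appear in the posted config. `FederationBindingConverter` and the host `sts.example` are hypothetical, and the binding type names are the preview package's as given in this thread.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Federation; // preview package named in this thread
using System.Xml.Linq;

static class FederationBindingConverter // hypothetical helper, not part of WCF
{
    public static WsFederationHttpBinding FromXml(string xml, WS2007HttpBinding issuerBinding)
    {
        XElement b = XElement.Parse(xml).Element("binding") ?? throw new ArgumentException("no <binding>");
        XElement security = b.Element("security") ?? throw new ArgumentException("no <security>");
        XElement message = security.Element("message") ?? throw new ArgumentException("no <message>");
        XElement issuer = message.Element("issuer") ?? throw new ArgumentException("no <issuer>");
        // Only the mode used in this thread is mapped; anything else is rejected rather than guessed.
        if ((string)security.Attribute("mode") != "TransportWithMessageCredential")
            throw new NotSupportedException("only TransportWithMessageCredential is handled");
        // The token request carries credentials; refuse an issuer address that is not https.
        var address = new Uri((string)issuer.Attribute("address"));
        if (address.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("issuer address must be https");
        var binding = new WsFederationHttpBinding(new WsTrustTokenParameters
        {
            // These attributes must be present: config-file defaults are not reproduced here.
            KeyType = Enum.Parse<System.IdentityModel.Tokens.SecurityKeyType>(
                (string)message.Attribute("issuedKeyType")),
            EstablishSecurityContext = (bool)message.Attribute("establishSecurityContext"),
            IssuerBinding = issuerBinding,
            IssuerAddress = new EndpointAddress(address),
            MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10,
        });
        binding.MaxReceivedMessageSize = (long)b.Attribute("maxReceivedMessageSize");
        // Config files write timeouts as hh:mm:ss, which TimeSpan.Parse accepts.
        binding.CloseTimeout = TimeSpan.Parse((string)b.Attribute("closeTimeout"));
        binding.OpenTimeout = TimeSpan.Parse((string)b.Attribute("openTimeout"));
        binding.ReceiveTimeout = TimeSpan.Parse((string)b.Attribute("receiveTimeout"));
        binding.SendTimeout = TimeSpan.Parse((string)b.Attribute("sendTimeout"));
        return binding;
    }

    static void Main()
    {
        // Constructed sample input; sts.example is a placeholder host.
        const string xml = @"<ws2007FederationHttpBinding><binding maxReceivedMessageSize='65536'
            closeTimeout='00:05:00' openTimeout='00:05:00' receiveTimeout='00:05:00' sendTimeout='00:05:00'>
          <security mode='TransportWithMessageCredential'><message establishSecurityContext='true' issuedKeyType='BearerKey'>
            <issuer address='https://sts.example/adfs/services/trust/13/UsernameMixed' /></message></security>
          </binding></ws2007FederationHttpBinding>";
        var issuerBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        issuerBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        issuerBinding.Security.Message.EstablishSecurityContext = false;
        var binding = FromXml(xml, issuerBinding);
        Console.WriteLine($"{binding.SendTimeout} {binding.MaxReceivedMessageSize}");
    }
}
```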