
CoreService and ADFS with Issued Token

In an earlier post, CoreService with ADFS, I described the XML configuration of a .NET client application connecting to an SDL Web 8.5 instance secured with ADFS. In this post I show another way of connecting to the CoreService: using a SAML token requested through code rather than through configuration.

The main steps in this approach are:
  • the client .NET Console application programmatically requests a SAML token from the ADFS server
  • the client creates the connection using the issued token
The setup on the SDL Web server and the configurations of the CoreService web-service are identical to those presented in the earlier post, therefore I won't mention them again here.

App.Config

The client is a .NET Console application using an App.config which defines the following CoreService endpoint:

<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="myCoreServiceBinding" maxReceivedMessageSize="10485760">
        <security mode="TransportWithMessageCredential">
          <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
            <issuer address="http://some.url" binding="basicHttpBinding" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>

  <client>
    <endpoint address="https://web85.playground/webservices/CoreService201603.svc/wsFederationHttp"
      binding="ws2007FederationHttpBinding" bindingConfiguration="myCoreServiceBinding"
      contract="MyCoreService.ISessionAwareCoreService" name="coreServiceFederation">
      <identity>
        <dns value="web85.playground"/>
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

Note that the security mode is set to TransportWithMessageCredential, meaning the transport is HTTPS and the user credential travels inside the SOAP message. Furthermore, the token format in the message is defined as SAML v2. The issuer of the SAML token is set to a fictitious address, but it has to be specified, otherwise we get System.IdentityModel.Selectors.CardSpaceException.

The client uses generated CoreService proxy classes, which also helps in creating the client endpoint above.

Client Code

The client makes two separate calls when creating a channel with the CoreService:
  • get a SAML token from the ADFS server
  • open a connection to the CoreService using the issued token
The method GetToken() calls the Security Token Service (STS) endpoint on the ADFS server, i.e. https://myadfs.com/adfs/services/trust/2005/usernamemixed, passes in the username, password and Relying Party identifier, and requests a SAML2 token. If the username and password are correct, ADFS issues an encrypted SAML token.

using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public class AdfsTokenClient
{
    private readonly string stsUrl;      // e.g. https://myadfs.com/adfs/services/trust/2005/usernamemixed
    private readonly string audienceId;  // Relying Party identifier configured in ADFS for the CoreService
    private readonly string username;
    private readonly string password;

    public AdfsTokenClient(string stsUrl, string audienceId, string username, string password)
    {
        this.stsUrl = stsUrl;
        this.audienceId = audienceId;
        this.username = username;
        this.password = password;
    }

    public SecurityToken GetToken()
    {
        // Credentials travel inside the SOAP message; HTTPS protects the transport
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var endpoint = new EndpointAddress(stsUrl);
        using (var factory = new WSTrustChannelFactory(binding, endpoint))
        {
            // The /trust/2005/ endpoint speaks WS-Trust Feb 2005; the factory defaults to WS-Trust 1.3
            factory.TrustVersion = TrustVersion.WSTrustFeb2005;
            factory.Credentials.UserName.UserName = username;
            factory.Credentials.UserName.Password = password;
            IWSTrustChannelContract channel = factory.CreateChannel();

            // Ask ADFS to issue a SAML 2.0 assertion scoped to the CoreService Relying Party
            RequestSecurityToken request = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                AppliesTo = new EndpointReference(audienceId),
                TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
            };

            return channel.Issue(request);
        }
    }
}

The client does not decrypt the token; it forwards it to the CoreService when creating the connection. The token is only decrypted on the SDL Web server.

In the code below a ChannelFactory is created around the ISessionAwareCoreService generated proxy. Then we create an actual channel to the CoreService by passing the SAML token to the ChannelFactory in method CreateChannelWithIssuedToken.

The server decrypts the token, extracts the user in it and creates a security context for that user. During the established session, the operations with the web service happen in the name of the impersonated user.

using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;

SecurityToken token = GetToken();

// The endpoint name matches the <endpoint name="coreServiceFederation"> element in App.config
using (var factory = new ChannelFactory<ISessionAwareCoreService>("coreServiceFederation"))
{
    // Let WCF use the System.IdentityModel configuration so the issued token can be attached
    factory.Credentials.UseIdentityConfiguration = true;
    // Attaches the (still encrypted) SAML token to the messages sent on this channel
    ISessionAwareCoreService coreService = factory.CreateChannelWithIssuedToken(token);

    Console.WriteLine("API Version: {0}", coreService.GetApiVersion());

    // Confirms that the server mapped the SAML subject to the expected Tridion user
    UserData user = coreService.GetCurrentUser();
    Console.WriteLine("User: {0} | {1} | {2}", user.Title, user.Description, user.Id);
}
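Because the client only forwards the token, it is worth checking what ADFS actually returned and reusing it until shortly before it expires rather than requesting a new one per call. The following helper is an added example, not code from the original post: IssuedTokenHolder, the five-minute refresh margin and the Func<SecurityToken> delegate wrapping GetToken() are my own choices.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Xml;

// Hypothetical helper around the GetToken() call shown above.
public class IssuedTokenHolder
{
    private const string Saml2Ns = "urn:oasis:names:tc:SAML:2.0:assertion";
    private readonly Func<SecurityToken> requestToken;
    // Assumed margin: refresh before the server would reject the token as expired
    private readonly TimeSpan refreshMargin = TimeSpan.FromMinutes(5);
    private SecurityToken current;

    public IssuedTokenHolder(Func<SecurityToken> requestToken)
    {
        this.requestToken = requestToken;
    }

    // Returns a cached token while it is still valid for at least refreshMargin,
    // otherwise requests a fresh one from the STS and validates it first.
    public SecurityToken GetValidToken()
    {
        if (current == null || current.ValidTo - refreshMargin <= DateTime.UtcNow)
        {
            SecurityToken fresh = requestToken();
            Validate(fresh);
            current = fresh;
        }
        return current;
    }

    // The client cannot read the encrypted assertion, but it can confirm that the STS
    // returned a SAML 2.0 element (EncryptedAssertion in the setup described in the post)
    // with a sane validity window before forwarding it to the CoreService.
    private static void Validate(SecurityToken token)
    {
        var xmlToken = token as GenericXmlSecurityToken;
        if (xmlToken == null)
            throw new SecurityTokenException("STS did not return an XML security token");

        XmlElement root = xmlToken.TokenXml;   // never log this: it is a bearer credential
        bool saml2 = root.NamespaceURI == Saml2Ns
            && (root.LocalName == "EncryptedAssertion" || root.LocalName == "Assertion");
        if (!saml2)
            throw new SecurityTokenException("Unexpected token element: " + root.Name);

        DateTime now = DateTime.UtcNow;
        if (token.ValidFrom > now.AddMinutes(5) || token.ValidTo <= now)
            throw new SecurityTokenValidationException("Token is outside its validity window");
    }
}
```

Pass `holder.GetValidToken()` to CreateChannelWithIssuedToken instead of calling GetToken() directly; each new channel then reuses the same assertion until it is about to expire.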
