In an earlier post, CoreService with ADFS, I described the XML configuration of a .NET client application connecting to an SDL Web 8.5 instance secured with ADFS. In this post I am showing another way of connecting to the CoreService, namely using a SAML token requested through code rather than configuration.
The main steps in this approach are:
- client .NET Console application requests programmatically a SAML token from the ADFS server
- client creates connection using issued token
The setup on the SDL Web server and the configurations of the CoreService web-service are identical to those presented in the earlier post, therefore I won't mention them again here.
App.Config
The client is a .NET Console application using an App.config which defines the following CoreService endpoint:
<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="myCoreServiceBinding" maxReceivedMessageSize="10485760">
        <security mode="TransportWithMessageCredential">
          <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
            <issuer address="http://some.url" binding="basicHttpBinding" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://web85.playground/webservices/CoreService201603.svc/wsFederationHttp"
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="myCoreServiceBinding"
              contract="MyCoreService.ISessionAwareCoreService"
              name="coreServiceFederation">
      <identity>
        <dns value="web85.playground"/>
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
Note that the security mode is set to TransportWithMessageCredential, which means HTTPS is used for transport security and the user credential is carried inside the SOAP message. Furthermore, the format of that credential is defined as a SAML 2.0 token. The issuer of the SAML token is set to a fictitious address, but it has to be specified, otherwise we get System.IdentityModel.Selectors.CardSpaceException.
The client uses generated CoreService proxy classes and this helps also in creating the client endpoint above.
Client Code
The client makes 2 separate calls when creating a channel with the CoreService:
- get SAML token from ADFS server
- open connection to CoreService using issued token
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// stsUrl, username, password and audienceId are fields of the enclosing class:
// the ADFS WS-Trust 1.3 username endpoint, the credentials to authenticate with,
// and the relying party identifier configured in ADFS for the CoreService.
public SecurityToken GetToken()
{
    // Username over HTTPS, sent in the message, without a secure conversation session
    WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
    binding.Security.Message.EstablishSecurityContext = false;

    var endpoint = new EndpointAddress(stsUrl);
    using (var factory = new WSTrustChannelFactory(binding, endpoint))
    {
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        IWSTrustChannelContract channel = factory.CreateChannel();

        // Ask ADFS to issue a SAML 2.0 assertion scoped to the CoreService audience
        RequestSecurityToken request = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(audienceId),
            TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
        };
        return channel.Issue(request);
    }
}
The client won't decrypt the token, but rather will send it further to the CoreService when creating the connection. The token is only decrypted on the SDL Web server.
In the code below a ChannelFactory is created around the ISessionAwareCoreService generated proxy. Then we create an actual channel to the CoreService by passing the SAML token to the ChannelFactory in method CreateChannelWithIssuedToken.
The server decrypts the token, extracts the user in it and creates a security context for that user. During the established session, the operations with the web service happen in the name of the impersonated user.
SecurityToken token = GetToken();

// "coreServiceFederation" is the endpoint name from App.config
using (var factory = new ChannelFactory<ISessionAwareCoreService>("coreServiceFederation"))
{
    factory.Credentials.UseIdentityConfiguration = true;

    // The issued SAML token is attached to every message sent over this channel
    ISessionAwareCoreService coreService = factory.CreateChannelWithIssuedToken(token);

    Console.WriteLine("API Version: {0}", coreService.GetApiVersion());
    UserData user = coreService.GetCurrentUser();
    Console.WriteLine("User: {0} | {1} | {2}", user.Title, user.Description, user.Id);
}
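The two snippets above put together as one console program, written here as an added example rather than code from the original post. It differs from the post's code in three places a practitioner would want: the ADFS credentials and endpoint come from environment variables instead of being hard-coded, the issued token's validity window is checked before it is sent to the CoreService, and the channel and factory are closed explicitly (with Abort on failure) instead of relying on `using`, because disposing a faulted WCF channel throws and masks the original error. The environment variable names, the `RequestSamlToken`/`EnsureTokenUsable` helper names and the five-minute clock-skew allowance are assumptions; `MyCoreService` is the generated proxy namespace from the App.config contract.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using MyCoreService; // generated CoreService proxy (ISessionAwareCoreService, UserData)

class FederatedCoreServiceClient
{
    // Assumed variable names; values are not committed to source control.
    static readonly string StsUrl     = Environment.GetEnvironmentVariable("ADFS_STS_URL");
    static readonly string AudienceId = Environment.GetEnvironmentVariable("CORESERVICE_AUDIENCE");
    static readonly string Username   = Environment.GetEnvironmentVariable("ADFS_USERNAME");
    static readonly string Password   = Environment.GetEnvironmentVariable("ADFS_PASSWORD");

    // Step 1: request a SAML 2.0 token from ADFS over WS-Trust (same call as the post's GetToken).
    static SecurityToken RequestSamlToken()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        using (var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsUrl)))
        {
            factory.Credentials.UserName.UserName = Username;
            factory.Credentials.UserName.Password = Password;
            IWSTrustChannelContract channel = factory.CreateChannel();

            var request = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                AppliesTo = new EndpointReference(AudienceId),
                TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
            };
            return channel.Issue(request);
        }
    }

    // Reject a token that is already expired or not yet valid instead of letting the
    // server fault the session later; 5 minutes of clock skew is an assumed allowance.
    static void EnsureTokenUsable(SecurityToken token)
    {
        DateTime now = DateTime.UtcNow;
        if (token.ValidTo <= now)
            throw new SecurityTokenExpiredException("Issued token expired at " + token.ValidTo.ToString("o"));
        if (token.ValidFrom > now.AddMinutes(5))
            throw new SecurityTokenNotYetValidException("Issued token not valid before " + token.ValidFrom.ToString("o"));
    }

    // Step 2: open the federated channel with the issued token and call the CoreService.
    static void Main()
    {
        SecurityToken token = RequestSamlToken();
        EnsureTokenUsable(token);

        var factory = new ChannelFactory<ISessionAwareCoreService>("coreServiceFederation");
        factory.Credentials.UseIdentityConfiguration = true;
        ISessionAwareCoreService coreService = null;
        try
        {
            coreService = factory.CreateChannelWithIssuedToken(token);

            Console.WriteLine("API Version: {0}", coreService.GetApiVersion());
            UserData user = coreService.GetCurrentUser();
            Console.WriteLine("User: {0} | {1} | {2}", user.Title, user.Description, user.Id);

            ((ICommunicationObject)coreService).Close();
            factory.Close();
        }
        catch (MessageSecurityException ex)
        {
            // Server rejected the token (wrong audience, untrusted issuer, expired, ...).
            // Log the reason only; never log the token or the password.
            Console.Error.WriteLine("CoreService rejected the issued token: " + ex.Message);
            if (coreService != null) ((ICommunicationObject)coreService).Abort();
            factory.Abort();
            throw;
        }
        catch (CommunicationException ex)
        {
            Console.Error.WriteLine("Communication failure: " + ex.Message);
            if (coreService != null) ((ICommunicationObject)coreService).Abort();
            factory.Abort();
            throw;
        }
    }
}
```

Set the four environment variables, point `ADFS_STS_URL` at the ADFS WS-Trust 1.3 username endpoint and `CORESERVICE_AUDIENCE` at the relying party identifier configured in ADFS for the CoreService, and run the console application; a rejected or expired token surfaces as an exception before any CoreService operation is attempted.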