Hosting a federation-enabled web site client and WCF service in Azure Websites


Using Visual Studio 2012 and WebMatrix tool-chain components, we managed to build a client and a server, both hosted in Azure Websites. This gives us simple hosting, SSL, domain names, etc.

Using WebMatrix we made a simple mobile site. We then opened that site and its solution in Visual Studio 2012. To the solution we added another project, based on the WCF application wizard. We published each to a separate Azure website before starting on the federation enablement.

image

In short, we used the Identity and Access tool to frame out the basic web.config elements for both the WCF client (built into the web site, using a service reference) and the WCF service. However, we ended up performing a fair amount of specialization of the default values, to suit what Azure Websites hosting will and will not do.

We had to change the message-centric bindings to TransportWithMessageCredential bindings, use bearer keys (to avoid referencing a certificate on the host), ensure on the client that the issuer element actually references the binding configuration to be used between the client and the STS, and replace the validating trust concept with the more typical fixed, configuration-based issuer name registry (since our STS does not publish metadata in a form that can be used for automatic trust-fabric and key management).

The client:

<?xml version="1.0"?>
<!-- web.config of the web site that hosts the WCF client (ServiceReference1).
     The federation setup is tailored to what Azure Websites hosting allows:
     HTTPS carries the channel security, the issued token is a bearer token
     (no client-side certificate or proof key on the host), and the client
     authenticates to the STS with a username/password sent inside the message
     over TLS. -->
<configuration>
  <system.web>
    <!-- Troubleshooting settings: detailed error pages and debug builds are
         served to remote callers for as long as these two stay on. -->
    <customErrors mode="Off"></customErrors>
    <compilation debug="true" targetFramework="4.0"/>
  </system.web>
  <system.serviceModel>
    <bindings>
      <!-- Binding between this client and the federated service. No secure
           conversation session is established; the issued token is a bearer
           token, so nothing beyond the TLS channel protects its presentation. -->
      <ws2007FederationHttpBinding>
        <binding name="WS2007FederationHttpBinding_IService1">
          <security mode="TransportWithMessageCredential">
            <message establishSecurityContext="false" issuedKeyType="BearerKey">
              <!-- STS endpoint the token is requested from. Only the binding
                   type is given (no bindingConfiguration), so the unnamed
                   ws2007HttpBinding defined further down is the configuration
                   used for the STS call. -->
              <issuer address="https://ssoserviceslax.rapmls.com/Issuer.svc/13/MLS/BARI/32/BARI" 
                      binding="ws2007HttpBinding" />
              <!-- Same URL the service side records as ida:FederationMetadataLocation. -->
              <issuerMetadata address="https://ssoportallax.rapmls.com/spinitiatedssohandler.aspx/BARI/32" />
              <!-- Parameters added to the RequestSecurityToken sent to the STS:
                   bearer key type, exclusive C14N and AES-256-CBC. -->
              <tokenRequestParameters>
                <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                  <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
                  <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                  <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                </trust:SecondaryParameters>
              </tokenRequestParameters>
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
      <!-- Binding between this client and the STS (referenced by the issuer
           element above). HTTPS transport with no transport-level client
           credential; the UserName credential set in the Razor page travels in
           the message. No service-credential negotiation and no session. -->
      <ws2007HttpBinding>
        <binding>
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="UserName" negotiateServiceCredential="false"
              establishSecurityContext="false" />
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>
    <!-- Two endpoints share one binding configuration: the Azure-hosted service
         and a local HTTPS instance for debugging. The Razor page selects the
         endpoint by its name, so only the first one is used there. -->
    <client>
      <endpoint address="https://resows.azurewebsites.net/Service1.svc"
        binding="ws2007FederationHttpBinding" 
                bindingConfiguration="WS2007FederationHttpBinding_IService1"
        contract="ServiceReference1.IService1" name="WS2007FederationHttpBinding_IService1" />
      <endpoint address="https://localhost:44300/Service1.svc"
        binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IService1"
        contract="ServiceReference1.IService1" name="WS2007FederationHttpBinding_IService2" />
    </client>
  </system.serviceModel>
</configuration>

The server:


<?xml version="1.0"?>
<!-- web.config of the WCF service (Service1.svc) hosted in Azure Websites.
     Callers must present a bearer token issued by the STS pinned at the bottom
     of this file; token validation is delegated to system.identityModel.
     Several entries are troubleshooting settings that disclose information
     (detailed errors, metadata, directory listing, full message logs); each
     carries a note below. -->
<configuration>
  <configSections>
    <!-- Registers the system.identityModel section consumed by the
         identityConfiguration element at the end of the file. -->
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <!-- NOTE(review): the ida:* keys look like bookkeeping written by the
         Identity and Access tool rather than values the runtime reads; confirm
         before relying on them. -->
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
    <add key="ida:FederationMetadataLocation" value="https://ssoportallax.rapmls.com/spinitiatedssohandler.aspx/BARI/32" />
    <add key="ida:ProviderSelection" value="productionSTS" />
  </appSettings>
  <!-- Only the FederationMetadata path is opened to anonymous users. -->
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- Verbose WCF/WIF activity tracing, all routed to the shared "xml" listener.
       NOTE(review): combined with messageLogging below (logEntireMessage="true")
       this writes the bearer tokens received from callers into the trace file;
       anyone able to read that file holds usable tokens until they expire.
       Turn this off, or protect the file, before the service is reachable by
       others. -->
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel"
              switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="CardSpace">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="System.IO.Log">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="System.Runtime.Serialization">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="System.IdentityModel">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
    </sources>

    <!-- Single file sink for every source above. The directory must exist and
         be writable by the site's worker process; NOTE(review): confirm such a
         path is actually available to an Azure Websites instance. -->
    <sharedListeners>
      <add name="xml"
            type="System.Diagnostics.XmlWriterTraceListener"
            initializeData="c:\log\Traces.svclog" />
    </sharedListeners>
  </system.diagnostics>
  <system.web>
    <!-- Troubleshooting settings: detailed error pages and debug builds are
         served to remote callers for as long as these stay on. -->
    <customErrors mode="Off"></customErrors>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
  </system.web>
  <system.serviceModel>
      <!-- Logs whole messages at both service and transport level, up to 3000
           messages of at most 2000 bytes each; see the note on
           system.diagnostics about tokens ending up in the trace file. -->
      <diagnostics>
        <messageLogging 
             logEntireMessage="true" 
             logMalformedMessages="false"
             logMessagesAtServiceLevel="true" 
             logMessagesAtTransportLevel="true"
             maxMessagesToLog="3000"
             maxSizeOfMessageToLog="2000"/>
      </diagnostics>
    <behaviors>
      <serviceBehaviors>
        <!-- Unnamed behavior: applies to every service in this site. -->
        <behavior>
          <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
          <!-- Both HTTP and HTTPS metadata GET are currently enabled. -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <!-- Token handling is delegated to the identityConfiguration section
               below. The service certificate the tool generated is commented
               out: with bearer tokens and TLS transport the host needs no
               certificate store entry (see the post above). -->
          <serviceCredentials useIdentityConfiguration="true">
            <!--Certificate added by Identity and Access Tool for Visual Studio.-->
            <!--<serviceCertificate findValue="CN=*.azurewebsites.net" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />-->
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <!-- https endpoints use the federation binding; its unnamed configuration
         below is the default applied here. -->
    <protocolMapping>
      <add scheme="https" binding="ws2007FederationHttpBinding" />
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <bindings>
      <!-- Service-side mirror of the client binding: HTTPS transport, bearer
           issued token, no secure conversation, no credential negotiation.
           NOTE(review): issuerMetadata here names the Issuer.svc endpoint,
           while ida:FederationMetadataLocation above names
           spinitiatedssohandler.aspx; confirm which one serves the metadata
           document. -->
      <ws2007FederationHttpBinding>
        <binding name="">
          <security mode="TransportWithMessageCredential">
            <message establishSecurityContext="false"  negotiateServiceCredential="false" 
                     issuedKeyType="BearerKey">
              <issuerMetadata address="https://ssoserviceslax.rapmls.com/Issuer.svc/13/MLS/BARI/32/BARI" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <!-- NOTE(review): directory listing is on for the whole site, which shows
         the deployed file layout to anonymous callers. Disable it before the
         service is exposed. -->
    <directoryBrowse enabled="true" />
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <!-- A token is accepted only if its audience is one of these two service
           URIs (the Azure site and the local debug instance). -->
      <audienceUris>
        <add value="https://resows.azurewebsites.net/Service1.svc" />
        <add value="https://localhost:44300/Service1.svc" />
      </audienceUris>
      <!-- Fixed trust: the STS signing certificate is pinned by thumbprint and
           mapped to the issuer name. When the STS rotates its signing key this
           entry has to be updated by hand, since no metadata is consumed. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="3D395125055F73731C0C1F7B16D8CD23A79B2C3E"
               name="https://ssoportallax.rapmls.com/spinitiatedssohandler.aspxbari" />
        </trustedIssuers>
      </issuerNameRegistry>
      <!-- Chain and revocation checks on the token-signing certificate are
           disabled; trust rests entirely on the thumbprint pinned above. -->
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>
</configuration>

Client programming:

@{
    // Demo call into the federated service. The proxy is created by endpoint
    // name (WS2007FederationHttpBinding_IService1 in the client web.config
    // above), so the Azure-hosted service is called; the localhost endpoint
    // is WS2007FederationHttpBinding_IService2.
    ServiceReference1.Service1Client svc 
        = new ServiceReference1.Service1Client("WS2007FederationHttpBinding_IService1");
    // NOTE(review): the STS username and password are hard-coded in page
    // source. They travel to the STS as a UserName message credential over
    // TLS (see the ws2007HttpBinding in the client config), but a literal
    // password in a checked-in .cshtml is a secret-management defect; load it
    // from protected configuration instead.
    svc.ClientCredentials.UserName.UserName = "rapstaff";
    svc.ClientCredentials.UserName.Password = "foo";
    // Suppress any interactive credential prompt; this page runs server-side.
    svc.ClientCredentials.SupportInteractive = false;

    // NOTE(review): the proxy is never closed or aborted, so the channel is
    // left to the finalizer; call svc.Close() (svc.Abort() on fault) when done.
    string r = svc.GetData(DateTime.Now.Second);    
}

<!DOCTYPE html>

<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>My Site's Title</title>
        <link href="~/favicon.ico" rel="shortcut icon" type="image/x-icon" />
    </head>
    <body>
        Hello @r
    </body>
</html>

