1

When i try to invoke a WCF service from an asp.net application (RP) which is authenticated by another asp.net application(IP) , I'm getting an error message with content of Login page (It is trying to reach the login page because it could not authenticate the request).

Identity Provider : _http://localhost/AuthenticatonWS/Login.aspx

Relying party Website : _http://localhost/RPWebsite/Default.aspx

WCF Service : _http://localhost/RPWebsite/Service1.svc

(In my solution I'm calling service1.svc from default.aspx.cs)

I don't want the service to be anonymous. Currently the site (RPWebsite) uses STS and trusts local Identity provider, but in production it can trust any external identity provider thru ADFS.

Can any one guide me how i can pass the token information to the service from aspx page, I did try several examples from internet but i could not get it working.

user1294385
  • 11
  • 2

2 Answers2

0

I think there are several options:

  1. Using Persistent Authentication Cookies that support multiple client sessions. Or support sharing session between your RP and WCF service, so that WCF can re-utilized the authentication cookies issued for RP when RP makes a call to WCF service. To be honest, I have never tried to implement this in action. It is just my theory.
  2. Create an separate authentication service which require no user-interaction (such as entering username/password). And then you have plenty of way to call WCF from your RP:
    • From your RP, ask the authentication service to issue a token for WCF; attach the token into request header of WCF call (e.g.: Authorization); then call WCF service. This requires a custom HttpModule to accept custom request header containing token at WCF service.
    • From your RP, you can also store UserName/Password, or an unique user identity claim which could identify the user; attach those information into request header of WCF call (e.g.: Authorization); then call WCF service. This also requires custom HttpModule to accept custom request header at WCF service.

I would recommend the second option, which you could find more useful information and guideline from Dominick Baier's blog.

Just my 2 cents.

Duy Pham
  • 35
  • 2
  • 11
0

The problem could very well be that the RPWebsite uses ClaimsAuthorizationModule in <system><httpModules> or <system.webserver><modules> in web.config. This causes any web service call to be redirected to the STS for authentication, as if it were an interactive browser request, as you observed.

Alternatively, this module can be added in the WIF-specific section of web.config, that is, in <microsoft.identityModel><service>, and in this case this module is only used for claims-based WCF web service calls. You add it in the following form: <claimsAuthorizationManager type="MyNamespace.CustomClaimsAuthenticationManager, MyAssembly"/>. (This type must extend ClaimsAuthorizationManager, as described in the WIF documentation page "ClaimsAuthenticationManager, ClaimsAuthorizationManager, and OriginalIssuer".)

Reference: Vittorio Bertocci, "Programming WIF", p. 43.

MarnixKlooster ReinstateMonica
  • 9,640
  • 14
  • 54
  • 108