
We have extended SecurityTokenService provided by Windows Identity Foundation (WIF). It issues token as expected and the SAML token is added in the SOAP header while calling every other WCF service we have.

I can see correct values in the NotBefore and NotOnOrAfter Saml Conditions present in the security token.

But surprisingly, every call to the other WCF services succeeds even when the service is called after the timestamp in the NotOnOrAfter SAML condition that's present in the security token in the SOAP header.

  1. I do not understand why it happens. Do I need to write some code to reject the call having expired security token?
  2. Do I need to create custom binding or behavior for it?
  3. Does not WIF or WCF take care of this basic thing automatically?
  4. It would be great if you could point me to some good documentation that explains what happens under the hood!

I am using .NET 4.0.

Learner
  • Just a guess: Does your WCF services use sessions? I wouldn't necessarily expect the token to be re-evaluated for expiration in the middle of a session. – jlew Nov 01 '12 at 12:45
  • We don't use sessions... – Learner Nov 01 '12 at 15:39
  • Is this a WS-Federation (web page) or WS-Trust (active client) scenario? – Grzegorz W Nov 04 '12 at 10:57
  • @Grzegorz Wilczura : We do not have any web pages. We have WCF services which are secured using an STS. The client is a WinForms application which authenticates the user with the STS, gets a security token and calls the other WCF services. – Learner Nov 05 '12 at 05:38
  • @Grzegorz Wilczura : Using .NET 4.0 – Learner Nov 07 '12 at 12:31

2 Answers

1

This validation is provided by SecurityTokenHandler. Which token handler is used depends on your token type and your configuration.

Answering your points:

  1. This depends on the token handler. For SAML tokens this should be done for you.
  2. Usually - No.
  3. Like in point 1.
  4. I personally disassemble Microsoft.IdentityModel.dll.

Check your web.config for the <microsoft.identityModel><service><securityTokenHandlers> section. If it is changed and you use a custom handler, then you might have overridden the default behavior implemented in SecurityTokenHandler.ValidateToken. If not, then you have to figure out your token type. If it is SAML 1.1 or SAML 2.0 then it should be validated. If not, then please share your token type.

Grzegorz W
0

Calls to the WCF service will be rejected after the ValidTo date expires plus the time from the MaxClockSkew parameter. You can manage this parameter by configuring the service.
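Both answers come down to the same lifetime check: the token handler compares the SAML Conditions against the current time with a clock-skew tolerance, which is why a call made shortly after NotOnOrAfter can still succeed. The following is an added illustration of that check written for this page, not WIF's own code nor code from either answer; it assumes a 5-minute skew and a constructed SAML 1.1 assertion.

```csharp
using System;
using System.Xml;
using System.Xml.Linq;

// Illustrates the lifetime check a SAML token handler performs, including the
// clock-skew tolerance. Not WIF's implementation; values below are assumptions.
static class SamlLifetimeCheck
{
    static readonly XNamespace Saml11 = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Assumed tolerance for this example (WIF exposes this as MaxClockSkew).
    public static readonly TimeSpan MaxClockSkew = TimeSpan.FromMinutes(5);

    // Reads NotBefore / NotOnOrAfter from the assertion's Conditions element.
    public static void ReadConditions(string assertionXml, out DateTime notBefore, out DateTime notOnOrAfter)
    {
        XElement conditions = XDocument.Parse(assertionXml).Root.Element(Saml11 + "Conditions");
        if (conditions == null) throw new InvalidOperationException("Assertion has no Conditions element");
        notBefore = XmlConvert.ToDateTime((string)conditions.Attribute("NotBefore"), XmlDateTimeSerializationMode.Utc);
        notOnOrAfter = XmlConvert.ToDateTime((string)conditions.Attribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
    }

    // Accepts the token only while 'now' lies in [NotBefore - skew, NotOnOrAfter + skew).
    // NotOnOrAfter itself is exclusive, as the SAML condition name says.
    public static bool IsWithinLifetime(DateTime notBefore, DateTime notOnOrAfter, DateTime now, TimeSpan skew)
    {
        return now >= notBefore - skew && now < notOnOrAfter + skew;
    }

    static void Main()
    {
        // Constructed sample assertion (not a real token); only Conditions matters here.
        string assertion =
            "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' MajorVersion='1' MinorVersion='1' AssertionID='_example'>" +
            "<saml:Conditions NotBefore='2012-11-01T12:00:00Z' NotOnOrAfter='2012-11-01T12:10:00Z'/>" +
            "</saml:Assertion>";
        DateTime notBefore, notOnOrAfter;
        ReadConditions(assertion, out notBefore, out notOnOrAfter);

        DateTime[] probes = {
            new DateTime(2012, 11, 1, 12, 5, 0, DateTimeKind.Utc),  // inside lifetime: accepted
            new DateTime(2012, 11, 1, 12, 12, 0, DateTimeKind.Utc), // expired, but within skew: accepted
            new DateTime(2012, 11, 1, 12, 16, 0, DateTimeKind.Utc), // beyond skew: rejected
        };
        foreach (DateTime now in probes)
            Console.WriteLine("{0:HH:mm}Z -> {1}", now,
                IsWithinLifetime(notBefore, notOnOrAfter, now, MaxClockSkew) ? "accepted" : "rejected");
    }
}
```

The second probe is the case in the question: a call two minutes past NotOnOrAfter is still accepted because it falls inside the skew window, while the third probe is rejected.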