
I've made an STS by overriding SecurityTokenService and hosted it using WCF. Also I've created a relying party and a test client. The client is successfully redirected to the STS (the program stops if I put a breakpoint in the GetOutputIdentity method). Now I need to deny access in my RP for all users except one role. How can I do it? Here is my configuration:

    // Fragment of the custom STS. The 'role' and 'userName' values are not defined in
    // this snippet; they come from the STS's own user lookup, which is not shown here.
    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal,
        RequestSecurityToken request,
        Scope scope)
    {
        // Reuse the authentication type of the caller that authenticated to the STS.
        string authenticationType = principal.Identity.AuthenticationType;

        var outputIdentity = new ClaimsIdentity(authenticationType);

        // These claims end up in the issued token and are what the RP gets to evaluate.
        outputIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
        outputIdentity.AddClaim(new Claim(ClaimTypes.Name, userName));
        return outputIdentity;
    }

Relying party configuration:

    <customBinding>
      <binding name="secureBinding">
        <security authenticationMode="IssuedToken" requireDerivedKeys="false">
          <issuedTokenParameters>
            <issuer address="http://localhost:1318/Services/SecurityTokenService.svc">
            </issuer>
            <issuerMetadata address="http://localhost:1318/Services/SecurityTokenService.svc/mex"></issuerMetadata>
          </issuedTokenParameters>
        </security>
        <httpTransport></httpTransport>
      </binding>
    </customBinding>
Pavel Rudko

1 Answer


You can use a custom AuthorizationManager to validate each call to the RP. This class provides a CheckAccess method that implements your custom validation according to the incoming claims.
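As an added illustration of that answer (not the answerer's code), here is a ClaimsAuthorizationManager for the RP that rejects every caller whose issued token lacks one specific role claim. It assumes the .NET 4.5 WIF API (System.Security.Claims), which matches the ClaimsPrincipal/ClaimsIdentity types in the question; the role name "Administrators" and the namespace are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

namespace RelyingParty.Security
{
    // Added example: invoked by WCF for every operation call once registered in
    // <system.identityModel>. Returning false makes WCF reject the call.
    public class SingleRoleAuthorizationManager : ClaimsAuthorizationManager
    {
        // Placeholder: substitute the role value your STS actually issues.
        private const string RequiredRole = "Administrators";

        public override bool CheckAccess(AuthorizationContext context)
        {
            if (context == null) throw new ArgumentNullException("context");

            ClaimsPrincipal principal = context.Principal;

            // Deny outright when there is no authenticated identity behind the call.
            if (principal == null || principal.Identity == null
                || !principal.Identity.IsAuthenticated)
                return false;

            // The STS in the question adds ClaimTypes.Role, so look for that claim
            // explicitly rather than relying on IsInRole, which depends on the
            // identity's RoleClaimType. Ordinal comparison avoids culture surprises.
            bool hasRequiredRole = principal.Identities.Any(identity =>
                identity.FindAll(ClaimTypes.Role).Any(claim =>
                    string.Equals(claim.Value, RequiredRole, StringComparison.Ordinal)));

            // Every other role (or no role claim at all) is denied.
            return hasRequiredRole;
        }
    }
}
```

Register it in the RP's config under `<system.identityModel><identityConfiguration><claimsAuthorizationManager type="RelyingParty.Security.SingleRoleAuthorizationManager, RelyingParty" /></identityConfiguration></system.identityModel>` and enable the WIF pipeline for the service with `<serviceCredentials useIdentityConfiguration="true" />` in its behavior. Keep the check server-side only; the role claim is trustworthy because the RP validates the STS signature on the issued token before CheckAccess runs.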