Securing WCF Services with ACS

Updated: June 19, 2015

Applies To: Azure

Scenario

In this scenario a WCF SOAP Service needs to integrate a third-party authentication and an identity management system

ACS v2 WCF Scenario

There are several challenges associated with the scenario:

How to configure WCF bindings to request a token from ACS?
How to validate the incoming token issued by the identity provider?
How to parse the incoming token?
How to implement authorization checks?
How to transform tokens by adding, removing, or changing the claims types and values?
How to do all of the above using configuration rather than coding?

ACS provides a solution to the scenario as depicted in the following image.

ACS v2 WCF Scenario and Solution

The UserNameWSTrustBinding, CertificateWSTrustBinding, and IssuedTokenWSTrustBinding classes are available as part of the Windows Identity Foundation’s (WIF) Microsoft.IdentityModel.Protocols.WSTrust.Bindings namespace and they are used to request a token from ACS.
Windows Identity Foundation (WIF) is used to validate incoming tokens.
Windows Identity Foundation (WIF) is used to parse the incoming tokens.
Windows Identity Foundation (WIF) is used to implement authorization checks.
The ACS rule engine is used to transform tokens.
Most of the work is done using the configuration either in the application’s web.config or/and through the ACS Management Portal.

Category	Topics
Authentication	Explained Service Identities
Authorization	Explained Authorization in Claims-Aware Web Applications and Services How-To’s How to: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS How to: Implement Role Based Access Control (RBAC) in a Claims-Aware ASP.NET Application Using WIF and ACS
Token flow and transformation	Explained Token Formats Supported in ACS Rule Groups and Rules How-To’s How to: Implement Token Transformation Logic Using Rules
Trust management	Explained Certificates and Keys
Code Sample	Code Sample: ASP.NET Web Service