<wsFederationHttpBinding>
Defines a binding that supports WS-Federation.
Schema Hierarchy
<system.serviceModel>
<bindings>
<wsFederationHttpBinding>
Syntax
<wsFederationHttpBinding>
<binding
bypassProxyOnLocal="Boolean"
closeTimeout="TimeSpan"
hostNameComparisonMode="StrongWildcard/Exact/WeakWildcard"
maxBufferPoolSize="integer"
maxReceivedMessageSize="integer"
messageEncoding="Text/Mtom"
name="string"
openTimeout="TimeSpan"
privacyNoticeAt="Uri"
privacyNoticeVersion="Integer"
proxyAddress="Uri"
receiveTimeout="TimeSpan"
sendTimeout="TimeSpan"
textEncoding="UnicodeFffeTextEncoding/Utf16TextEncoding/ Utf8TextEncoding"
transactionFlow="Boolean"
useDefaultWebProxy="Boolean">
<security mode="None/Message/TransportWithMessageCredential">
<message
algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"
issuedTokenType="string"
issuedKeyType="SymmetricKey/PublicKey"
negotiateServiceCredential="Boolean" >
<claimTypeRequirements>
<add claimType="URI"
isOptional="Boolean" />
</claimTypeRequirements>
<issuer address="Uri" >
<headers>
<add name="String"
namespace="String" />
</headers>
<identity>
<certificate encodedValue="String"/>
<certificateReference findValue="String"
isChainIncluded="Boolean"
storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
storeLocation="LocalMachine/CurrentUser"
X509FindType=System.Security.Cryptography.X509certificates.X509findtype/>
<dns value="String"/>
<rsa value="String"/>
<servicePrincipalName value="String"/>
<usePrincipalName value="String"/>
</identity>
</issuer>
<issuerMetadata address=String" >
<headers>
<add name="String"
namespace="String" />
</headers>
<identity>
<certificate encodedValue="String"/>
<certificateReference findValue="String"
isChainIncluded="Boolean"
storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
storeLocation="LocalMachine/CurrentUser"
x509FindType=System.Security.Cryptography.X509certificates.X509findtype/>
<dns value="String"/>
<rsa value="String"/>
<servicePrincipalName value="String"/>
<usePrincipalName value="String"/>
</identity>
</issuerMetadata>
<tokenRequestParameters>
<xmlElement>
</xmlElement>
</tokenRequestParameters>
</message>
</security>
<reliableSession ordered="Boolean"
inactivityTimeout="TimeSpan"
enabled="Boolean" />
<readerQuotas maxArrayLength="Integer" maxBytesPerRead="Integer" maxDepth="Integer" maxNameTableCharCount="Integer" maxStringContentLength="Integer" /> </binding></wsFederationBinding>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
| Attribute | Description |
|---|---|
bypassProxyOnLocal |
A Boolean value that indicates whether to bypass the proxy server for local addresses. The default is false. |
closeTimeout |
A TimeSpan value that specifies the interval of time provided for a close operation to complete. This value should be greater than or equal to Zero. The default is 00:01:00. |
hostnameComparisonMode |
Specifies the HTTP hostname comparison mode used to parse URIs. This attribute is of type HostnameComparisonMode, which indicates whether the hostname is used to reach the service when matching on the URI. The default value is StrongWildcard, which ignores the hostname in the match. |
maxBufferPoolSize |
An integer that specifies the maximum buffer pool size for this binding. The default is 524,288 bytes (512 * 1024). Many parts of Windows Communication Foundation (WCF) use buffers. Creating and destroying buffers each time they are used is expensive, and garbage collection for buffers is also expensive. With buffer pools, you can take a buffer from the pool, use it, and return it to the pool once you are done. Thus the overhead in creating and destroying buffers is avoided. |
maxReceivedMessageSize |
A positive integer that specifies the maximum message size, in bytes, including headers, that can be received on a channel configured with this binding. The sender of a message exceeding this limit will receive a SOAP fault. The receiver drops the message and creates an entry of the event in the trace log. The default is 65536. |
messageEncoding |
Defines the encoder used to encode the message. Valid values include the following:
The default is Text. This attribute is of type WSMessageEncoding. |
name |
A string that contains the configuration name of the binding. This value should be unique because it is used as an identification for the binding. |
openTimeout |
A TimeSpan value that specifies the interval of time provided for an open operation to complete. This value should be greater than or equal to Zero. The default is 00:01:00. |
privactyNoticeAt |
A String that specifies a URI at which the privacy notice is located. |
privactyNoticeVersion |
An integer that specifies the version of the current privacy notice. |
proxyAddress |
A URI that specifies the address of the HTTP proxy. If useDefaultWebProxy is true, this setting must be null. The default is null. |
receiveTimeout |
A TimeSpan value that specifies the interval of time provided for a receive operation to complete. This value should be greater than or equal to Zero. The default is 00:10:00. |
sendTimeout |
A TimeSpan value that specifies the interval of time provided for a send operation to complete. This value should be greater than or equal to Zero. The default is 00:01:00. |
textEncoding |
Sets the character set encoding to be used for emitting messages on the binding. Valid values include the following:
The default is UTF8. This attribute is of type Encoding.. |
transactionFlow |
A Boolean value that specifies whether the binding supports flowing WS-Transactions. The default is false. |
useDefaultWebProxy |
A Boolean value that indicates whether the system’s auto-configured HTTP proxy is used. The proxy address must be null (that is, not set) if this attribute is true. The default is true. |
Child Elements
| Element | Description |
|---|---|
Defines the security settings for the message. This element is of type WSFederationHttpSecurityElement. |
|
Defines the constraints on the complexity of SOAP messages that can be processed by endpoints configured with this binding. This element is of type XmlDictionaryReaderQuotasElement. |
|
Specifies if reliable sessions are established between channel endpoints. |
Parent Elements
| Element | Description |
|---|---|
This element holds a collection of standard and custom bindings. Each entry is identified by its name. Services use bindings by linking them using the name. |
Remarks
Federation is the ability to share identities across multiple systems for authentication and authorization. These identities can refer to users or to machines. Federated HTTP supports SOAP security as well as mixed-mode security, but it does not support exclusively using transport security. This binding provides Windows Communication Foundation (WCF) support for the WS-Federation protocol. Services configured with this binding must use the HTTP transport.
Bindings consist of a stack of binding elements. The stack of binding elements in
wsFederationHttpBinding is the same as that contained in wsHttpBinding
when <security> of <wsFederationHttpBinding> is set to the default value of Message.
The wsFederationHttpBinding controls the details of the message security settings in <message> element of <wsFederationHttpBinding>. Note that the <security> of <wsFederationHttpBinding> element provides get access only as the security used by the binding cannot be changed once the binding is created.
The wsFederationHttpBinding also provides a privactyNoticeAt attribute to set and retrieve the URI at which the privacy notice is located.
Keeping policy secure is especially important in federation scenarios. The recommendation is to use some form of security, such as HTTPS, to protect the policy from malicious users.
In federation scenarios using this binding, the service policy potentially has important information such as the key to use to encrypt the issued (SAML) token, the type of claims to put in the token, and so forth. If this policy is tampered with, an attacker could discover the key of the issued token leading to further tampering, info disclosure and other malicious behavior. To help prevent this, the policy must be obtained securely (for example using HTTPS) from the service.
For more information on this binding, see How to: Create a WSFederationHttpBinding.
Example
<configuration>
<system.ServiceModel>
<bindings>
<wsFederationHttpBinding>
<binding name="test"
bypassProxyOnLocal="false"
transactionFlow="false"
hostNameComparisonMode="WeakWildcard"
maxReceivedMessageSize="1000"
messageEncoding="Mtom"
proxyAddress="http://foo/bar"
textEncoding="Utf16TextEncoding"
useDefaultWebProxy="false">
<reliableSession ordered="false"
inactivityTimeout="00:02:00" enabled="true" />
<security mode="None">
<message negotiateServiceCredential="false"
algorithmSuite="Aes128"
issuedTokenType="saml"
issuedKeyType="PublicKey">
<issuer address="https://localhost/Sts" />
</message>
</security>
</binding>
</wsFederationBinding>
</bindings>
</system.ServiceModel>
</configuration>
See Also
Reference
WSFederationHttpBinding
WSFederationHttpBindingElement
Concepts
Other Resources
How to: Create a WSFederationHttpBinding
Windows Communication Foundation Bindings
Configuring System-Provided Bindings
Using Bindings to Configure Services and Clients
© 2007 Microsoft Corporation. All rights reserved.
Last Published: 2010-01-05