wcfwifsamlws-trust

How to pass a certificate to WSTrust to get Saml Token


Here is an example of getting tokem using WSTrustChannelFactory. From here.

var stsBinding = new WS2007HttpBinding();
stsBinding.Security.Mode = SecurityMode.TransportWithMessageCredential;
stsBinding.Security.Message.EstablishSecurityContext = false;
stsBinding.Security.Message.NegotiateServiceCredential = false;
stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;


WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
    stsBinding
    , new EndpointAddress(tokenurl)
    );
trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;

X509Store myStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
myStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection coll = myStore.Certificates.Find(X509FindType.FindBySerialNumber, "MycertSerialNumber", true);
X509Certificate2 cert = coll[0];
trustChannelFactory.Credentials.ClientCertificate.Certificate = cert;

WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();

RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue, keyType);
rst.AppliesTo = new EndpointAddress(realm);
RequestSecurityTokenResponse rstr = null;
rst.TokenType = SecurityTokenTypes.Saml;

SecurityToken token = channel.Issue(rst, out rstr);

Now I don't have a username/password but the provider has given me certificate .pfx file. How do I pass it to the WSTrushChannelFactory? I have tried using CertificateBinding but no success.

Updated Code above: 11/05/2014:

Getting this error: ID3242: The security token could not be authenticated or authorized.


Solution

  • Use the ClientCertificate property:

    var stsBinding = new WS2007HttpBinding();
    stsBinding.Security.Mode = SecurityMode.TransportWithMessageCredential;
    stsBinding.Security.Message.EstablishSecurityContext = false;
    stsBinding.Security.Message.NegotiateServiceCredential = false;
    
    // select the authentication mode of Client Certificate
    stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
    
    var wifChannelFactory = new WSTrustChannelFactory(stsBinding, stsEndpoint);
    wifChannelFactory.TrustVersion = TrustVersion.WSTrust13;
    
    // Supply the credentials
    wifChannelFactory.Credentials.ClientCertificate.Certificate = config.Certificate;
    

    The PFX you can import to your certificate store via the certmgr.msc snapin. Make sure that the account your application is running as has access to the private key. You can reference it in the store using the x509certificate2 classes.