wcfwifsts-securitytokenservice

Authentication when using Security Token Service


I have created a Security Token Service (STS), an service with a reference to the STS and an example desktop application.

This works as expected when using Windows authentication and Message security, a token is retrieved from the STS and the service method is called successfully. The service returns a string containing the current users identity, which returns my AD username.

I have a requirement however to authenticate against a database rather than AD. I have tried creating a CustomUserNameValidator (in the STS, is this the correct place?) and referencing it in the web.config. I then provide the credentials as shown below.

SampleServiceReference.SampleServiceClient client = new SampleServiceReference.SampleServiceClient(); client.ClientCredentials.UserName.UserName = "alex"; client.ClientCredentials.UserName.Password = "pass";

I believe the certificates are set up correctly (all using 'localhost'), however I receive the following exception when calling the service:

System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.

Whatever I try seems to fail. Is what I am describing even possible? Does the service client also pass the client credentials through to the STS, or am I completely misunderstanding what is happening here?

This stackoverflow question is similar, however I have checked the audience URL and it seems ok. WIF STS ID3242

Has anyone got any advice on how I can achieve custom authentication when using a STS?


Solution

  • Update: the code samples referenced below are not available anymore (Codeplex doesn't exist). The book download does and it is here: https://www.microsoft.com/en-us/download/details.aspx?id=28362


    There's a simple example of what you need here: http://claimsid.codeplex.com

    Look at either sample 8 or 4.

    Small clarification though. The username/password authentication is on the STS, not on your service. Your service will authenticate with a security token obtained from the STS.