I'm trying to understand what I need to develop a framework using WCF, Claims and ADFS 3.0. Internal users will authenticate against Active Directory, external users against a SQL Server table, and authorization is stored in database tables implementing groups and permissions. I am creating an API using WCF, not Web API or OWIN.
I'm not interested in using Identity Server or 3rd-party products; I just want to know how I create a custom Security Token Service to read from my membership table and set claims via my Groups and Permissions tables.
I can find no information on any of this. There is no Identity and Access control in Visual Studio 2015, and there seems to be nothing using WCF, only Web API, OWIN and MVC?
When I was developing a claims-aware WCF application like yours, I ran through this link, which made me understand how it works. The only thing that is not quite similar to your needs is that it is not ADFS 3.0.
And I don't think you can use both ADFS for internal users and SQL for external users ("like membership") at the same time/together. All I know is that you can trust another company's ADFS as another identity provider.
If you are referring to how to build a claims-aware WCF service, here are some available links.
Nonetheless, the link is still active and supports .NET 4.5 and 4.6, and WIF is already part of the framework, unlike before, when you needed to install WIF.
Below is a fragment of my WCF service configuration:
Bindings
<bindings>
    <ws2007FederationHttpBinding>
        <binding name="ws2007FederationHttpBinding">
            <security mode="TransportWithMessageCredential">
                <message establishSecurityContext="false" negotiateServiceCredential="false">
                    <issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex"/>
                    <issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"/>
                </message>
            </security>
        </binding>
    </ws2007FederationHttpBinding>
</bindings>
Identity Configuration
<system.identityModel>
    <identityConfiguration name="serviceidentity">
        <audienceUris mode="Never">
            <add value="https://localhost/FedSecurity/"/>
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://<adfs server>:9643/adfs/services/trust">
                <keys>
                    <!-- Thumbprint of the ADFS token-signing certificate; the value here is redacted. -->
                    <add thumbprint="8D6BF173ERERERFDFE9CE9CD0FB57FB57A5D68403EA88" name="http://<adfs server>:9643/adfs/services/trust" />
                </keys>
                <validIssuers>
                    <add name="http://<adfs server>:9643/adfs/services/trust" />
                </validIssuers>
            </authority>
        </issuerNameRegistry>
        <!-- certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio, for development purposes only.
             With "None" the service accepts any issuer certificate; use ChainTrust or PeerTrust outside development. -->
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
Fragment of my WCF client configuration:
<system.serviceModel>
        <bindings>
            <ws2007FederationHttpBinding>
                <binding name="ws2007FederationHttpBinding">
                    <security mode="TransportWithMessageCredential">
                        <message establishSecurityContext="false">
                            <issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"
                                binding="ws2007HttpBinding" bindingConfiguration="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed" />
                            <issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex" />
                            <tokenRequestParameters>
                                <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                                    <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                    <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                                    <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                                    <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                                    <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                                    <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                                    <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                                </trust:SecondaryParameters>
                            </tokenRequestParameters>
                        </message>
                    </security>
                </binding>
            </ws2007FederationHttpBinding>
            <ws2007HttpBinding>
                <binding name="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed">
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None" />
                        <message clientCredentialType="UserName" establishSecurityContext="false" />
                    </security>
                </binding>
            </ws2007HttpBinding>
        </bindings>
        <client>
            <endpoint address="https://localhost/FedSecurity/CloudService.svc"
                binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding"
                contract="CloudBeta.ICloudSevice" name="ws2007FederationHttpBinding" />
        </client>
</system.serviceModel>
Additional info:
I hope this information helps you!
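As an added example (not from the question or the answer above), here is the service-side piece the question asks about: a WIF ClaimsAuthenticationManager that takes the principal ADFS authenticated, looks the user up in the application's own groups and permissions tables, and adds group and permission claims before the operation runs, plus a service operation that checks one of those permissions. It plugs into the identityConfiguration shown in the answer via the claimsAuthenticationManager element, and the service behavior needs serviceCredentials with useIdentityConfiguration="true" so that WIF handles the incoming token. The namespace, the claim-type URIs, the user names and the in-memory dictionaries standing in for the SQL tables are all assumptions made for the example.

```csharp
// Added example, not code from the original answer: server-side claims augmentation
// for a claims-aware WCF service. The STS (ADFS here) authenticates the caller;
// this ClaimsAuthenticationManager then looks the caller up in the application's own
// groups/permissions tables and adds the resulting claims to the principal.
// Namespace, claim-type URIs, user names and table contents below are assumptions.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;

namespace FedSecurity
{
    public static class AppClaimTypes
    {
        // Hypothetical claim-type URIs for this application's own authorization data.
        public const string Group = "http://schemas.example.com/fedsecurity/claims/group";
        public const string Permission = "http://schemas.example.com/fedsecurity/claims/permission";
    }

    // Registered in web.config under <system.identityModel><identityConfiguration>:
    //   <claimsAuthenticationManager type="FedSecurity.GroupPermissionClaimsAuthenticationManager, FedSecurity" />
    // WIF invokes it after the incoming token has been validated and before the operation runs.
    public class GroupPermissionClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Constructed stand-ins for the membership, groups and permissions tables.
        // In the real service these would be SQL queries keyed on the authenticated user.
        private static readonly Dictionary<string, string[]> UserGroups =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice@contoso.local", new[] { "OrderClerks" } },
                { "bob@contoso.local",   new[] { "OrderClerks", "Auditors" } },
            };

        private static readonly Dictionary<string, string[]> GroupPermissions =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "OrderClerks", new[] { "Orders.Read", "Orders.Create" } },
                { "Auditors",    new[] { "Orders.Read", "Audit.Read" } },
            };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            var identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
            {
                // Never let an anonymous caller reach the service with an empty principal.
                throw new SecurityTokenException("Caller is not authenticated.");
            }

            // ADFS issues the user name as UPN and/or Name; take whichever is present.
            var userClaim = identity.FindFirst(ClaimTypes.Upn) ?? identity.FindFirst(ClaimTypes.Name);
            if (userClaim == null)
                throw new SecurityTokenException("Token carries no UPN or Name claim.");

            string[] groups;
            if (!UserGroups.TryGetValue(userClaim.Value, out groups))
            {
                // Authenticated at the STS but unknown to this application: no access.
                throw new SecurityTokenException("User is not a member of this application.");
            }

            const string issuer = "FedSecurity"; // marks claims added here, distinct from those issued by ADFS
            foreach (var group in groups)
            {
                identity.AddClaim(new Claim(AppClaimTypes.Group, group, ClaimValueTypes.String, issuer));
                string[] permissions;
                if (!GroupPermissions.TryGetValue(group, out permissions))
                    continue;
                foreach (var permission in permissions)
                {
                    // Permissions granted by several groups are added once.
                    if (!identity.HasClaim(AppClaimTypes.Permission, permission))
                        identity.AddClaim(new Claim(AppClaimTypes.Permission, permission, ClaimValueTypes.String, issuer));
                }
            }
            return incomingPrincipal;
        }
    }

    [ServiceContract]
    public interface ICloudService
    {
        [OperationContract]
        string GetOrder(int orderId);
    }

    public class CloudService : ICloudService
    {
        public string GetOrder(int orderId)
        {
            // Authorize on the permission claim added above, not on AD group membership,
            // so the database tables stay the single source of authorization truth.
            var principal = ClaimsPrincipal.Current;
            if (!principal.HasClaim(AppClaimTypes.Permission, "Orders.Read"))
                throw new FaultException("Access denied: Orders.Read permission required.");
            return "order " + orderId + " for " + principal.Identity.Name;
        }
    }
}
```

On the client side, the configuration in the answer selects UserName credentials for the ADFS usernamemixed endpoint, so the caller sets factory.Credentials.UserName.UserName and .Password on the ChannelFactory<ICloudService> before creating the channel; WCF then requests the token from ADFS and attaches it to the service call, and the manager above runs on the service once that token has been validated against the issuerNameRegistry.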