public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses)
{
// <!-- IssuerName Configuration - ha50idpm2 -->
string idpEntityId = WebConfigurationManager.AppSettings["IdpEntityId"];
CustomSecurityTokenServiceConfiguration config = new CustomSecurityTokenServiceConfiguration(idpEntityId);
// Create a security token handler collection and then provide with a SAML2 security token
// handler and set the Audience restriction to Never
SecurityTokenHandlerCollection onBehalfOfHandlers = new SecurityTokenHandlerCollection();
OnBehalfOfSaml2SecurityTokenHandler onBehalfOfTokenHandler = new OnBehalfOfSaml2SecurityTokenHandler();
onBehalfOfHandlers.Add(onBehalfOfTokenHandler);
// Do not process the Audience in the incoming OnBehalfOf token since this token
// is not for authenticating with the ADS
onBehalfOfHandlers.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
// Set the appropriate issuer name registry
onBehalfOfHandlers.Configuration.IssuerNameRegistry = new IdpAdsIssuerNameRegistry();
// Set the token handlers collection
config.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.OnBehalfOf] = onBehalfOfHandlers;
WSTrustServiceHost host = new WSTrustServiceHost(config, baseAddresses);
host.Description.Endpoints[0].Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
return host;
}
public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses)
{
string issuerName = WebConfigurationManager.AppSettings["IssuerName"];
string signingCertificateThumbPrint = WebConfigurationManager.AppSettings["SigningCertificateThumbprint"];
string issuerCertificateThumbPrint = WebConfigurationManager.AppSettings["IssuerCertificateThumprint"];
var config = new STSConfiguration(issuerName, signingCertificateThumbPrint, issuerCertificateThumbPrint);
Uri baseuri = baseAddresses.FirstOrDefault(x => x.Scheme == Uri.UriSchemeHttps);
if (baseuri == null)
{
throw new FaultException("The STS should be hosed in https");
}
WSTrustServiceHost host = new WSTrustServiceHost(config, baseAddresses);
host.AddServiceEndpoint(typeof(IWSTrust13SyncContract), STSBinging, baseuri.AbsoluteUri);
return host;
}
/// <summary>
/// Creates a service host to process WS-Trust 1.3 requests
/// </summary>
/// <param name="constructorString">The constructor string.</param>
/// <param name="baseAddresses">The base addresses.</param>
/// <returns>A WS-Trust ServiceHost</returns>
public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses)
{
var globalConfiguration = ConfigurationRepository.Configuration;
var config = CreateSecurityTokenServiceConfiguration(constructorString);
var host = new WSTrustServiceHost(config, baseAddresses);
// add behavior for load balancing support
host.Description.Behaviors.Add(new UseRequestHeadersForMetadataAddressBehavior());
// modify address filter mode for load balancing
var serviceBehavior = host.Description.Behaviors.Find<ServiceBehaviorAttribute>();
serviceBehavior.AddressFilterMode = AddressFilterMode.Any;
// add and configure a mixed mode security endpoint
if (ConfigurationRepository.Endpoints.WSTrustMixed)
{
EndpointIdentity epi = null;
if (ConfigurationRepository.Configuration.EnableStrongEpiForSsl)
{
if (ConfigurationRepository.SslCertificate.Certificate == null)
{
throw new ServiceActivationException("No SSL certificate configured for strong endpoint identity.");
}
epi = EndpointIdentity.CreateX509CertificateIdentity(ConfigurationRepository.SslCertificate.Certificate);
}
if (globalConfiguration.EnableClientCertificates)
{
var sep2 = host.AddServiceEndpoint(
typeof(IWSTrust13SyncContract),
new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential),
Endpoints.Paths.WSTrustMixedCertificate);
if (epi != null)
{
sep2.Address = new EndpointAddress(sep2.Address.Uri, epi);
}
}
var sep = host.AddServiceEndpoint(
typeof(IWSTrust13SyncContract),
new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
Endpoints.Paths.WSTrustMixedUserName);
if (epi != null)
{
sep.Address = new EndpointAddress(sep.Address.Uri, epi);
}
}
// add and configure a message security endpoint
if (ConfigurationRepository.Endpoints.WSTrustMessage)
{
var credential = new ServiceCredentials();
credential.ServiceCertificate.Certificate = ConfigurationRepository.SigningCertificate.Certificate;
host.Description.Behaviors.Add(credential);
if (globalConfiguration.EnableClientCertificates)
{
host.AddServiceEndpoint(
typeof(IWSTrust13SyncContract),
new CertificateWSTrustBinding(SecurityMode.Message),
Endpoints.Paths.WSTrustMessageCertificate);
}
host.AddServiceEndpoint(
typeof(IWSTrust13SyncContract),
new UserNameWSTrustBinding(SecurityMode.Message),
Endpoints.Paths.WSTrustMessageUserName);
}
return host;
}
