public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses) { // <!-- IssuerName Configuration - ha50idpm2 --> string idpEntityId = WebConfigurationManager.AppSettings["IdpEntityId"]; CustomSecurityTokenServiceConfiguration config = new CustomSecurityTokenServiceConfiguration(idpEntityId); // Create a security token handler collection and then provide with a SAML2 security token // handler and set the Audience restriction to Never SecurityTokenHandlerCollection onBehalfOfHandlers = new SecurityTokenHandlerCollection(); OnBehalfOfSaml2SecurityTokenHandler onBehalfOfTokenHandler = new OnBehalfOfSaml2SecurityTokenHandler(); onBehalfOfHandlers.Add(onBehalfOfTokenHandler); // Do not process the Audience in the incoming OnBehalfOf token since this token // is not for authenticating with the ADS onBehalfOfHandlers.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never; // Set the appropriate issuer name registry onBehalfOfHandlers.Configuration.IssuerNameRegistry = new IdpAdsIssuerNameRegistry(); // Set the token handlers collection config.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.OnBehalfOf] = onBehalfOfHandlers; WSTrustServiceHost host = new WSTrustServiceHost(config, baseAddresses); host.Description.Endpoints[0].Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign; return host; }
public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses) { string issuerName = WebConfigurationManager.AppSettings["IssuerName"]; string signingCertificateThumbPrint = WebConfigurationManager.AppSettings["SigningCertificateThumbprint"]; string issuerCertificateThumbPrint = WebConfigurationManager.AppSettings["IssuerCertificateThumprint"]; var config = new STSConfiguration(issuerName, signingCertificateThumbPrint, issuerCertificateThumbPrint); Uri baseuri = baseAddresses.FirstOrDefault(x => x.Scheme == Uri.UriSchemeHttps); if (baseuri == null) { throw new FaultException("The STS should be hosed in https"); } WSTrustServiceHost host = new WSTrustServiceHost(config, baseAddresses); host.AddServiceEndpoint(typeof(IWSTrust13SyncContract), STSBinging, baseuri.AbsoluteUri); return host; }
/// <summary> /// Creates a service host to process WS-Trust 1.3 requests /// </summary> /// <param name="constructorString">The constructor string.</param> /// <param name="baseAddresses">The base addresses.</param> /// <returns>A WS-Trust ServiceHost</returns> public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses) { var globalConfiguration = ConfigurationRepository.Configuration; var config = CreateSecurityTokenServiceConfiguration(constructorString); var host = new WSTrustServiceHost(config, baseAddresses); // add behavior for load balancing support host.Description.Behaviors.Add(new UseRequestHeadersForMetadataAddressBehavior()); // modify address filter mode for load balancing var serviceBehavior = host.Description.Behaviors.Find<ServiceBehaviorAttribute>(); serviceBehavior.AddressFilterMode = AddressFilterMode.Any; // add and configure a mixed mode security endpoint if (ConfigurationRepository.Endpoints.WSTrustMixed) { EndpointIdentity epi = null; if (ConfigurationRepository.Configuration.EnableStrongEpiForSsl) { if (ConfigurationRepository.SslCertificate.Certificate == null) { throw new ServiceActivationException("No SSL certificate configured for strong endpoint identity."); } epi = EndpointIdentity.CreateX509CertificateIdentity(ConfigurationRepository.SslCertificate.Certificate); } if (globalConfiguration.EnableClientCertificates) { var sep2 = host.AddServiceEndpoint( typeof(IWSTrust13SyncContract), new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential), Endpoints.Paths.WSTrustMixedCertificate); if (epi != null) { sep2.Address = new EndpointAddress(sep2.Address.Uri, epi); } } var sep = host.AddServiceEndpoint( typeof(IWSTrust13SyncContract), new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), Endpoints.Paths.WSTrustMixedUserName); if (epi != null) { sep.Address = new EndpointAddress(sep.Address.Uri, epi); } } // add and configure a message security endpoint if (ConfigurationRepository.Endpoints.WSTrustMessage) { var credential = new ServiceCredentials(); credential.ServiceCertificate.Certificate = ConfigurationRepository.SigningCertificate.Certificate; host.Description.Behaviors.Add(credential); if (globalConfiguration.EnableClientCertificates) { host.AddServiceEndpoint( typeof(IWSTrust13SyncContract), new CertificateWSTrustBinding(SecurityMode.Message), Endpoints.Paths.WSTrustMessageCertificate); } host.AddServiceEndpoint( typeof(IWSTrust13SyncContract), new UserNameWSTrustBinding(SecurityMode.Message), Endpoints.Paths.WSTrustMessageUserName); } return host; }