Federation with InfoCard


The next step is to write some service code to crack open the security token selected by the user and passed to the service.

In the HelloService project, add a reference to System.IdentityModel.Claims.

Next we'll modify the service implementation in program.cs.

Add two using statements:

using System.IdentityModel.Claims;
using System.IdentityModel.Policy;


Next modify the Hello class to display the claims in the service console window:

class Hello : IHello
{
    public string Say()
    {
        GetIdentity();
        return "Hello World";
    }

    // Walks every ClaimSet in the caller's AuthorizationContext and prints each
    // claim's type, resource (the claim value) and right. OperationContext comes
    // from System.ServiceModel, which the service host already references.
    private void GetIdentity()
    {
        AuthorizationContext ctx =
            OperationContext.Current.ServiceSecurityContext.AuthorizationContext;
        foreach (ClaimSet claimSet in ctx.ClaimSets)
        {
            foreach (Claim claim in claimSet)
            {
                Console.WriteLine();
                Console.WriteLine(claim.ClaimType);
                Console.WriteLine(claim.Resource);
                Console.WriteLine(claim.Right);
            }
        }
    }
}


Now run the application and see what you get in the service console window.

You probably expected to see more claims. The reason you didn't is that we are using wsHttpBinding, which supports only a restricted set of claims and gives the service no way to state which claims it wants from an issued token. To take advantage of all the claims in a security token, we need a federated binding (wsFederationHttpBinding), whose policy lets the service list the claims it requires and the issuers it accepts.

Open the service app.config and add the following binding inside the <bindings> section after the existing <wsHttpBinding> section:


<wsFederationHttpBinding>
  <binding name="helloFederatedBinding">
    <security mode="Message">
      <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
        <claims>
          <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress"/>
          <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname"/>
          <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"/>
          <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/privatepersonalidentifier"/>
          <!-- add more claims here -->
        </claims>
        <issuer address="http://schemas.microsoft.com/ws/2005/05/identity/issuer/self"/>
      </message>
    </security>
  </binding>
</wsFederationHttpBinding>


Here we are specifying a policy that accepts only security tokens containing the EmailAddress, GivenName, Surname, and PrivatePersonalIdentifier claims, and the issuer address tells the identity selector that self-issued cards are acceptable. Bear in mind what that means: with a self-issued card every one of those claims was typed in by the user and is signed with a key the card itself generated, so no third party has vouched for the values. The PrivatePersonalIdentifier is the one claim with a useful guarantee, and it is a pairwise one: it is derived from the card and the relying party, so it is stable across visits by the same card to this service but differs at every other site. Use it as a key for recognising a returning user, and treat the other claims as self-reported profile data rather than authenticated facts.

We also need to modify our service endpoint to use this binding:

binding="wsFederationHttpBinding" bindingConfiguration="helloFederatedBinding"


That's our service app.config. Now let's turn our attention to the client app.config.

Cut and paste the <wsFederationHttpBinding> section you just entered into the <bindings> section of the client app.config, again after the existing <wsHttpBinding> section. Then change the binding and binding configuration under the client <endpoint>:

binding="wsFederationHttpBinding" bindingConfiguration="helloFederatedBinding"


Now run the application again and see what you get. This time you should get the EmailAddress, GivenName, Surname, and PrivatePersonalIdentifier claims displayed in the service console window.
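The binding's claims list tells the identity selector what to request, but nothing above stops a request whose token lacks one of those claims from reaching Say(). The following is an added example (not code from the book or the HelloService project) of closing that gap on the service side: a helper that pulls the four required claims out of the AuthorizationContext and reports which are missing, and a ServiceAuthorizationManager that rejects the call when any are absent. The class names, the assembly name "HelloService" in the registration comment, and the constructed claim set in Demo are all assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Added example (not the book's code). Enforces on the service side that the
// claims the binding policy asked for actually arrived. Uses the same four
// claim-type URIs that the wsFederationHttpBinding configuration lists.
public static class RequiredClaims
{
    const string Prefix = "http://schemas.microsoft.com/ws/2005/05/identity/claims/";

    public static readonly string[] ClaimTypes =
    {
        Prefix + "emailaddress",
        Prefix + "givenname",
        Prefix + "surname",
        Prefix + "privatepersonalidentifier"
    };

    // Collects claimType -> value for every required claim. Returns false and
    // fills 'missing' if the token did not carry all of them.
    public static bool TryExtract(IEnumerable<ClaimSet> claimSets,
                                  out Dictionary<string, string> values,
                                  out List<string> missing)
    {
        values = new Dictionary<string, string>();
        foreach (string type in ClaimTypes)
        {
            foreach (ClaimSet set in claimSets)
            {
                // Only PossessProperty claims describe the subject; Identity
                // claims describe the signing key and are deliberately skipped.
                foreach (Claim c in set.FindClaims(type, Rights.PossessProperty))
                {
                    if (!values.ContainsKey(type))
                        values[type] = Convert.ToString(c.Resource);
                }
            }
        }
        missing = new List<string>();
        foreach (string type in ClaimTypes)
            if (!values.ContainsKey(type)) missing.Add(type);
        return missing.Count == 0;
    }
}

// Hooks the check into WCF so a request without the required claims is refused
// before Say() runs. Register it in the service app.config under
// <serviceBehaviors>/<behavior> as
//   <serviceAuthorization serviceAuthorizationManagerType=
//       "RequiredClaimsAuthorizationManager, HelloService"/>
// ("HelloService" is the assumed assembly name).
public class RequiredClaimsAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        AuthorizationContext ctx =
            operationContext.ServiceSecurityContext.AuthorizationContext;
        Dictionary<string, string> values;
        List<string> missing;
        if (!RequiredClaims.TryExtract(ctx.ClaimSets, out values, out missing))
        {
            foreach (string type in missing)
                Console.WriteLine("rejected: missing claim " + type);
            return false;   // WCF sends the client an access-denied fault
        }
        return base.CheckAccessCore(operationContext);
    }
}

// Stand-alone check in its own console project with a constructed claim set
// (no InfoCard involved) so the extraction logic can be exercised offline.
class Demo
{
    static void Main()
    {
        const string p = "http://schemas.microsoft.com/ws/2005/05/identity/claims/";
        // Constructed sample: three of the four required claims, no PPID.
        ClaimSet partial = new DefaultClaimSet(new Claim[]
        {
            new Claim(p + "emailaddress", "alice@example.com", Rights.PossessProperty),
            new Claim(p + "givenname", "Alice", Rights.PossessProperty),
            new Claim(p + "surname", "Example", Rights.PossessProperty)
        });
        Dictionary<string, string> values;
        List<string> missing;
        bool ok = RequiredClaims.TryExtract(new ClaimSet[] { partial }, out values, out missing);
        Console.WriteLine(ok ? "all required claims present"
                             : "missing: " + string.Join(", ", missing.ToArray()));
    }
}
```

Running Demo reports the PrivatePersonalIdentifier as missing, which is exactly the case the authorization manager turns into a denied call. Checking presence is the floor, not the ceiling: because the issuer here is the self-issued one, TryExtract returns user-typed values, so any real authorization decision should key on the PrivatePersonalIdentifier (and, for managed cards, on the issuing ClaimSet's Issuer) rather than on the e-mail address or name.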




Microsoft Windows Communication Foundation: Hands-on
ISBN: 0672328771
Year: 2006
Pages: 132