Home/ Questions/Q 9024671
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T06:04:53+00:00

I have a WCF service hosted on a single endpoint with <ws2007FederationHttpBinding> . The

  • 0

I have a WCF service hosted on a single endpoint with <ws2007FederationHttpBinding>. The service is secured using WIF tokens.

The service has one method void IsOnline() to determine the availability of the service. This method must be callable without a token and I cannot split the interfaces nor can I add another unsecured endpoint. (=configuration services limitations)

So, can I modify my binding to basically state “using WIF tokens is optional”? Or in other words: The service should use the claims and identity from the caller or use some kind of anonymous token if there was no token provided.

My current binding:

  <microsoft.identityModel>
    <service saveBootstrapTokens="true">
      <audienceUris>
        <add value="https://.../MyServiceCaller" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://.../MyFederationProviderHere" realm="https://.../MyServiceCaller" requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        </claimTypeRequired>
      </applicationService>
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint" findValue="123123" />
      </serviceCertificate>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="123123" name="My.Auth.FederationProvider" />
          <add thumbprint="456456" name="My.Auth.FederationProvider" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
    ...
  <ws2007FederationHttpBinding>
    <binding name="Host_Ws2007FederationHttp_WithToken">
      <security>
        <message establishSecurityContext="false" issuedKeyType="BearerKey"
            issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
            negotiateServiceCredential="false">
          <tokenRequestParameters>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
              <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No – In WCF authentication requirements are per endpoint. You need a separate endpoint for your IsOnline operation. You then use a binding on this endpoint that allows anonymous connections.

    • 0