Question

I am setting up an existing WCF service to meet some client requirements. One of the demands is to use UserNameToken authentication on a service with WS-Addressing disabled and the policy generated in the WSDL in 'SupportingTokens' format, as below.

    <wsp:Policy wsu:Id="wss_username_token_service_policy"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                        <sp:WssUsernameToken10 />
                    </wsp:Policy>
                </sp:UsernameToken>
            </wsp:Policy>
        </sp:SupportingTokens>
    </wsp:Policy>

I tried many configurations but always get an "sp:SignedSupportingTokens" tag, or something other than "sp:SupportingTokens".

The documentation seems to have nothing specific about this.

According to Ladislav Mrnka in this post, there seems to be no support for this assertion type.

If this is correct, is it not possible to generate that WSDL using WCF?

The binding and behavior configurations follow.

binding:

    <customBinding>
      <binding name="httpsBinding" openTimeout="00:10:00" closeTimeout="00:10:00" sendTimeout="00:10:00" receiveTimeout="00:10:00">
        <!-- UserNameOverTransport: the UsernameToken travels in the WS-Security header and is
             protected only by the transport. allowInsecureTransport="true" lets the binding be
             used over a transport without security (e.g. plain HTTP behind a TLS-terminating proxy);
             here httpsTransport provides the transport security itself. -->
        <security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
        <mtomMessageEncoding messageVersion="Soap12">
          <!-- Soap12 without WS-Addressing, as the client requires -->
          <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647"
                        maxBytesPerRead="2147483647"
                        maxNameTableCharCount="2147483647" />
        </mtomMessageEncoding>
        <httpsTransport maxReceivedMessageSize="2147483647" />
      </binding>
    </customBinding>

behavior:

    <behavior name="svcSslAndUserNamePasswordBehavior">
      <serviceMetadata httpsGetEnabled="true" />
      <!-- includeExceptionDetailInFaults="true" returns exception details (including stack traces)
           to callers in SOAP faults; intended for debugging, not for production -->
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceSecurityAudit auditLogLocation="Application" suppressAuditFailure="true" serviceAuthorizationAuditLevel="Failure"
                            messageAuthenticationAuditLevel="Failure" />
      <serviceCredentials>
        <!-- server certificate used for the HTTPS endpoint -->
        <serviceCertificate findValue="certificateInfo" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        <!-- the UsernameToken credentials are checked by this custom validator -->
        <userNameAuthentication userNamePasswordValidationMode="Custom"
                                customUserNamePasswordValidatorType="UserManagement.UserNameValidator" />
      </serviceCredentials>
    </behavior>

Solution

It depends on the other required policies. WCF does not support a plain SupportingTokens assertion, but if you use HTTPS and UserNameToken with no other special requirements, your binding should work. It produces a policy with SignedSupportingTokens in the WSDL instead, but because there is no other message security and because HTTPS is used, you will have no signature in the message; the "signed" requirement will be fulfilled by the transport (HTTPS).
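
A way to check the point made above against the WSDL a service actually serves, as an added example that is not part of the original question or answer: the script below parses the WS-Policy assertions in a WSDL, reports which supporting-token wrapper the UsernameToken sits under, and returns true only for the shape the answer describes (UsernameToken under SignedSupportingTokens, no symmetric or asymmetric message binding, and a TransportBinding carrying an HttpsToken). The embedded WSDL is constructed for the example: its first policy is the client's requested fragment from the question, the second is the shape WCF emits for UserNameOverTransport over httpsTransport. The policy Id "CustomBinding_IService_policy" and the function names are assumptions; both the 2005/07 and the OASIS 200702 WS-SecurityPolicy namespaces are accepted, which goes slightly beyond the question's 2005/07 case.

```python
"""Classify the WS-SecurityPolicy assertions in a WSDL and check whether a
UsernameToken is protected by HTTPS rather than by a message signature.
Added example; not code from the original post. Uses only the standard library."""
import xml.etree.ElementTree as ET

WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")
SP_NS = ("http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",          # WCF default (question)
         "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702")     # WS-SecurityPolicy 1.2
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SUPPORTING_KINDS = ("SupportingTokens", "SignedSupportingTokens",
                    "SignedEncryptedSupportingTokens", "EndorsingSupportingTokens",
                    "SignedEndorsingSupportingTokens")

# Constructed sample WSDL: the requested policy (from the question) and the
# shape WCF emits for UserNameOverTransport + httpsTransport (assumed Id).
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy wsu:Id="wss_username_token_service_policy">
    <sp:SupportingTokens><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CustomBinding_IService_policy">
    <wsp:ExactlyOne><wsp:All>
      <sp:TransportBinding><wsp:Policy>
        <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
        <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
        <sp:IncludeTimestamp/>
      </wsp:Policy></sp:TransportBinding>
      <sp:SignedSupportingTokens><wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy></sp:SignedSupportingTokens>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
</wsdl:definitions>"""


def _split(tag):
    """ElementTree '{ns}local' -> (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def _sp(node, local_name):
    """All descendants of node (inclusive) named local_name in any sp: namespace."""
    return [e for e in node.iter()
            if _split(e.tag)[0] in SP_NS and _split(e.tag)[1] == local_name]


def load_policies(wsdl_text):
    """Map wsu:Id -> top-level wsp:Policy element (nested policies carry no Id)."""
    root = ET.fromstring(wsdl_text)
    policies = {}
    for el in root.iter():
        ns, local = _split(el.tag)
        if ns in WSP_NS and local == "Policy" and el.get("{%s}Id" % WSU_NS):
            policies[el.get("{%s}Id" % WSU_NS)] = el
    return policies


def analyse_policy(policy):
    """Summarise the security assertions of one wsp:Policy."""
    username_in = [k for k in SUPPORTING_KINDS
                   if any(_sp(w, "UsernameToken") for w in _sp(policy, k))]
    transport = _sp(policy, "TransportBinding")
    return {
        "username_token_in": username_in,
        "transport_binding": bool(transport),
        "https_token": any(_sp(t, "HttpsToken") for t in transport),
        # a symmetric/asymmetric binding would mean real message-level signing
        "message_security": bool(_sp(policy, "SymmetricBinding") or
                                 _sp(policy, "AsymmetricBinding")),
    }


def username_token_ok_over_https(policy):
    """True for the shape the answer describes: UsernameToken under
    SignedSupportingTokens, no message-level binding, HTTPS transport binding."""
    info = analyse_policy(policy)
    return ("SignedSupportingTokens" in info["username_token_in"]
            and not info["message_security"] and info["https_token"])


if __name__ == "__main__":
    for pid, pol in load_policies(SAMPLE_WSDL).items():
        print(pid, analyse_policy(pol), "ok:", username_token_ok_over_https(pol))
```

Run it against the real WSDL (`?wsdl` over HTTPS) by replacing SAMPLE_WSDL with the downloaded text; the first sample policy shows why the client's requested fragment fails the check on its own (no transport binding at all), while the WCF-emitted one passes because the HttpsToken is what fulfils the "signed" requirement.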

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow