Question

I've got two MVC sites that use the same STS for authentication. I need to create a WCF service as part of one of the sites that allows the other site to retrieve data.

These sites could be on different machines accessible over the internet (although currently they're on the same machine) and the WCF service should only be able to be accessed from the client site. The authentication token used to log into the client site should be passed through to the WCF service.

I've been looking at the different WS-Security options available (Transport, Message etc) and it's not quite sinking in 100%, and I feel like I'd end up implementing something that seemed secure but wasn't actually secure due to a lack of understanding. Any help much appreciated.

Edit:

My first attempt was with transport layer security and setting the WCF service virtual directory with require SSL in IIS. However that left me with an error of:

"The remote certificate is invalid according to the validation procedure."

And I had no way of ensuring that a specific client was connecting to the service, only that a client had a certificate from a trusted CA. At least as far as I know. I'm probably missing something vital here.

Solution

The authentication token used to log into the client site should be passed through to the WCF service.

In this case you should be requesting an "ActAs" token from the STS:

  1. The WCF service should be configured as a Relying Party of the STS.
  2. The MVC site should call back to the STS and request an ActAs token specific to the WCF service.
  3. The MVC site uses the ActAs token to call the service.

The motivation for the complexity: Delegation, or traversing multilayer architectures

Since you mentioned WS standards: Requesting Delegation (ActAs) Tokens using WSTrustChannel (as opposed to Configuration Madness)

Not knowing your STS it's hard to say more, but Googling "ActAs token" will probably give you what you need.
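The three steps above in code, as an added example that is not part of the original answer or of any project: the MVC site authenticates to the STS as itself, requests a token scoped to the WCF service with the user's own token in the ActAs element, and then calls the service with the issued token. It uses the .NET 4.5 System.IdentityModel WS-Trust APIs (the WIF 3.5 Microsoft.IdentityModel names differ slightly); the STS and service URLs, the client certificate subject "mvc-site" and the IDataService contract are assumptions. The user's token is the bootstrap token from the MVC site's session, which WIF only keeps when `saveBootstrapContext="true"` is set in the site's identity configuration.

```csharp
// Added example, not the original post's code. Assumed: STS/service URLs, cert subject, IDataService.
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IDataService
{
    [OperationContract]
    string GetData(int id);
}

public static class DelegatedServiceClient
{
    const string ServiceUrl = "https://service.example.com/DataService.svc"; // assumed

    // Step 2: ask the STS for a token scoped to the WCF service. The user's own token goes in
    // the ActAs element, so the issued token names both the user and the delegating MVC site.
    public static SecurityToken RequestActAsToken(SecurityToken callerToken)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress("https://sts.example.com/trust/13/certificate")) { TrustVersion = TrustVersion.WSTrust13 }; // assumed URL
        // The MVC site authenticates as itself; STS policy decides which sites may ActAs for which relying parties.
        factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "mvc-site");
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(ServiceUrl), // audience: the service rejects tokens issued for any other RP
            KeyType = KeyTypes.Bearer,
            ActAs = new SecurityTokenElement(callerToken)
        };
        return factory.CreateChannel().Issue(rst);
    }

    // Step 3: call the service over a federation binding, presenting the ActAs token as the credential.
    public static IDataService CreateServiceChannel(SecurityToken actAsToken)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        var factory = new ChannelFactory<IDataService>(binding, new EndpointAddress(ServiceUrl));
        factory.Credentials.UseIdentityConfiguration = true; // validate with the site's WIF configuration
        return factory.CreateChannelWithIssuedToken(actAsToken);
    }
}
```

On the service side (step 1), the WCF service's identity configuration lists its own URL under audienceUris and trusts the STS signing certificate, so a token issued to the MVC site alone is rejected, and the ActAs claim in the accepted token tells the service which site is calling on the user's behalf.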

Licensed under: CC-BY-SA with attribution