As I understand it, to implement an STS I have to use a wsFederationBinding, and that only supports a request/reply message pattern. Is that right If that is so, how do I federate with a duplex message pattern

Say I implement a trusted facade that exposes a login operation on a wsFederation binding to create the saml token and put the main service operations on a netTcpBinding. I assume the two endpoints will not share a common security context so the returned saml token won't be any good - yes

Re: Windows Communication Foundation (Indigo) Duplex federation

Todd West

You're correct the two endpoints will not share a common security context, but STSes do not have to use WSFederationHttpBinding.  If you want WCFs clients to automatically contact an STS to obtain an issued token you should use a binding whose message security authentication mode is IssuedToken (not generally recommended as there's no server authentication with this mode), IssuedTokenForCertificate, IssuedTokenForSslNegotiated, or IssuedTokenOverTransport.  That binding can be WSFederationHttpBinding, a CustomBinding, or WSHttpBinding, WSDualHttpBinding, or NetTcpBinding with Security.Message.ClientCredentialType.IssuedToken.  If you use WSHttpBinding, WSDualHttpBinding or NetTcpBinding in this configuration you'll need to integrate with CardSpace.

Re: Windows Communication Foundation (Indigo) Duplex federation


That's clear thanks.

I recall seeing other threads covering this, but could you quickly tell me this. Can I avoid CardSpace by having a login operation on an http endpoint with a WsFederationBinding that creates a durable SAML token I can use on operations on another tcp endpoint with a NetTcpBinding


Re: Windows Communication Foundation (Indigo) Duplex federation

Todd West

No; NetTcpBinding's issued token support always integrates with CardSpace.  To use a tcp transport with a durable issued token provider you'll want a binding like



    <security authenticationMode="SecureConversation" requireCancellation="true">

      <secureConversationBootstrap authenticationMode="IssuedTokenForSslNegotiated" />


    <binaryMessageEncoding />

    <tcpTransport />



or the code equivalent thereof.  Note that the durable issued token provider sample won't work out of the box with a bootstrap authentication mode of IssuedToken, though you probably don't want to use that mode since doesn't perform server authentication.