Authentication when using Security Token Service

Alex Marshall · May 10, 2011 · Viewed 17.4k times

I have created a Security Token Service (STS), a service with a reference to the STS and an example desktop application.

This works as expected when using Windows authentication and Message security: a token is retrieved from the STS and the service method is called successfully. The service returns a string containing the current user's identity, which in this case is my AD username.

I have a requirement, however, to authenticate against a database rather than AD. I have tried creating a CustomUserNameValidator (in the STS; is this the correct place?) and referencing it in the web.config. I then provide the credentials as shown below.

SampleServiceReference.SampleServiceClient client = new SampleServiceReference.SampleServiceClient();
client.ClientCredentials.UserName.UserName = "alex";
client.ClientCredentials.UserName.Password = "pass";

I believe the certificates are set up correctly (all using 'localhost'), however I receive the following exception when calling the service:

System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.

Whatever I try seems to fail. Is what I am describing even possible? Does the service client also pass the client credentials through to the STS, or am I completely misunderstanding what is happening here?

This Stack Overflow question is similar (WIF STS ID3242); however, I have checked the audience URL and it seems OK.

Has anyone got any advice on how I can achieve custom authentication when using an STS?

Answer

Eugenio Pace · May 12, 2011

There's a simple example of what you need here: http://claimsid.codeplex.com

Look at either sample 8 or 4.

Small clarification though. The username/password authentication is on the STS, not on your service. Your service will authenticate with a security token obtained from the STS.
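The two hops the answer describes, as an added example that is not part of the question, the answer or the claimsid samples. It assumes WIF 3.5 (Microsoft.IdentityModel.dll) on WCF, an STS issuing endpoint at https://localhost/STS/Issue, a relying-party service at https://localhost/SampleService, both over HTTPS, and a hypothetical Users table holding a per-user salt and a PBKDF2 hash; all of those names are assumptions. The custom UserNamePasswordValidator lives in the STS, where the password is actually checked; the client sends the username and password only to the STS, receives a bearer token, and presents that token (not the password) to the service.

```csharp
// Added example (not from the question, the answer or the claimsid samples).
// Assumes WIF 3.5 (Microsoft.IdentityModel.dll); endpoint URLs, the Users table
// and the connection string are hypothetical.
using System;
using System.Data.SqlClient;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

// ---- STS side: the only place the username/password is validated ----
// Wired up in the STS web.config:
// <serviceCredentials><userNameAuthentication userNamePasswordValidationMode="Custom"
//   customUserNamePasswordValidatorType="Sts.DbUserNameValidator, Sts" /></serviceCredentials>
public class DbUserNameValidator : UserNamePasswordValidator
{
    private const string ConnectionString =
        "Data Source=.;Initial Catalog=Auth;Integrated Security=true"; // assumed

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing credentials");

        byte[] salt = null, expected = null;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = conn.CreateCommand())
        {
            // Parameterized query: the user name never becomes part of the SQL text.
            cmd.CommandText = "SELECT Salt, PasswordHash FROM Users WHERE UserName = @u";
            cmd.Parameters.AddWithValue("@u", userName);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    salt = (byte[])reader["Salt"];
                    expected = (byte[])reader["PasswordHash"];
                }
            }
        }

        // Unknown user: still run the KDF against a dummy so the response time
        // does not reveal whether the account exists.
        if (salt == null) { salt = new byte[16]; expected = new byte[32]; }
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000)) // PBKDF2-HMAC-SHA1
            actual = kdf.GetBytes(32);                                    // stored hash must use the same parameters

        int diff = actual.Length ^ expected.Length;                      // constant-time compare
        for (int i = 0; i < actual.Length && i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        if (diff != 0)
            throw new SecurityTokenException("Unknown user or bad password");
    }
}

// ---- Client side: hop 1 to the STS with the password, hop 2 to the service with the token ----
[ServiceContract]
public interface ISampleService
{
    [OperationContract]
    string GetUserName();
}

public static class StsClient
{
    public static string CallService(string userName, string password)
    {
        // Hop 1: WS-Trust Issue request to the STS; the password travels only on this hop.
        var stsBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        stsBinding.Security.Message.EstablishSecurityContext = false;

        var stsFactory = new WSTrustChannelFactory(stsBinding,
            new EndpointAddress("https://localhost/STS/Issue")); // assumed STS address
        stsFactory.TrustVersion = TrustVersion.WSTrust13;
        stsFactory.Credentials.UserName.UserName = userName;
        stsFactory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            // AppliesTo must match the audienceUri the service is configured to accept,
            // otherwise the service rejects the token (ID3242-style failures).
            AppliesTo = new EndpointAddress("https://localhost/SampleService"),
            KeyType = KeyTypes.Bearer
        };
        SecurityToken token = stsFactory.CreateChannel().Issue(rst);

        // Hop 2: the service sees only the issued token, never the username/password.
        var svcBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        svcBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        var svcFactory = new ChannelFactory<ISampleService>(svcBinding,
            new EndpointAddress("https://localhost/SampleService")); // assumed service address
        svcFactory.ConfigureChannelFactory();                      // WIF extension: enable issued-token handling
        ISampleService proxy = svcFactory.CreateChannelWithIssuedToken(token);
        return proxy.GetUserName();
    }
}
```

The service's own configuration never references the database: it only needs the STS signing certificate as a trusted issuer and the audience URI the STS puts in AppliesTo. If the validator throws, the STS returns a fault and no token is issued, so the service is never reached with bad credentials.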