Securing UserName Endpoint by UserName + Cert

Apr 24, 2008 at 4:22 PM
I'd like to implement a security policy that requests for issuance of a token using username creds are restricted from trusted servers.

That is, I'd like to restrict the STS from accepting requests that use username creds unless those requests are made from a trusted source.

Here's the scenario I'd like to enforce:
User calls the ISSUE operation, hitting the username endpoint on the sts server and supplying proper U/P creds.
The source of the call is from a trusted server (presents a 509 cert that is in the trusted store on the sts server), so the token is issued.

The same user makes the same call from a client who is untrusted (presented cert does not exist in the sts server).
The request fails the WCF security policy, and returns an exception.

It's a combination of mutual cert + username authentication. Is this possible?
Coordinator
Apr 24, 2008 at 6:01 PM
Basically no. Remember the user doesn't hit the issue operation, the identity selector does; and the standard supports 4 authentication types: username & password, self issued card, certificate and kerberos. Even if you changed the authentication details on an endpoint a selector wouldn't know what to do.
Apr 24, 2008 at 8:39 PM
Edited Apr 24, 2008 at 8:39 PM
Assuming I wasn't using Cardspace as a selector, and I just sent in an RST message, how could I configure the WCF endpoint to require both authentication creds (U/P and cert)?

Sorry if this is an elementary WCF question, but I've been struggling with this for some time.

Developer
Apr 25, 2008 at 6:01 AM
You could use the approach described here:

http://www.leastprivilege.com/UserNameSupportingTokenInWCF.aspx

This is how it generally works in WCF - the other approach would be to write a custom credential type that combines two standard credential types. The docs on this are rather sketchy though.
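One way to wire up the supporting-token approach for the scenario in the original question, as an added example (not code from this thread or from the linked article): mutual X.509 is the primary message security, a UserName token is required as a signed and encrypted supporting token, and the certificate subject names, the validator class and the sample credentials are assumed placeholders.

```csharp
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Hypothetical validator standing in for the STS's real user store.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "PLACEHOLDER-PASSWORD") // constructed sample creds
            throw new FaultException("Unknown user name or incorrect password.");
    }
}

public static class MutualCertPlusUserName
{
    // Mutual X.509 is the primary security; the UserName token rides along as a signed and
    // encrypted supporting token, so a request without either credential is rejected.
    public static Binding CreateBinding()
    {
        var security = SecurityBindingElement.CreateMutualCertificateBindingElement();
        security.EndpointSupportingTokenParameters.SignedEncrypted.Add(
            new UserNameSecurityTokenParameters());
        return new CustomBinding(security, new TextMessageEncodingBindingElement(),
                                 new HttpTransportBindingElement());
    }
    // STS side: client certs must chain to a trusted root, and U/P must pass the validator.
    public static void ConfigureHost(ServiceHost host)
    {
        var creds = host.Credentials;
        creds.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "sts.example.test");        // assumed subject name
        creds.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        creds.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        creds.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoUserNameValidator();
    }
    // Trusted-server side: present its own cert plus the user's U/P on every RST.
    public static void ConfigureClient(ClientCredentials creds, string user, string password)
    {
        creds.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "trusted-server.example.test"); // assumed
        creds.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine,
            StoreName.TrustedPeople, X509FindType.FindBySubjectName, "sts.example.test");
        creds.UserName.UserName = user;
        creds.UserName.Password = password;
    }
}
```

An untrusted caller whose certificate does not chain to a root the STS trusts is rejected by the certificate check before the UserName validator ever runs, which is the ordering the original scenario asks for.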