WCF and Identity in .NET 4.5: Overview

Since every principal in .NET 4.5 derives from ClaimsPrincipal, all the higher-level frameworks, including ASP.NET and WCF, simply get "claims for free".

Generally speaking, there are two new settings in WCF that you care about when you want to work with claims-based identity.

WCF in 4.5 can operate in two modes: "classic" and "WIF" (not the official names). In classic mode everything works like in pre-4.5 WCF, besides the fact that the principals and identities now derive from the claims base classes.

In "WIF" mode, the security token handler pipeline we know (and love) from WIF is used. This also includes things like ClaimsAuthenticationManager and ClaimsAuthorizationManager, and is equivalent to calling FederatedServiceCredentials.ConfigureServiceHost() in WIF.

You choose between the two modes by setting the UseIdentityConfiguration property on the ServiceCredentials behavior to true. This tells WCF to get its token handling configuration from the <system.identityModel> configuration section. Internally this replaces the standard ServiceCredentials with FederatedServiceCredentials (like in WIF).

WCF's usage of IPrincipal and Thread.CurrentPrincipal was always weird (and just wrong, as it turns out) to start with. Without going into details: there is a new PrincipalPermissionMode on the ServiceAuthorizationBehavior called Always. It is called Always because you should always use it ;)

What Always does is exactly what the name says: it always sets Thread.CurrentPrincipal to the client's claims-based principal (a ClaimsPrincipal), so code that relies on Thread.CurrentPrincipal, such as PrincipalPermission demands, sees the actual caller.
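The following self-hosted service is an added example (not code from the original post) that puts both settings together: UseIdentityConfiguration switches the host into "WIF" mode, so the ClaimsAuthenticationManager described above runs for every call, and PrincipalPermissionMode.Always makes Thread.CurrentPrincipal the client's ClaimsPrincipal, so the PrincipalPermission demand on the operation actually evaluates the caller. The contract, service, manager and endpoint address are hypothetical; it assumes a Windows-authenticated NetTcpBinding endpoint and that, without a <system.identityModel> section in app.config, the default identity configuration applies.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract, chosen only for this example.
[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

// Runs inside the WIF pipeline (only in "WIF" mode). Transforms the incoming
// identity into the application's own identity; here it rejects anonymous
// callers and adds a constructed role claim so the demand below can succeed.
public class DemoClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            throw new SecurityException("Anonymous callers are not allowed.");
        }

        // Constructed transformation: every authenticated caller becomes "user".
        identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
        return incomingPrincipal;
    }
}

public class WhoAmIService : IWhoAmI
{
    // PrincipalPermission checks Thread.CurrentPrincipal.IsInRole. Only with
    // PrincipalPermissionMode.Always is that guaranteed to be the client's
    // ClaimsPrincipal (whose IsInRole looks at role claims).
    [PrincipalPermission(SecurityAction.Demand, Role = "user")]
    public string WhoAmI()
    {
        // ClaimsPrincipal.Current reads Thread.CurrentPrincipal.
        var principal = ClaimsPrincipal.Current;
        return string.Join(Environment.NewLine,
            principal.Claims.Select(c => c.Type + ": " + c.Value));
    }
}

class Program
{
    static void Main()
    {
        // Hypothetical address; NetTcpBinding uses Windows authentication by default.
        var host = new ServiceHost(typeof(WhoAmIService), new Uri("net.tcp://localhost:9000/whoami"));
        host.AddServiceEndpoint(typeof(IWhoAmI), new NetTcpBinding(), "");

        // Setting 1: "WIF" mode. Token handling comes from <system.identityModel>
        // (or the defaults), and the ClaimsAuthenticationManager is honoured.
        host.Credentials.UseIdentityConfiguration = true;
        host.Credentials.IdentityConfiguration.ClaimsAuthenticationManager =
            new DemoClaimsAuthenticationManager();

        // Setting 2: always set Thread.CurrentPrincipal to the client's ClaimsPrincipal.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Always;

        host.Open();
        Console.WriteLine("Listening on {0}. Press Enter to stop.", host.BaseAddresses[0]);
        Console.ReadLine();
        host.Close();
    }
}
```

If you leave PrincipalPermissionMode at its default, the demand on WhoAmI is evaluated against whatever principal WCF happens to put on the thread for that authentication mode, which is exactly the "weird and wrong" behaviour the post refers to; with Always the demand and ClaimsPrincipal.Current agree on who the caller is. If you leave UseIdentityConfiguration at false, DemoClaimsAuthenticationManager never runs, so the role claim is never added and the demand fails.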
In the next posts I will go through some common (and sensible) scenarios for WCF and show how you deal with identity.

This entry was posted in IdentityModel, WCF.

4 Responses to WCF and Identity in .NET 4.5: Overview

  1. Pingback: WCF and Identity in .NET 4.5: Windows Authentication | www.leastprivilege.com

  2. Pingback: WCF and Identity in .NET 4.5: UserName/Password Authentication | www.leastprivilege.com

  3. Pingback: WCF and Identity in .NET 4.5: Client Certificate Authentication | www.leastprivilege.com

  4. Pingback: WCF and Identity in .NET 4.5: External Authentication with WS-Trust | www.leastprivilege.com
