In the blog posts 1 & 2, we went over how a Workflow application can pass credentials to the LOB activities. While the mechanisms suggested work when the credentials originate from the application in question, a different approach is required when the credentials originate somewhere else. Consider a WCF service that’s implemented as a Workflow and uses the LOB activities to interact with the backend LOBs. The client of this service passes the credentials to the service which then needs to relay them to the LOB activities. In this post, we will go over one approach to handle this scenario.  We will limit the scenario to the credentials being flown as Username/Password.


The approach makes use of the extensibility provided by WCF to hook in a custom SecurityTokenAuthenticator. The authenticator will extract the username/password and stuff it into the OperationContext. It does so by adding a claim-set in an authorization policy. Subsequently a custom ClientCredentials endpoint behavior will be used to extract it from the OperationContext and populate the UserName that will then be used by the underlying WCF LOB adapter to authenticate with the LOB.


Here’s a more detailed explanation of the approach. Please note that the main intention of the attached code is to illustrate the approach and the emphasis is not on making the code efficient/robust.  


Extracting the username/password and associating it with the OperationContext

  • A custom ServiceCredentials service behavior (MyServiceCredentials in the attached code) is added
  • The above service behavior will create a SecurityTokenManager (MySecurityTokenManager in the attached code)
  • The above security token manager will create a SecurityTokenAuthenticator (MySecurityTokenAuthenticator in the attached code)
  • When the security token authenticator is called to validate the username/password, it will
    • Create a custom claim that contains the username/password
    • Create a claim-set containing the above claim
    • Create an authorization policy containing the above claim set
    • Return a list containing the above policy

Extracting the username/password from the OperationContext and populating ClientCredentials.UserName

  • A custom ClientCredentials endpoint behavior (MyClientCredentials in the attached code) is added to the endpoint used by the LOB activity
  • When the above behavior gets instantiated, it will Look up the authorization context from the current OperationContext’s ServiceSecurityContext
    • Walk the list of claim-sets associated looking for the custom claim
    • When found, it will extract the username/password from that claim and populate the UserName property

Sandeep Prabhu