Federation over TCP streaming


Friday, July 04, 2008 2:14:01 AM (GMT Standard Time, UTC+00:00) ( Federation/STS )

Pablo described here a way to configure federation over TCP. In his approach he gets a SAML token from the STS and then uses that token to get a security context token, which provides the actual message security throughout the session.

Because message security only works in buffered mode, his approach is not suitable for a TCP streaming scenario. To enable federation along with TCP streaming you have to use mixed mode security (TransportWithMessageCredential) over TCP. Consider the following binding, which uses mixed mode security.

      <netTcpBinding>
        <binding name="tcp" transferMode="Streamed">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="IssuedToken"/>
            <transport clientCredentialType="Windows"></transport>
          </security>
        </binding>
      </netTcpBinding>

Now the trouble is that there is no way to configure STS settings in this binding configuration, so your only choice is to mimic the above settings in a custom binding.

      <wsHttpBinding>
        <binding name="simpTransport">
          <security mode="Transport">
            <transport clientCredentialType="None"/>
          </security>
        </binding>
      </wsHttpBinding>

      <customBinding>
        <binding name="tcp">
          <security authenticationMode="SecureConversation">
            <secureConversationBootstrap authenticationMode="IssuedTokenOverTransport">
              <issuedTokenParameters>
                <issuer address="https://localhost:9000/STS" binding="wsHttpBinding" bindingConfiguration="simpTransport"/>
              </issuedTokenParameters>
            </secureConversationBootstrap>
          </security>
          <windowsStreamSecurity/>
          <tcpTransport transferMode="Streamed" />
        </binding>
      </customBinding>
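
An added example, not part of the original post: a small Python check that applies the rule above to a WCF bindings section and flags streamed TCP bindings that depend on message-level security. The sample config, the binding names badStream and badCustom, and the "authenticationMode ends with OverTransport" heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
STREAMED = {"Streamed", "StreamedRequest", "StreamedResponse"}
STREAM_SECURITY = ("windowsStreamSecurity", "sslStreamSecurity")

# Constructed sample: the two "tcp" bindings follow the post; the "bad*" ones are made up.
SAMPLE = """<bindings>
  <netTcpBinding>
    <binding name="tcp" transferMode="Streamed"><security mode="TransportWithMessageCredential"/></binding>
    <binding name="badStream" transferMode="Streamed"><security mode="Message"/></binding>
  </netTcpBinding>
  <customBinding>
    <binding name="tcp">
      <security authenticationMode="SecureConversation">
        <secureConversationBootstrap authenticationMode="IssuedTokenOverTransport"/>
      </security>
      <windowsStreamSecurity/>
      <tcpTransport transferMode="Streamed"/>
    </binding>
    <binding name="badCustom">
      <security authenticationMode="IssuedToken"/>
      <tcpTransport transferMode="Streamed"/>
    </binding>
  </customBinding>
</bindings>"""

def lint_bindings(config_xml):
    """Return (kind, name, finding) for streamed TCP bindings that rely on message security."""
    findings = []
    root = ET.fromstring(config_xml)
    for b in root.findall(".//netTcpBinding/binding"):
        sec = b.find("security")
        mode = sec.get("mode", "Transport") if sec is not None else "Transport"
        if b.get("transferMode") in STREAMED and mode == "Message":
            findings.append(("netTcpBinding", b.get("name"), "message security with streamed transfer"))
    for b in root.findall(".//customBinding/binding"):
        tcp = b.find("tcpTransport")
        if tcp is None or tcp.get("transferMode") not in STREAMED:
            continue  # only streamed TCP transports are in scope
        if not any(b.find(tag) is not None for tag in STREAM_SECURITY):
            findings.append(("customBinding", b.get("name"), "no stream security element"))
        sec = b.find("security")
        if sec is not None:
            # Under SecureConversation the bootstrap decides how the issued token travels.
            boot = sec.find("secureConversationBootstrap")
            mode = (boot if boot is not None else sec).get("authenticationMode", "")
            if not mode.endswith("OverTransport"):  # heuristic (assumption)
                findings.append(("customBinding", b.get("name"), "message-level authenticationMode " + repr(mode)))
    return findings

if __name__ == "__main__":
    print(*lint_bindings(SAMPLE), sep="\n")
```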
