The Windows Communication Foundation (WCF) authentication service enables you to use ASP.NET membership to authenticate users from any application that can send and consume a SOAP message. This can include applications that do not use the .NET Framework. Users of these different applications therefore do not need separate credentials for each application. Users can provide the same credentials when they use any one of the client applications, and be logged in to the application from all of them.
You access the authentication service as a WCF service when you have to authenticate users by using ASP.NET membership from an application that is not an ASP.NET Web application. This can include a console application, a Windows Forms application, or an application that is not developed with the .NET Framework. The application must be able to send and consume a SOAP message.
To use the service, you pass the user’s credentials to the authentication service, which validates the credentials by using ASP.NET membership. By default, the authentication service validates the user name and password by passing them to the default membership provider.
When the user has been authenticated, the ASP.NET authentication service issues an authentication ticket as an HTTP cookie that is compatible with ASP.NET forms authentication. In subsequent requests, the ticket is passed to the Web application so that the user does not have to provide credentials every time.
The authentication service does not support embedding the authentication ticket in the URL. Therefore, cookies must be enabled in the client to retain the authentication ticket.
Authenticating with Custom Credentials
You can add custom credentials in an authentication request when you have to validate the user by using information in addition to a name and password, such as an identification number. To include additional information for authentication, you pass the customized credentials in the CustomCredential parameter when you call the login method of the authentication service. You then create an event handler for the Authenticating event. In the handler, you can read the credentials and validate them yourself. For more information, see How to: Customize User Login When Using the WCF Authentication Service.
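One way to write the Authenticating handler described above, in Global.asax.cs. This is an added example, not code from the original topic. The IdHashes store, its sample entry, and the helper names Hash and FixedTimeEquals are assumptions made for illustration; a real application would read the identification number from its own data store.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.ApplicationServices;
using System.Web.Security;

public class Global : System.Web.HttpApplication
{
    // Constructed sample data (assumption): user name -> SHA-256 of the
    // identification number. Stands in for the application's real store.
    static readonly Dictionary<string, byte[]> IdHashes =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        { { "alice", Hash("ID-0001") } };

    protected void Application_Start(object sender, EventArgs e)
    {
        AuthenticationService.Authenticating += OnAuthenticating;
    }

    static void OnAuthenticating(object sender, AuthenticatingEventArgs e)
    {
        // Fail closed: any missing field or mismatch leaves Authenticated false.
        e.Authenticated = false;
        byte[] expected;
        if (!string.IsNullOrEmpty(e.UserName) && !string.IsNullOrEmpty(e.CustomCredential)
            && Membership.ValidateUser(e.UserName, e.Password)
            && IdHashes.TryGetValue(e.UserName, out expected))
        {
            e.Authenticated = FixedTimeEquals(expected, Hash(e.CustomCredential));
        }
        // Mark the decision as final so the service uses e.Authenticated
        // instead of running its default name/password-only check.
        e.AuthenticationIsComplete = true;
    }

    static byte[] Hash(string value)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Compare every byte; do not return at the first difference.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The handler never copies e.Password or e.CustomCredential anywhere that outlives the request, so neither value can end up in the authentication ticket.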
Authenticating with a Custom Membership Provider
Never store the user’s password or other sensitive data in the ticket.