7
votes

I am curious to find out how we could possibly send a security token from a WIF application that has already been authenticated to a WIF-enabled WCF service.

Any assistance will be appreciated.

3
I was hoping you would get an answer to this. It is the default design: Web App -> WCF service. .Net devs are encouraged to utilise WIF but the implementation suggestions I am seeing are in no way prescriptive. – David Evans

3 Answers

6
votes

The answer is not simple but the following steps constitute the 'recommended pattern' and are documented in the following MSDN article: Identity Delegation with AD FS 2.0 Step-by-Step Guide

In summary

  1. Allow your web application access to a special token (bootstrap token) that can be used to request services on behalf of the user who has authenticated using an STS, by adding an item in the web.config:

    saveBootstrapTokens="true"

  2. Create a new trust between the WCF WIF-enabled service and the STS so it 'knows' that the service can act as another authenticated user (ActAs). Hopefully, you are using ADFS v2, as I imagine writing all the plumbing for a custom STS with ActAs behaviour is not trivial.

  3. When calling the WCF service you create a new channel, specifically passing the bootstrap token:

    channel = factory.CreateChannelActingAs(callerToken);

I am a little concerned about performance due to all of the channel creation and how much the WCF services and the web app need to talk to the STS service.

0
votes

@David Evans - I don't have the reputation to append to your answer. However, I believe the last step is incorrect and could be very confusing, as you can validly pass the bootstrap token in the ActingAs call.

The problem is that you state that you should pass the bootstrap token. However, what happens is that in the process of establishing ActAs trust, an ActAs/issued token is created. This token is not the bootstrap token. In fact, you need the user's bootstrap token to create this new token, which represents the relying party acting as the particular authenticated user.

So step two would be: create the ActAs token (which involves everything you mention). And step three would be: call the WCF service using the ActAs token, not the bootstrap token.

0
votes

Microsoft provides an Identity Training Kit with different identity examples, using WIF 4.5. The example `InvokingViaDelegatedAccess` in there demonstrates perfectly the usage of the ActAs delegation scenario. However, it cost me days to bring the `InvokingViaDelegatedAccess` example up and running. After doing a lot of workarounds, I was finally able to run the setup and execute this example. I have written an installation manual that you can download here:

enter link description here Enjoy ))

The example, however, is running on a Windows 7 VM with Visual Studio 2012 installed.

It is correct that you have to save the bootstrap token. After login to your web application, you have to cache the token that was issued from the SecurityTokenService first. Using WIF 4.5 this can be done with the following setting in the web.config:

<identityConfiguration saveBootstrapContext="true">

The WCF ChannelFactory then has different methods (CreateChannelWithActAsToken, CreateChannelWithIssuedToken, CreateChannelWithOnBehalfOfToken) supporting delegation scenarios from a backend application to a WCF service. Using the ActAs scenario, CreateChannelWithActAsToken extracts the bootstrap token, sends the bootstrap token to an STS, the STS creates a new SecurityToken with new (or copied) claim values, and then the backend service is called using the ActAs SecurityToken. Using this method, a new ActAs SecurityToken will be issued every time you call the service. If you don't want this, CreateChannelWithIssuedToken may be the better method for you, because you can then cache the issued token in a cookie and re-use it for other calls.

/patric seiler, developer .net www.itconsulting24.com
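As an added example (not code from any of the answers above or from the Identity Training Kit), the following C# shows the two call patterns discussed in the first and third answers on the WIF 4.5 (`System.IdentityModel` / `System.ServiceModel.Security`) API: reading the cached bootstrap token from `ClaimsIdentity.BootstrapContext`, calling the service with `CreateChannelWithActAsToken` (a fresh STS round trip per call), and the alternative of requesting the ActAs token once through `WSTrustChannelFactory` and reusing it with `CreateChannelWithIssuedToken`. The service contract `IOrderService`, the endpoint configuration name `OrderServiceEndpoint`, and the STS/service addresses are assumptions for illustration; the WIF 3.5 equivalents in the first answer are `IClaimsIdentity.BootstrapToken` and `CreateChannelActingAs`.

```csharp
// Added example: WIF 4.5 web application calling a WCF service on behalf of the
// signed-in user (ActAs delegation). Requires in web.config:
//   <system.identityModel><identityConfiguration saveBootstrapContext="true">...
// The contract, endpoint name and addresses below are hypothetical.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security; // ChannelFactoryOperations, WSTrustChannelFactory

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrdersForCurrentUser();
}

public static class DelegatedServiceClient
{
    // The bootstrap token WIF cached at sign-in. Without saveBootstrapContext="true"
    // BootstrapContext is null, which is the first thing to check when delegation fails.
    public static SecurityToken GetBootstrapToken(ClaimsPrincipal principal)
    {
        var identity = principal != null ? principal.Identity as ClaimsIdentity : null;
        var bootstrap = identity != null ? identity.BootstrapContext as BootstrapContext : null;
        if (bootstrap == null || bootstrap.SecurityToken == null)
            throw new InvalidOperationException(
                "No bootstrap token on the identity; set saveBootstrapContext=\"true\" in <identityConfiguration>.");
        return bootstrap.SecurityToken;
    }

    // Pattern 1 (first/third answer): WIF sends the bootstrap token as the ActAs
    // element of an RST to the STS on every call and uses the issued token for the service.
    public static string CallWithActAs(ClaimsPrincipal principal)
    {
        SecurityToken bootstrapToken = GetBootstrapToken(principal);
        var factory = new ChannelFactory<IOrderService>("OrderServiceEndpoint"); // hypothetical config name
        factory.ConfigureChannelFactory(); // swap in WIF's WS-Trust-aware token provider
        IOrderService channel = factory.CreateChannelWithActAsToken(bootstrapToken);
        return Invoke(channel, factory);
    }

    // Pattern 2 (third answer): obtain the ActAs token once and cache it; callers
    // pass it back for subsequent requests instead of hitting the STS each time.
    public static SecurityToken IssueActAsToken(SecurityToken bootstrapToken,
                                               string stsAddress, string serviceAddress)
    {
        // Binding and client credentials for the STS would normally come from config;
        // WS2007HttpBinding is a common choice for an ADFS 2.0 WS-Trust 1.3 endpoint.
        var stsFactory = new WSTrustChannelFactory(new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential),
                                                   new EndpointAddress(stsAddress));
        stsFactory.TrustVersion = TrustVersion.WSTrust13;
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointReference(serviceAddress),
            ActAs = new SecurityTokenElement(bootstrapToken),
            KeyType = KeyTypes.Bearer
        };
        try
        {
            return stsFactory.CreateChannel().Issue(rst);
        }
        finally
        {
            stsFactory.Close();
        }
    }

    public static string CallWithCachedToken(SecurityToken actAsToken)
    {
        var factory = new ChannelFactory<IOrderService>("OrderServiceEndpoint");
        factory.ConfigureChannelFactory();
        IOrderService channel = factory.CreateChannelWithIssuedToken(actAsToken);
        return Invoke(channel, factory);
    }

    // Close the channel cleanly, or abort it if the call left it faulted.
    private static string Invoke(IOrderService channel, ChannelFactory factory)
    {
        var comm = (ICommunicationObject)channel;
        try
        {
            return channel.GetOrdersForCurrentUser();
        }
        finally
        {
            if (comm.State == CommunicationState.Faulted) comm.Abort(); else comm.Close();
            factory.Close();
        }
    }
}
```

The cached token in pattern 2 is a bearer credential for the user: store it server-side (or encrypted, as the WIF session cookie is) and honour its lifetime, since an expired or replayed ActAs token is rejected by the service and a leaked one lets another party act as that user for as long as it is valid.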