0
votes

I have incorporated security into my WCF service using WIF. Below is my high-level design.

  1. WIF STS application - here I have used a custom username security token handler to validate the username & password
  2. WCF service - list of services
  3. Web application -> where I consume the WCF service.

The STS custom username security token handler is as follows:

using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

public class CustomUserNameSecurityTokenHandler : UserNameSecurityTokenHandler
{
    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        UserNameSecurityToken userNameToken = token as UserNameSecurityToken;
        if (userNameToken == null)
            throw new SecurityTokenException("Expected a UserNameSecurityToken.");
        // The property on UserNameSecurityToken is UserName (not username); the posted code did not compile.
        CredentialStore.AuthenticateUser(userNameToken.UserName, userNameToken.Password);

        // ...
        // Return at least a name claim for the authenticated user.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userNameToken.UserName) });
        return new ClaimsIdentityCollection(new IClaimsIdentity[] { identity });
    }
}

Code to consume the WCF service from the web application:

// Swap the default ClientCredentials behaviour for one that caches the issued token.
ClientCredentials oldCredentials = client.Endpoint.Behaviors.Remove<ClientCredentials>();
CachedClientCredentials newCredentials = new CachedClientCredentials(_tokenCache, oldCredentials);

client.Endpoint.Behaviors.Add(newCredentials);

// These two values are all the STS token handler currently receives.
client.ClientCredentials.UserName.UserName = "Admin";
client.ClientCredentials.UserName.Password = "password";

client.Authenticate();

While consuming the WCF service I am able to send the username and password to the STS ValidateToken method for authentication. My scenario is that I want to send one more value (the current web site address) to the ValidateToken method from the consuming side. I have a workaround that sends the additional value as part of the username, but that is not a good way to do it.

So could you please help me to resolve my issue?

1
Did you ever find a solution to this? - Tommy Jakobsen

1 Answer

2
votes

An STS service that I have implemented requires a ClientID in addition to the username and password. I've solved this problem by adding custom elements into the security token request when initialising the service client. The STS service then reads out these values whilst authorizing the token and also passes back the ClientID in the claims.

using System.ServiceModel;
using System.Xml;

// init client..
_serviceClient.ClientCredentials.UserName.UserName = Username;
_serviceClient.ClientCredentials.UserName.Password = Password;

// Name and Value are the extra element's local name and text; the first argument is the XML prefix.
var doc = new XmlDocument();
XmlElement customElement = doc.CreateElement("ExtraAuthData", Name, "http://localhost/STS/identity");
customElement.InnerText = Value;

// The element travels inside the RequestSecurityToken when the federation binding fetches a token from the STS.
(_serviceClient.Endpoint.Binding as WS2007FederationHttpBinding).Security.Message.TokenRequestParameters.Add(customElement);

Not sure if this is a recommended approach or not, I couldn't find any other way of doing this.
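As an added example (not the answerer's code), here is the STS side of this approach: a WSTrust13RequestSerializer subclass that copies the custom element into the RST's Properties, and a SecurityTokenService that checks it and echoes it back as a claim. The element name ClientID, the claim type URI, the ExtraDataSecurityTokenService/ExtraDataRequestSerializer class names and the IsRegisteredClient check are assumptions; the namespace is the one from the answer.

```csharp
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Assumed names: the client added <ClientID> in this namespace to TokenRequestParameters.
public static class ExtraAuthData
{
    public const string Namespace = "http://localhost/STS/identity";
    public const string ClientIdElement = "ClientID";
    public const string ClientIdClaimType = "http://localhost/STS/identity/claims/clientid";
}

// Pulls the recognised extra element into RequestSecurityToken.Properties;
// every other element is handed to the stock WS-Trust 1.3 reader.
public class ExtraDataRequestSerializer : WSTrust13RequestSerializer
{
    public override void ReadXmlElement(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context)
    {
        if (reader.IsStartElement(ExtraAuthData.ClientIdElement, ExtraAuthData.Namespace))
        {
            rst.Properties[ExtraAuthData.ClientIdElement] = reader.ReadElementContentAsString();
            return;
        }
        base.ReadXmlElement(reader, rst, context);
    }
}

public class ExtraDataSecurityTokenService : SecurityTokenService
{
    public ExtraDataSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        return new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // The element is asserted by the caller, so it is checked against a known list rather than trusted as-is.
        object clientId;
        if (!request.Properties.TryGetValue(ExtraAuthData.ClientIdElement, out clientId) || !IsRegisteredClient((string)clientId))
            throw new InvalidRequestException("Missing or unregistered ClientID in token request.");
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        identity.Claims.Add(new Claim(ExtraAuthData.ClientIdClaimType, (string)clientId));
        return identity;
    }

    // Assumed stand-in for a lookup of registered relying parties.
    private static bool IsRegisteredClient(string clientId) { return clientId == "WebApp1"; }
}
```

Wire both up on the SecurityTokenServiceConfiguration (its WSTrust13RequestSerializer and SecurityTokenService properties). Note that the extra value is read in the STS request pipeline, not inside the UserNameSecurityTokenHandler, which only ever sees the username token itself.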