AnswerActAs vs. OnBehalfOf

  • Tuesday, November 18, 2008 6:04 AM, Scott Brady
     
    Could someone please explain to me the difference between the ActAs and OnBehalfOf properties on FederatedClientCredentialsParameters, or the CreateChannelActingAs and CreateChannelOnBehalfOf methods on ChannelFactory<T>?

    Thanks,
    Scott

Answers

All Replies

  • Friday, November 21, 2008 1:10 AM, Shiung Yong - MSFT
     Answer

    <Post deleted, please see my latest response below>

     

  • Thursday, August 20, 2009 8:15 AM, thilinamb
     
    Hi Shiung,

    I am not clear about step 3 of the "ActAs" scenario. It says that "STS issues a token, T3, containing claims based on both T1 and T2." So what is the format of T3? If it is a SAML token, how are we going to represent the claims of both T2 and T3? Is there any standard or specification about the format of these tokens? Otherwise interoperability might be a nightmare in this scenario.

    Thanks.
    /thilina

  • Wednesday, November 04, 2009 12:08 AM, Shiung Yong - MSFT
     

    The wire format of how delegated claims are represented is not yet standardized. WIF will serialize the entire contents of an actor identity into a string, which gets escaped and written out inside an "Actor" claim (as a SAML Attribute). If WIF is on the deserializing end, then the delegation chain is accessible via IClaimsIdentity.Actor, which is itself an IClaimsIdentity. This allows support for multi-level delegation.

  • Tuesday, November 10, 2009 6:51 PM, Travis Spencer
     
    Other STS products use OBO to solve the first scenario rather than ActAs.  Why use ActAs instead of OBO?  Is it because OBO doesn't give you information about the delegate, only the subject, thus, making it impersonation whereas ActAs is delegation?  By using ActAs for the first scenario rather than OBO, the issuer has more information (e.g., the path the subject has taken to access the RP) to determine what claims to issue.  Correct?
    Regards,

    Travis Spencer
    http://travisspencer.com
  • Tuesday, November 10, 2009 7:27 PM, Shiung Yong - MSFT
     Proposed Answer

    That is correct. The key difference between the two is information about the middle tier services, or impersonation vs delegation.

    The scenarios I described above were meant to serve as examples. However, I just noticed that a search for "actas" and "onbehalfof" in the same query on any search engine now yields this forum post as a first hit. It's best if I provide the latest guidance from WIF. You will find this information in our latest documentation as well.

    An ActAs RST element indicates that the requestor wants a token that contains claims about two distinct entities: the requestor, and an external entity represented by the token in the ActAs element.

    An OnBehalfOf RST element indicates that the requestor wants a token that contains claims only about one entity: the external entity represented by the token in the OnBehalfOf element.

    In short, the ActAs feature is typically used in scenarios that require composite delegation, where the final recipient of the issued token can inspect the entire delegation chain and see not just the client but all intermediaries, in order to perform access control, auditing and other related activities based on the whole identity delegation chain. The ActAs feature is commonly used in multi-tiered systems to authenticate and pass information about identities between the tiers without having to pass this information at the application/business logic layer.

    The OnBehalfOf feature is used in scenarios where only the identity of the original client is important, and is effectively the same as the identity impersonation feature available in the Windows OS today. When OnBehalfOf is used, the final recipient of the issued token can only see claims about the original client, and the information about intermediaries is not preserved. One common pattern where the OnBehalfOf feature is used is the proxy pattern, where the client cannot access the STS directly but instead communicates through a proxy gateway. The proxy gateway authenticates the caller and puts information about him into the OnBehalfOf element of the RST message that it then sends to the real STS for processing. The resulting token will contain only claims related to the client of the proxy, making the proxy completely transparent and not visible to the receiver of the issued token.
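What the relying party actually sees on the receiving end of the two features, as an added example that is not part of the thread and not WIF's own code: an ActAs-issued token deserializes into an identity whose Actor chain holds every intermediary, while an OnBehalfOf-issued token yields an identity with no Actor at all. The code uses the .NET 4.5 System.Security.Claims types, where the WIF 1.0 IClaimsIdentity.Actor property mentioned above lives as ClaimsIdentity.Actor; the identities, principal names and the trusted-tier allow list are constructed by hand to stand in for what a token handler would produce, and the helper names (Chain, FirstUntrustedTier, AuditLine) are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example, not from the forum thread or from WIF itself.
// Shows how a relying party inspects the delegation chain that an ActAs-issued
// token carries (ClaimsIdentity.Actor, IClaimsIdentity.Actor in WIF 1.0) and why
// an OnBehalfOf-issued token gives it nothing to inspect.
static class DelegationChain
{
    // Hypothetical allow list of intermediaries this RP accepts as ActAs callers.
    static readonly HashSet<string> TrustedTiers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "web-frontend@example.com",
            "order-service@example.com",
        };

    // Walks the chain outermost first: the subject, then each intermediary in turn.
    // Multi-level delegation is just a deeper chain of Actor links.
    public static IEnumerable<ClaimsIdentity> Chain(ClaimsIdentity identity)
    {
        for (var current = identity; current != null; current = current.Actor)
            yield return current;
    }

    // OnBehalfOf result: Actor is null, only the original client is visible (impersonation).
    // ActAs result: Actor is set, the intermediaries are preserved (delegation).
    public static bool IsDelegated(ClaimsIdentity identity)
    {
        return identity.Actor != null;
    }

    // Access control over the whole chain: every intermediary must be a trusted tier.
    // Returns the first untrusted tier's name, or null when the chain is acceptable.
    public static string FirstUntrustedTier(ClaimsIdentity identity)
    {
        foreach (var tier in Chain(identity).Skip(1)) // Skip(1): the subject is not a tier
        {
            var name = tier.Name ?? "<anonymous>";
            if (!TrustedTiers.Contains(name))
                return name;
        }
        return null;
    }

    // Audit record of the path the subject took to reach this RP.
    public static string AuditLine(ClaimsIdentity identity)
    {
        return string.Join(" -> ", Chain(identity).Select(i => i.Name ?? "<anonymous>"));
    }

    // Builds a minimal identity; nameType is given explicitly so Name resolves.
    static ClaimsIdentity Identity(string name)
    {
        return new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, name) },
            "Federation", ClaimTypes.Name, ClaimTypes.Role);
    }

    static void Main()
    {
        // Constructed sample of an ActAs chain: alice -> web-frontend -> order-service.
        var actAs = Identity("alice@example.com");
        actAs.Actor = Identity("web-frontend@example.com");
        actAs.Actor.Actor = Identity("order-service@example.com");

        // Constructed sample of an OnBehalfOf result: the proxy is invisible.
        var onBehalfOf = Identity("alice@example.com");

        // Constructed sample of an ActAs chain through an intermediary not on the allow list.
        var rogue = Identity("alice@example.com");
        rogue.Actor = Identity("unknown-proxy@example.com");

        foreach (var id in new[] { actAs, onBehalfOf, rogue })
        {
            Console.WriteLine("{0}  delegated={1}  untrusted={2}",
                AuditLine(id), IsDelegated(id), FirstUntrustedTier(id) ?? "none");
        }
    }
}
```

The point the check makes is the one in the answer above: with OnBehalfOf, FirstUntrustedTier can never reject anything because the chain has length one, so any policy about which middle tiers may speak for a user has to live somewhere other than the relying party; with ActAs, the same policy can be enforced at the final recipient and every hop is available for the audit line.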