Identity Delegation Doubt
- Hi,
I am having some doubts with the Identity Delegation Sample that comes with the Geneva framework. I warn you that I am not an expert in WCF (I have very basic knowledge), which is probably causing me some trouble.
As I see it, when the user browses to the WFE (web front end), it is redirected to the passive STS, which authenticates the user by Windows authentication and gives him the signed token. With that the user goes back to the WFE, where he wants to invoke service 2. For that the WFE needs to send the user's claims to service 2; here is where identity delegation takes place. The WFE needs to authenticate with an IP (identity provider, also an STS) that service 2 trusts. For this it uses WS-Trust to communicate with the "STS" (an active STS), sending the user's bootstrap token in order to create the token with the claims of both the user and the WFE. The "STS" authenticates the WFE by Windows authentication and generates the corresponding token, which is finally used by the WFE to invoke service 2.
The questions are:
1) WFE sends the token that was issued by the passive STS and delivered by the user to the "STS" (the active STS). Does WFE decrypt the token first? Because the passive STS needs to have access to the claims in that token.
2) I can't find a place where this is explained step by step, especially the configuration, which, at least for me, is quite complex. Can you tell me where I can get information so I can understand how this sample is configured?
3) The "STS" is authenticating the WFE by Windows authentication. I would like to know what I should do if I want the "STS" to authenticate the WFE with certificates or username/password. As I don't understand the configuration, I don't even know where to start :(
4) I think that in this sample the service proxy was generated with svcutil, and the channel factory that is used to create the "acting as" channel uses this proxy. Can I add the service as a service reference, as it is quicker to update the proxy when the service is constantly changing? Can you please explain to me how to do it this way.
I would REALLY appreciate your help, as I am working on a project for the University that uses all this stuff and I am quite stuck.
Thank you in advance.
Regards,
Juan Andrés
All Replies
1) WFE sends the token that was issued by the passive STS and delivered by the user to the "STS" (the active STS). Does WFE decrypt the token first? Because the passive STS needs to have access to the claims in that token.
WFE is consuming the token issued by PassiveSTS and passing it along in a new token request to STS. There is no direct communication between the user and STS in this scenario. WFE is acting as proxy between the two.
2) I can't find a place where this is explained step by step, especially the configuration, which, at least for me, is quite complex. Can you tell me where I can get information so I can understand how this sample is configured?
Shiung posted a nice and succinct explanation of a general ActAs scenario in another thread. I've copied it here, with the roles replaced:
1. Client authenticates to WFE using some token, T1, issued by PassiveSTS
2. WFE authenticates to STS with its own token, T2, presenting T1 in the RST body as an ActAs element.
3. STS issues a token, T3, containing claims based on both T1 and T2.
4. WFE presents T3 to Service2, hence 'acting as the client', Service2 can see both sets of claims.
3) The "STS" is authenticating the WFE by Windows authentication. I would like to know what I should do if I want the "STS" to authenticate the WFE with certificates or username/password. As I don't understand the configuration, I don't even know where to start :(
This is more of a WCF question; for that I'd refer you to the MSDN docs, but in the meantime take a look at GetSTSBinding() in the STS and at the ws2007HttpBinding element in WFE's Web.config.
4) I think that in this sample the service proxy was generated with svcutil, and the channel factory that is used to create the "acting as" channel uses this proxy. Can I add the service as a service reference, as it is quicker to update the proxy when the service is constantly changing? Can you please explain to me how to do it this way.
Yes. The svcutil-generated content inside WFE shouldn't have a dependency on how you create your channel, which in this case you're doing by calling CreateChannelActingAs() instead of the vanilla CreateChannel(). ActAs doesn't inhibit you from updating your service reference.
Hope that helps clear things up.
- Thanks for the quick response!
I have some questions regarding my previous questions 2, 3 and 4.
2) Thanks for the explanation of how the ActAs scenario works. I understand the theory; what I don't understand is the implementation. Do you know of some place where the implementation with the Geneva framework and WCF is explained step by step?
Especially the configuration, as there is a lot in WFE's web.config that I don't understand. Also I would like to know if all the binding configuration that is done in code in the STS can be done in a configuration file (App.config). If it is possible, how?
3) About changing the authentication to user/password, I have made some changes in GetSTSBinding(). I have configured it to use user/pass as the authentication mode and I have implemented a custom UserNameSecurityTokenHandler.
My question is, where should I put the WFE's credentials? In the factory that creates the channel to communicate with service 2?
I tried doing that, and when I run the STS it says something like the host failed to open because the service has no certificate specified. Why?
4) I think that you misunderstood me: what I want to do is to add the service reference without explicitly creating the proxy with svcutil.
When I do this, when I want to use the service I simply do "ServiceProxy client = new ServiceProxy()" and that's all. How do I do this in an ActAs scenario?
Thanks in advance,
Juan Andrés
2) In the Identity Developer Training Kit there's a scenario called "Exercise 4: Invoking a WCF Service on the Backend via Delegated Access" under the "Web Services and Identity" section. It has some step-by-step setup implementation instructions that might be what you're looking for.
You can grab it from here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0
Also, the SecurityTokenServiceConfiguration stuff done in the STS sample project must be done in code.
3) Username/password makes sense to authenticate a user to the proxy service (WFE), but I'm not sure this is a practical way of authenticating the proxy service to the backend (Service2).
4) I'm not sure what you mean when you say "add the service reference without explicitly creating the proxy". Do you mean removing WFE from the scenario and having the client contact Service2 directly? Because if so I don't think ActAs would be necessary. Could you give us a specific example to illustrate what you mean?
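A worked example of the question 4 exchange above, added here and not taken from the sample or from either poster: the WFE calls Service2 with the contract that "Add Service Reference" generates, but through a ChannelFactory and the CreateChannelActingAs() call named in the first reply rather than through the generated client class. Assumed names are IService2, the endpoint name "Service2Endpoint" in WFE's web.config and a contract method GetData(); the API names are those of the released Windows Identity Foundation 3.5 and may differ from the Geneva beta the sample targeted.

```csharp
// Added example (not part of the sample): ActAs call from WFE to Service2 using the
// IService2 contract generated by "Add Service Reference". Assumed names: IService2,
// the endpoint "Service2Endpoint" in WFE's web.config, and the method GetData().
// API names are those of Windows Identity Foundation 3.5 (Microsoft.IdentityModel).
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;

public static class Service2Caller
{
    public static string CallService2ActingAsUser()
    {
        // T1, the token issued by PassiveSTS, is only kept on the identity when
        // <service saveBootstrapTokens="true"> is set under <microsoft.identityModel>;
        // otherwise BootstrapToken is null and the ActAs request cannot be built.
        IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        SecurityToken bootstrapToken = identity == null ? null : identity.BootstrapToken;
        if (bootstrapToken == null)
        {
            throw new InvalidOperationException(
                "No bootstrap token on the current identity: enable saveBootstrapTokens " +
                "and make sure the user authenticated through PassiveSTS.");
        }

        // The generated Service2Client (ClientBase<IService2>) is not used; only the
        // generated IService2 contract and the endpoint configuration are, so updating
        // the service reference keeps working and ActAs is unaffected.
        ChannelFactory<IService2> factory = new ChannelFactory<IService2>("Service2Endpoint");
        factory.ConfigureChannelFactory();                   // WIF hooks the factory's WS-Trust client
        IService2 channel = factory.CreateChannelActingAs(bootstrapToken); // T1 goes into the RST ActAs element

        try
        {
            return channel.GetData();                        // Service2 sees the user's and WFE's claims
        }
        finally
        {
            ICommunicationObject comm = (ICommunicationObject)channel;
            if (comm.State == CommunicationState.Faulted) comm.Abort(); else comm.Close();
            factory.Close();
        }
    }
}
```

The WFE's own credentials (T2) are not set here; they come from the ws2007HttpBinding / issuedTokenParameters configuration of "Service2Endpoint" that the first reply points to.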