AnswerIdentity Training Kit Lab - Question about ActAs

  • Saturday, October 31, 2009 8:01 PM, wtfChris
    In the identity training kit lab, the WeatherStation sample uses delegation to pass the token to the satellite service. I am able to follow the code here, but I don't understand the binding.

      <binding name="FederationBinding">
        <security authenticationMode="IssuedToken"
                  messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
          <issuedTokenParameters keyType="SymmetricKey"
                                 tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <issuer address="https://localhost/ActAsStsEx04/Issue.svc/windows_over_transport"
                    binding="ws2007HttpBinding"
                    bindingConfiguration="IssuedTokenBinding">
            </issuer>
            <issuerMetadata address="https://localhost/ActAsStsEx04/Issue.svc/windows_over_transport/mex"/>
          </issuedTokenParameters>
        </security>
        <httpTransport/>
      </binding>
    
    This binding tells me that the endpoint is secured by an Issued token (a SAMLv1.1 token) from the STS endpoint located at https://localhost/ActAsStsEx04/Issue.svc/windows_over_transport.  The binding configuration

      <ws2007HttpBinding>
        <binding name="IssuedTokenBinding">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Windows" establishSecurityContext="false" />
          </security>
        </binding>
      </ws2007HttpBinding>
    
    Why is the binding using Windows credentials?  The STS issues tokens based on Username/password, right?

    Next question: Do you have to have 2 STSes to do delegation? Could the same STS be used to issue the original token and the delegated token? In all the examples, there is always an "ActAs" STS. Can they be combined? The SecurityTokenHandlers that accept the SAML token are assigned to the ActAs key in the handlers collection, which I infer to mean that they are only involved when a delegated RST is received.

Answers

  • Monday, November 02, 2009 1:52 PM, wtfChris (Answer)

    I figured out what's going on in the lab. The service is defended by an issued token from the ActAs STS. But the ActAs STS is also a service, and in the above case it's being defended by Kerberos. Which means (I believe) that the RP will pass their Windows cred to the STS. The STS will treat this as the identity of the caller, but produce a token which has the ActAs identity as the primary identity and the caller's identity as the token's delegate.

    • Marked As Answer by wtfChris, Monday, November 02, 2009 1:52 PM
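As an added illustration of the behaviour the answer describes (this is not the training kit's code), the following shows how the ActAs STS side can be written against the WIF 1.0 Microsoft.IdentityModel API: the RP authenticates to the STS with its own Windows identity, the SAML token carried in the RST's ActAs element becomes the primary identity of the issued token, and the RP is attached as that identity's Actor. The class name, the minimal GetScope body and the "DelegationAllowed" role check are assumptions made for the example.

```csharp
// Added example of an ActAs-capable STS (WIF 1.0 / Microsoft.IdentityModel).
// Class name, GetScope details and the role name are hypothetical.
using System;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class ActAsSecurityTokenService : SecurityTokenService
{
    public ActAsSecurityTokenService(SecurityTokenServiceConfiguration config)
        : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // A real STS would validate request.AppliesTo against a list of known RPs
        // and configure encryption for that RP; kept minimal here (assumption).
        Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                                SecurityTokenServiceConfiguration.SigningCredentials);
        scope.SymmetricKeyEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // 'principal' is whoever authenticated to the STS endpoint. With the
        // windows_over_transport endpoint in the question that is the RP's
        // Windows identity, not the end user.
        IClaimsIdentity caller = (IClaimsIdentity)principal.Identity;

        if (request.ActAs == null)
            return caller; // ordinary token request: the caller is the subject

        // Hypothetical policy: only services in this role may delegate at all.
        if (!principal.IsInRole("DelegationAllowed"))
            throw new InvalidRequestException("Caller is not permitted to use ActAs.");

        // The SAML token inside <ActAs> is validated by the handlers registered
        // under SecurityTokenHandlerCollectionManager.Usage.ActAs.
        IClaimsIdentity actAsSubject = request.ActAs.GetSubject()[0];

        // Append the caller to the end of any existing delegation chain so the
        // issued token names the end user as subject and the RP as its Actor.
        IClaimsIdentity lastActor = actAsSubject;
        while (lastActor.Actor != null)
            lastActor = lastActor.Actor;
        lastActor.Actor = caller.Copy();
        return actAsSubject;
    }
}
```

The satellite service can then read the end user from Thread.CurrentPrincipal and inspect the Actor chain to see which service delegated on its behalf.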

All Replies

  • Sunday, November 01, 2009 8:11 PM, Dominick Baier (MVP)

    I don't know the training kit, but you can definitely combine a "normal" STS and ActAs support.
    Dominick Baier | thinktecture | http://www.leastprivilege.com