How to get a passthrough claim from ACS

    Question

  • My application (Relying Party) uses ACS for authentication. I want to send one unique identifier as an input claim from the application and get it back as is at the time of authentication.

    Checked Rule Groups and saw there is option for passthrough claims. Not sure of how to send an input claim with a value which comes back as is.

    Is there any way to do this?

    Thanks,

    Piyush

    24 February 2012 14:36


All replies

  • There are essentially two types of passthrough rules:

    1. Pass through all claims of any type.
    2. Pass through all claims of type X

    It sounds like you want #2. When you do this, the claim value is maintained in the outgoing token, and you can either maintain the claim type as it was or map it to a new one.

    • Proposed as answer by Oren Melzer (Microsoft), 24 February 2012 21:23
    • Unproposed as answer by Oren Melzer (Microsoft), 28 February 2012 2:07
    24 February 2012 21:23
  • Hi Oren,

    Thanks for the reply.

    I know that pass-through rules for claims of type X can be created. My problem is how to set the value of a claim of type X and send it as an input claim from the relying party.

    For example:
    Windows Live, Google and Yahoo are configured as IdPs in ACS for the relying party application. Now, when federated authentication is configured in the relying party application, there are some input claims (Role, Name, NameIdentifier, IdentityProvider) in the web.config file.

    I need a claim "VendorId" which will contain a GUID. So how do I set the value of the "VendorId" claim in the relying party application and send it to ACS?

    27 February 2012 5:12
  • If I understand you correctly, you want to pass data from the RP to ACS, then after the identity provider is logged in you want that data returned to your RP? This is the purpose of the wctx parameter in WS-Federation, or context if you're using HRD metadata (identityproviders.js). Any value you add to wctx is returned to the RP after the user logs in, so simply stick your VendorId in there.

    Notably, though, wctx passes through the user's browser as a request parameter and is not signed. This means that the VendorId cannot be secure, and could be changed by a malicious user.

    • Marked as answer by MingXu-MSFT (Microsoft), 2 March 2012 8:32
    28 February 2012 2:12
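The round trip Oren describes, written out as an added example (this is not code from the thread, ACS, or WIF). It builds the wsignin1.0 redirect with VendorId in wctx, shows that ACS simply hands wctx back in the response POST, and then shows what a user who edits wctx in the browser gets past. The namespace `contoso.accesscontrol.windows.net`, the realm, the return URL and the GUIDs are constructed values. The HMAC tag goes beyond what the thread discusses: it is the relying party's own integrity check on the value it sent out, not anything ACS signs or validates, and it only proves the RP issued that VendorId, not that it belongs to the user who came back with it.

```python
"""Added example, not from the original thread: a WS-Federation sign-in
round trip through ACS with a VendorId carried in wctx.

Constructed values throughout: the ACS namespace, realm, return URL and
GUIDs are made up. The HMAC over wctx is the relying party's own check,
not a feature of ACS."""

import hashlib
import hmac
import secrets
import uuid
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example.
ACS_SIGNIN = "https://contoso.accesscontrol.windows.net/v2/wsfederation"
REALM = "https://rp.example.com/"
RETURN_URL = "https://rp.example.com/signin-acs"
# Key known only to the RP; ACS never sees it. A real RP would load this
# from configuration rather than generate it at import time.
RP_STATE_KEY = secrets.token_bytes(32)


def protect_wctx(vendor_id: str, key: bytes = RP_STATE_KEY) -> str:
    """Build the wctx value: VendorId plus an HMAC-SHA256 tag the RP checks later."""
    tag = hmac.new(key, vendor_id.encode(), hashlib.sha256).hexdigest()
    return f"VendorId={vendor_id}&tag={tag}"


def build_signin_url(vendor_id: str, key: bytes = RP_STATE_KEY) -> str:
    """The wsignin1.0 request URL the RP redirects the browser to."""
    params = {
        "wa": "wsignin1.0",
        "wtrealm": REALM,
        "wreply": RETURN_URL,
        "wctx": protect_wctx(vendor_id, key),
    }
    return f"{ACS_SIGNIN}?{urlencode(params)}"


def wctx_from_signin_url(url: str) -> str:
    """What ACS sees: wctx is an ordinary query parameter of the browser's request."""
    return parse_qs(urlparse(url).query)["wctx"][0]


def recover_vendor_id(posted_form: dict, key: bytes = RP_STATE_KEY) -> Optional[str]:
    """Handle the wsignin1.0 response POSTed back to wreply.

    ACS returns wctx exactly as it received it; it neither signs nor
    validates it. Only the RP's own tag distinguishes a value the RP sent
    from one the user edited in the browser. Returns None on a bad tag."""
    wctx = posted_form.get("wctx", [""])[0]
    fields = parse_qs(wctx)
    vendor_id = fields.get("VendorId", [""])[0]
    tag = fields.get("tag", [""])[0]
    expected = hmac.new(key, vendor_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return vendor_id


def simulate_round_trip(vendor_id: str, tamper_with: Optional[str] = None,
                        key: bytes = RP_STATE_KEY) -> Optional[str]:
    """Drive the flow: RP redirect -> ACS -> POST back to the RP.

    `tamper_with`, if given, is the VendorId a malicious user substitutes
    in the browser before the response reaches the RP."""
    url = build_signin_url(vendor_id, key)
    wctx = wctx_from_signin_url(url)            # ACS copies this unchanged...
    if tamper_with is not None:                 # ...but the user can rewrite it
        wctx = wctx.replace(f"VendorId={vendor_id}", f"VendorId={tamper_with}")
    # Constructed response form; a real wresult carries the signed token from ACS.
    posted_form = {
        "wa": ["wsignin1.0"],
        "wresult": ["<t:RequestSecurityTokenResponse ... />"],
        "wctx": [wctx],
    }
    return recover_vendor_id(posted_form, key)


if __name__ == "__main__":
    vid = str(uuid.uuid4())
    print("honest round trip recovers VendorId:", simulate_round_trip(vid) == vid)
    print("tampered round trip rejected:", simulate_round_trip(vid, tamper_with=str(uuid.uuid4())) is None)
```

Without the tag, `recover_vendor_id` would have no way to tell the two runs apart, which is the point of the warning above. The tag also does not make the GUID confidential: it is visible to the user in both the redirect and the POST, and a tagged wctx captured from one session could be replayed in another unless the RP additionally binds it to a per-session nonce.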
  • Yes, you are correct. I want to pass VendorId from the RP to ACS and, after login, get it back.

    Like you mentioned sending data using wctx or context won't be secure.

    Not sure, but how about creating an R-STS which sits in the middle between ACS and the RP? I can then play with additional claims before sending data to ACS or the RP.

    Trust:

    R-STS will be relying party of ACS.

    RP will be relying party of R-STS.

    Request will go like this:

    RP -- R-STS -- ACS 

    Response flow will be:

    ACS -- R-STS -- RP


    28 February 2012 10:34
  • You can certainly use an RP-STS to solve this issue, provided the RP-STS knows the VendorId. ACS doesn't provide a mechanism for the RP to send it data other than through the user's browser, so you really don't have any other options if the value needs to be secure.
    • Marked as answer by MingXu-MSFT (Microsoft), 2 March 2012 8:32
    29 February 2012 0:10
  • Hi Oren,

    Sorry for the late response, as I was away. I will create an RP-STS which knows VendorId, as it's the only secure way to solve the issue.

    Thanks a lot for the help!

    -Piyush

    • Edited by Piyush Thacker, 12 March 2012 14:11
    12 March 2012 13:13