How to pass a SAML token from a web site to a backend WCF service

    Question

  • In my scenario there is a front-end asp.net Web site that uses ACS to log the user on. It then needs to talk to a WCF service, and the identity needs to flow to the WCF service so that it can make authorization decisions. I've been reading the related threads and most of them point to using WS-Trust ActAs to obtain a new token and pass that to the WCF service. ACS does not support WS-Trust ActAs. So, should I be using a custom STS that supports ActAs?

    I have seen some other posts - assuming the Web site and the WCF service are within the same trust boundary - that suggest holding on to the bootstrap token in the asp.net web site and then using CreateChannelWithIssuedToken to set up the WCF channel, assuming the certs/keys used by both RPs are the same. I was not able to find a success story with this approach though. Issues around the token being a bearer token, the derived key token not being able to derive a key from the secret, etc... Is this approach doable, and is there sample code that shows how to do this?

    Thursday, December 15, 2011 5:30 PM

All replies

  • Hi Gokmeng, Is the WCF service invoked only by your website, or is it going to be invoked from outside too? If it is only from the website, then why do you need to authorize multiple times? You authorize only at the Web site and pass that information directly to the WCF service. Create a secured channel between your site and the WCF service and allow requests to WCF only from the website.
    Friday, December 16, 2011 4:03 AM
  • The WCF service needs the user identity/claims to be able to make authorization decisions. This information could be passed from the web site to the service as part of the interface contract once a secure channel is created. Is this what you are saying?

    Friday, December 16, 2011 5:44 AM
  • Hi,

    If that WCF fully trusts the ASP.NET application, ASP.NET app can pass identity data directly to WCF. A typical scenario is they are both written by you and maybe hosted by the same IIS..

    However in most cases this is not a secure solution as the intermediate ASP.NET app may send any identities to WCF without the awareness of the client.

    So I would still recommend using a custom STS to do this.



    Allen Chen [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Friday, December 16, 2011 9:59 AM
  • Hi,

    Thanks Allen. Are there any plans for ACS to support ActAs?

    BTW, while experimenting I also got the bearer token working in this scenario once I configured both RPs to use the same certs and configured WCF service to accept bearer tokens. 


    Saturday, December 17, 2011 2:30 PM
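    The bearer-token approach described in the question and in the reply above, as an added example that is not code from the thread or from Microsoft. It assumes WIF 3.5 (the Microsoft.IdentityModel assembly), an ASP.NET site configured with saveBootstrapTokens="true" so the SAML token issued by ACS is kept on the IClaimsIdentity, and that both RPs (the web site and the WCF service) share the same service certificate so the service can decrypt the token that was encrypted for the web site. The contract IOrderService, the address https://backend.example.invalid and the thumbprint placeholder are hypothetical. Note that because the token was issued to the web site's audience URI, the service must list that URI among its allowed audiences, and the call only works while the original bootstrap token is still within its validity period.

```csharp
// Added example, not from the forum thread. Assumes WIF 3.5 (Microsoft.IdentityModel).
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust; // CreateChannelWithIssuedToken / ConfigureChannelFactory
using Microsoft.IdentityModel.Tokens;

[ServiceContract]
public interface IOrderService           // hypothetical contract
{
    [OperationContract]
    string WhoAmI();
}

// Binding shared by both sides: SAML 2.0 bearer token over TLS, no proof key, no secure conversation.
// Using BearerKey is what avoids the "derived key token cannot derive key from secret" error:
// a bearer token carries no symmetric proof key to derive from.
public static class BearerFederation
{
    public const string SamlV2TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    public static WS2007FederationHttpBinding CreateBinding()
    {
        var binding = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.IssuedTokenType = SamlV2TokenType;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }
}

// ASP.NET side: forward the user's bootstrap token (the ACS-issued SAML token) to the service.
public static class BackendClient
{
    const string ServiceAddress = "https://backend.example.invalid/OrderService.svc"; // hypothetical

    public static string CallWithBootstrapToken()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || identity.BootstrapToken == null)
            throw new InvalidOperationException(
                "No bootstrap token; set saveBootstrapTokens=\"true\" in <microsoft.identityModel>.");

        SecurityToken token = identity.BootstrapToken;
        var factory = new ChannelFactory<IOrderService>(
            BearerFederation.CreateBinding(), new EndpointAddress(ServiceAddress));
        factory.ConfigureChannelFactory();                       // hook WIF into the WCF client pipeline
        IOrderService channel = factory.CreateChannelWithIssuedToken(token);
        try
        {
            return channel.WhoAmI();
        }
        finally
        {
            ((IClientChannel)channel).Close();
            factory.Close();
        }
    }
}

// WCF side: accept the bearer token, but still verify the ACS signature, the audience and the
// token lifetime; the service never takes the intermediary's word for who the user is.
public static class BackendHost
{
    public static ServiceHost Create(Type serviceType, X509Certificate2 sharedRpCertificate)
    {
        var host = new ServiceHost(serviceType);
        host.AddServiceEndpoint(typeof(IOrderService), BearerFederation.CreateBinding(), "");

        var config = new ServiceConfiguration();
        config.ServiceCertificate = sharedRpCertificate;        // same cert as the web site RP
        // Token was issued for the web site's realm, so that realm must be an allowed audience.
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://www.example.invalid/"));
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer("<ACS-SIGNING-CERT-THUMBPRINT>", "https://<namespace>.accesscontrol.windows.net/");
        config.IssuerNameRegistry = issuers;

        FederatedServiceCredentials.ConfigureServiceHost(host, config);
        return host;
    }
}
```

    Inside the service, the caller's claims are then available through Thread.CurrentPrincipal as an IClaimsPrincipal for authorization decisions. The trade-off Allen raises still applies: the service trusts the web site to forward the user's own token rather than someone else's, which is why the two RPs have to sit inside one trust boundary.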
  • Hi,

    Thanks Allen. Are there any plans for ACS to support ActAs? 


    Unfortunately nothing can be disclosed on the forum. You are welcome to submit a feature request:

    http://www.mygreatwindowsazureidea.com/forums/34192-windows-azure-feature-voting

    The more customers have this requirement the more likely we may support it.


    Allen Chen [MSFT]

    Monday, December 19, 2011 1:48 AM