Using ACS with ServiceBus - claims not passed through to service host?

Question

This is the same problem as encountered here (with no resolution).  I'm running a WebServiceHost serving a ServiceBus URL (e.g. https://<name>.servicebus.windows.net) that is protected by ACS.  I can configure new issuers/rules for Listen and Send through AcmBrowser and connect no problem. The problem is I can't get "custom" claims to be accessible on the server side host - operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets is always empty, even though I can see my custom claims in the client-side token from ACS that is used to connect to the servicebus service.  Shouldn't those get passed through to my service implementation?

Answer 1

This seems to be by design. ServiceBus will not reveal the identity of the caller to the Service Host. If you need to authenticate the user at ServiceHost also then you need to sign the message with ClientCredentials and get it authenticated by the ServiceHost. So there will be two authentications one by ServiceBus and another done by your service.

---

Venkatesh Bhupathi

Answer 2

Try using REST based call to ACS from the client and post the SWT to service, other than using passive call. That will solve your problem.