ACS "Passive-Active" scenario and an ASP.NET MVC WebAPI REST service


  • I'm completely new to ACS, Windows Identity Foundation, and ASP.NET MVC WebAPI in general, I've been playing around with it to try to figure some things out. I've written a simple ASP.NET MVC WebAPI REST service at that, when accessed via GET, just returns the user's claims. I've set up ACS as the FP for the service using the "Add STS Reference" in VS, and configured the application as an RP in the ACS management portal.

    While I can test this works in a browser, it's really a web service, so I would expect to consume it with non-browser applications (thick client, mobile, js application, etc.).

    Since I configured Google as an IdP, I've studied some of the "passive-active" samples for doing this in, say, a mobile application (for example, the WIF training kit has the ACS and Windows Phone 7 example for a scenario much like this). Basically, the "passive-active" scenarios rely on telling ACS to use a "javascriptnotify" "protocol" (as opposed to WS-Federation) to raise a javascript event on an embedded browser control, allowing the client to grab the token returned from ACS.

    I've successfully created a WPF client that does the above, I can see the contents of my ACS token... my question is, how do I take the ACS token I've retrieved and pass it to my REST service? Several of the tutorials, labs, and walkthroughs on MSDN have several different ways of passing the token in the Authorization header when making a call to my REST endpoint. All the examples I've seen use SWT tokens, but what if I've configured ACS to return a SAML token? I'm just making an HTTP REST call, so presumably I just need to pass the token in the "Authorization" header when I make my REST call, but nothing seems to work (I get the standard ACS 302 redirect to the ACS sign in page).

    Tuesday, May 22, 2012 3:36 AM