WIF Active Federation Scenario

  • Question

  • I am trying to use active federation in the following scenario:

    1 WIF STS

    2 WCF Relying Parties (let's call them A and B)

    1 WCF Client application (not web)

    I would like my client application to request a token, and then use it to make a call to a service at the relying party A.  So far, this part works fine.  However, now I'd like to add a feature in RP A to call a service at RP B, without requesting a new token from the STS.

    I've attempted to add a custom Saml11SecurityTokenHandler to service A that will simply grab the incoming SamlSecurityToken object and attach it to the outgoing request to service B by using custom client credentials, manager, and provider.  However, this results in the following error while trying to call service B.  Any ideas on how to fix this issue or suggestions on a different strategy will be appreciated.  Thanks!

    EDIT: Diagram & Code samples added

    Code Sample: 

      https://gist.github.com/dotnetdan/e638c561c7fb606d32dc

    Exception details & Stack trace:

      https://gist.github.com/dotnetdan/b1baa2ddddecb6d11029

    Tuesday, May 27, 2014 4:34 PM

All replies

  • Hello,

    I am moving it to the WCF forum so you can get better help.

    Regards.



    Wednesday, May 28, 2014 1:56 AM
  • Hi,

    In my mind, a simple active federation scenario is illustrated in Figure 1. This scenario involves a Windows client application (the requestor), a WCF service (the relying party, or RP), and an STS belonging to the RP domain (RP-STS). As the figure shows, the client uses a WCF proxy to coordinate first authenticating to the RP-STS, then requesting a security token, and then calling the RP, passing the issued security token along with the request.

    As for your question, since you did not post the code here, please check whether the following example helps you:
    #Active Federation with Windows Identity Foundation:
    http://www.ryanmwright.com/2011/09/09/active-federation-with-windows-identity-foundation/ .

    Best Regards,
    Amy Peng



    Wednesday, May 28, 2014 6:14 AM
  • Here is a diagram.  I currently have a custom built WIF STS, a client wcf application, and a front end wcf service.  It works fine using active federation.  Where I'm having trouble is getting the front end service to call the back end service, using the same token that it received from the client.


    I read the link you provided, but it doesn't seem to cover this particular scenario.  I haven't been able to find any articles or code samples describing this scenario actually.  The closest thing I've found was about using Identity Delegation with ADFS, but I am not using ADFS and unlike Identity Delegation I do not wish to retrieve a new token.

    Wednesday, May 28, 2014 2:59 PM
  • I've added a link to the samples of the code we are using in the original question, and added the diagram there too.
    Wednesday, May 28, 2014 4:17 PM
  • After re-reading about Identity Delegation for ADFS, I'm starting to see that this would be an alternate way to handle my situation.  It does require an extra call to the STS from the front end service, and it would require me to update my STS to handle ActAs tokens.  Can someone please verify if the scenario I illustrated in my diagram is even valid?  I don't know if ActAs tokens are the only valid way to handle this scenario or not.
    Wednesday, May 28, 2014 8:52 PM
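The two strategies discussed in this thread, as an added example that is not the original poster's gist and not WIF code: a toy Python model of an STS and two relying parties. In the first strategy (the one from the question) RP A attaches the client's token unchanged to its call to RP B, and B rejects it because the token's audience is A; WIF performs this check as AudienceRestriction against the configured audienceUris. In the second strategy (the ActAs alternative from the last post) RP A authenticates as itself and sends the incoming token to the STS as ActAs; the STS verifies it, checks a delegation policy, and reissues a token for B whose subject is still the client and which records A in the delegation chain. The identities (alice@example.test, urn:rp:A, urn:rp:B), the HMAC stand-in for the SAML signature and the delegation policy are constructed assumptions, not the poster's configuration, and the exception in the poster's gist is not reproduced here.

```python
"""Toy model of WS-Trust token forwarding vs. ActAs delegation (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for the toy STS; a real STS signs with an X.509 private key.
STS_SIGNING_KEY = b"constructed-sts-signing-key"

CLIENT = "alice@example.test"   # constructed client identity
RP_A = "urn:rp:A"                # constructed audience URI of the front-end service
RP_B = "urn:rp:B"                # constructed audience URI of the back-end service


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Serialize the claims and append an HMAC tag (stand-in for the SAML signature)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str) -> dict:
    """Check the STS signature and return the claims; raise on tampering."""
    body_b64, tag_b64 = token.split(".")
    body = _unb64(body_b64)
    expected = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag_b64)):
        raise ValueError("bad signature")
    return json.loads(body)


class Sts:
    """Toy STS. delegation_policy maps a requester to the audiences it may ActAs toward."""

    def __init__(self, delegation_policy: dict):
        self.delegation_policy = delegation_policy

    def issue(self, requester: str, applies_to: str, act_as: Optional[str] = None) -> str:
        if act_as is None:
            # Plain RST: the authenticated requester becomes the subject.
            return sign_token({"sub": requester, "aud": applies_to, "act_as": []})
        # ActAs RST: validate the presented token, enforce who may delegate to whom,
        # then reissue for the new audience with the delegation chain recorded.
        inner = verify_token(act_as)
        if applies_to not in self.delegation_policy.get(requester, set()):
            raise PermissionError(f"{requester} may not act as others toward {applies_to}")
        return sign_token({"sub": inner["sub"], "aud": applies_to,
                           "act_as": inner["act_as"] + [requester]})


class RelyingParty:
    def __init__(self, audience: str):
        self.audience = audience

    def accept(self, token: str) -> dict:
        claims = verify_token(token)
        # Audience restriction: a token issued for A must not be honoured by B.
        if claims["aud"] != self.audience:
            raise ValueError(f"audience {claims['aud']} is not {self.audience}")
        return claims


def forward_same_token(sts: Sts, rp_a: RelyingParty, rp_b: RelyingParty) -> str:
    """Strategy from the question: A attaches the client's own token to its call to B."""
    token_for_a = sts.issue(CLIENT, RP_A)
    rp_a.accept(token_for_a)
    try:
        rp_b.accept(token_for_a)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def delegate_with_act_as(sts: Sts, rp_a: RelyingParty, rp_b: RelyingParty) -> dict:
    """ActAs alternative: A authenticates as itself and asks the STS for a token for B."""
    token_for_a = sts.issue(CLIENT, RP_A)
    rp_a.accept(token_for_a)
    token_for_b = sts.issue(RP_A, RP_B, act_as=token_for_a)
    return rp_b.accept(token_for_b)


if __name__ == "__main__":
    sts = Sts({RP_A: {RP_B}})
    a, b = RelyingParty(RP_A), RelyingParty(RP_B)
    print(forward_same_token(sts, a, b))   # rejected: audience urn:rp:A is not urn:rp:B
    print(delegate_with_act_as(sts, a, b))  # sub is the client, act_as chain is [urn:rp:A]
```

Two points the model makes explicit: B trusts only the STS signature, never A, so A cannot mint or alter a token for B on its own; and the STS, not B, decides which services may delegate (the policy dict), which is the "update my STS to handle ActAs tokens" work the last post anticipates.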