How to create Custom SecurityToken on server side

Question
How to create custom security token on server side? Provide it to client from method call?
ajit
Monday, January 3, 2011 7:00 PM
All replies
Are you trying to write an entire custom Security Token Service (STS)?
If so, then refer to this (which is still valid for the released version of WIF):
and this:
If you aren't writing an STS, then give me some more details and I'll get you an answer.
Richard Costleigh [SDET2, MS]
Monday, January 3, 2011 7:12 PM

No I am not considering custom STS.
I want to return encrypted security token to client from server and then send that security token to different server and use it on that server (2nd server will have the same certificate). I don't want client to be able to read or modify the token contents.
ajit
Monday, January 3, 2011 7:33 PM

But that's exactly what an STS is doing. In fact that is much simpler than handcrafting your own SAML tokens.
Have a look at the SDK - it contains a simple STS. Or have a look here: http://startersts.codeplex.com
Dominick Baier | thinktecture | http://www.leastprivilege.com
Tuesday, January 4, 2011 12:43 PM

Yes I did look at it but I want to have more control over the token generated based on information supplied by client. I could not figure out a way to include these details in the request.
ajit
Tuesday, January 4, 2011 1:47 PM

When using WSTrustChannelFactory from WIF you can include arbitrary information in the RST. There's also a sample in the SDK.
If you wanna go the custom WCF service way - you have to populate a SecurityTokenDescriptor class and pass that to the SamlxxSecurityTokenHandler's CreateToken method.
But I can tell you that this is not trivial - when you want to use the token for back-end WCF services you also have to deal with proof keys e.g.
Dominick Baier | thinktecture | http://www.leastprivilege.com
Marked as answer by chintapali Tuesday, January 4, 2011 6:50 PM
Tuesday, January 4, 2011 1:55 PM
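
The descriptor-and-handler route described in the accepted answer, as an added example that is not part of the original thread or the WIF SDK samples. It assumes the System.IdentityModel types in .NET Framework 4.5 rather than the WIF 1.0 SDK assemblies, picks Saml2SecurityTokenHandler as the SAML handler, and uses placeholder issuer, audience and claim values. It issues a bearer token (no proof key), signed so it cannot be modified and encrypted to the consuming server's certificate so the client cannot read it.

```csharp
// Added example: assumes .NET Framework 4.5+ with a reference to System.IdentityModel.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

public static class TokenIssuer   // hypothetical helper name
{
    public static string IssueEncryptedSaml2Token(
        X509Certificate2 signingCert,     // issuing server's cert, private key required
        X509Certificate2 encryptingCert,  // cert of the server that will consume the token
        string subjectName)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            TokenIssuerName = "urn:example:issuer",                 // placeholder
            AppliesToAddress = "https://backend.example/service",   // placeholder audience
            // Short lifetime limits how long a captured token can be replayed.
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(10)),
            Subject = new ClaimsIdentity(new[]
            {
                new Claim(ClaimTypes.NameIdentifier, subjectName),
                new Claim(ClaimTypes.Role, "orders.read")           // constructed sample claim
            }),
            // Signature: the client cannot alter the token without detection.
            SigningCredentials = new X509SigningCredentials(signingCert),
            // Encryption: only the holder of encryptingCert's private key can read it.
            EncryptingCredentials = new EncryptedKeyEncryptingCredentials(encryptingCert)
            // Proof is left unset, so this is a bearer token; holder-of-key
            // tokens need a ProofDescriptor here.
        };

        var handler = new Saml2SecurityTokenHandler();
        SecurityToken token = handler.CreateToken(descriptor);

        var xml = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (var writer = XmlWriter.Create(xml, settings))
        {
            handler.WriteToken(writer, token);   // emits an EncryptedAssertion element
        }
        return xml.ToString();
    }
}
```

The receiving server must validate the signature, issuer, audience and lifetime after decrypting; encryption alone only hides the contents from the client.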