Identity Delegation Doubt

  • Question

  • Hi,

    I am having some doubts with the Identity Delegation Sample that comes with the Geneva framework. I warn you that I am not an expert in WCF (I have very basic knowledge), which is probably causing me some trouble.

    As I see it, when the user browses to the WFE (web front end), it is redirected to the passive STS, which authenticates the user by Windows authentication and gives him the signed token. With that the user goes back to the WFE, where he wants to invoke service 2. For that the WFE needs to send the user's claims to service 2; here is where identity delegation takes place. The WFE needs to authenticate with an IP (identity provider, also an STS) that service 2 trusts. For this it uses WS-Trust to communicate with the "STS" (an active STS), sending the user's bootstrap token in order to create the token with the claims of both the user and the WFE. The "STS" authenticates the WFE by Windows authentication and generates the corresponding token, which is finally used by the WFE to invoke service 2.

    The questions are:

    1) The WFE sends the token that was issued by the passive STS and delivered by the user to the "STS" (the active STS). Does the WFE decrypt the token first? Because the active STS needs to have access to the claims in that token.

    2) I can't find a place where this is explained step by step, especially the configuration, which, at least for me, is quite complex. Can you tell me where I can get any information so I can understand how this sample is configured?

    3) The "STS" is authenticating the WFE by Windows authentication. I would like to know what I should do if I want the "STS" to authenticate the WFE with certificates or username/password. As I don't understand the configuration, I don't even know where to start :(

    4) I think that in this sample the service proxy was generated with svcutil, and the channel factory that is used to create the channel acting as the user uses this proxy. Can I add the service as a service reference, as it is quicker to update the proxy when the service is constantly changing? Can you please explain to me how to do it this way?

    I would REALLY appreciate your help, as I am working on a project for the University that uses all this stuff and I am quite stuck.

    Thank you in advance.
    Regards,

    Juan Andrés
    Wednesday, 4 November 2009 21:23
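The delegation hop the post describes (WFE takes the user's bootstrap token, asks the active STS for an ActAs token, then calls service 2 with it), as an added example that is not code from the sample or the original post. It is written against the released WIF 1.0 `Microsoft.IdentityModel` API that the Geneva framework became; the `IService2` contract, the endpoint addresses and `CallService2` are placeholders, and `saveBootstrapTokens="true"` must be set in the WFE's `<microsoft.identityModel>` configuration for `BootstrapToken` to be non-null.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

// Placeholder contract for "service 2"; the sample uses its svcutil-generated proxy instead.
[ServiceContract]
public interface IService2 { [OperationContract] string Echo(string s); }

public static class DelegationClient
{
    // Placeholder addresses; the sample's real endpoints live in its config files.
    const string ActiveStsAddress = "http://localhost/PLACEHOLDER/ActiveSts";
    const string Service2Address  = "http://localhost/PLACEHOLDER/Service2";

    // Step 1: the WFE reads the token the passive STS issued to the browser user.
    // It is only retained when saveBootstrapTokens="true" is set for the WFE.
    static SecurityToken GetBootstrapToken()
    {
        var identity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        if (identity.BootstrapToken == null)
            throw new InvalidOperationException("No bootstrap token; enable saveBootstrapTokens.");
        return identity.BootstrapToken;
    }

    // Step 2: WS-Trust Issue request to the active STS, carrying the user's token in ActAs.
    // The WFE itself is authenticated by the binding's Windows credential, as in the sample;
    // switching to a certificate or username binding changes only this binding choice.
    static SecurityToken RequestDelegatedToken(SecurityToken bootstrapToken)
    {
        var binding = new WindowsWSTrustBinding(SecurityMode.Message);
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(ActiveStsAddress));
        factory.TrustVersion = TrustVersion.WSTrust13;
        var rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(Service2Address),
            ActAs = new SecurityTokenElement(bootstrapToken)
        };
        return factory.CreateChannel().Issue(rst);
    }

    // Step 3: invoke service 2 with the delegated token (user + WFE claims) attached.
    public static string CallService2(string message)
    {
        var token = RequestDelegatedToken(GetBootstrapToken());
        var factory = new ChannelFactory<IService2>(new WS2007FederationHttpBinding(),
                                                    new EndpointAddress(Service2Address));
        factory.ConfigureChannelFactory();          // WIF extension: federated client credentials
        return factory.CreateChannelWithIssuedToken(token).Echo(message);
    }
}
```

The WIF extension `CreateChannelActingAs<T>(bootstrapToken)` on a federation-bound `ChannelFactory<T>` performs steps 2 and 3 in one call using the issuer configured in the binding; the explicit version above makes the two hops visible.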