AppFabric + SAML Tokens (via ADFS): How do I verify the integrity of tokens sent from ADFS?


  • Suppose I'm an ISV who wants to sell software that connects via the service bus. I'm interested in selling software, and am not interested in incurring the cost/risk of a client who creates too many listeners/hosts on the AppFabric. Therefore, my client is responsible for acquiring and paying for the AppFabric account. I just want to be responsible for software maintenance.

    My ultimate goal is to control the features available to each user via a claim sent by ADFS. These claims will unlock features very similar to the Identity Training Kit's 10 Day Weather sample.

    In this 2-STS system (I don't know the proper term for this), how does the host verify the integrity of the claims that are sent by the ADFS server if the ACS is considered non-authoritative for claim information?
    Can I just have an encrypted payload (sent as a claim) that is later verified, or is there an innate feature of SAML/ACS/WS-Trust/WIF I could take advantage of?

    Wednesday, June 16, 2010 4:00 AM
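    The "verified payload sent as a claim" idea raised in the question, shown as an added example that is not from the thread or from ADFS/WIF. It assumes a secret shared only by the ADFS claims issuer and the host software (hypothetical names, constructed values); an intermediary such as ACS that never holds the key can forward the claim but cannot alter or mint it without the host rejecting it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: held by the ADFS claims issuer and the host only.
ISSUER_KEY = b"constructed-demo-key-replace-with-a-real-secret"
ISSUER = "https://adfs.example.invalid/trust"  # hypothetical issuer id


def _encode(payload):
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def issue_feature_claim(user, features, key, ttl=3600, now=None):
    """Build the value of one 'features' claim: base64url(JSON) + '.' + HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    body = _encode({"sub": user, "iss": ISSUER, "features": sorted(features), "exp": now + ttl})
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_feature_claim(claim, key, now=None):
    """Return the feature list if the claim is intact, unexpired and from ISSUER; else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = claim.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, TypeError):
        return None
    if payload.get("iss") != ISSUER or payload.get("exp", 0) <= now:
        return None
    return payload["features"]


def rewrite_claim_without_key(claim, new_features):
    """Constructed demo of an intermediary editing the payload while lacking the key: the old tag no longer matches."""
    body, tag = claim.split(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    payload["features"] = sorted(new_features)
    return _encode(payload) + "." + tag
```

The host checks the tag before it reads any feature, so a pass-through claim edited in transit, a claim signed with another key, or an expired claim all yield None rather than a feature list.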

All replies

  • I am not sure I understand. What do you mean with integrity?

    I assume only "registered" ADFS tokens can be sent to the ACS. ACS would then forward them to the service.

    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Wednesday, June 16, 2010 7:38 PM
  • I'm not sure if it's possible for the ACS, which is owned and operated by someone who I don't directly trust, to alter or create false assertions that my ADFS server does not create.

    I would like my host (who is using the service bus) to act upon claims that my ADFS server makes, and not those that are created by ACS. The whole reason for this weird topology is because I don't want to absorb the cost of the AppFabric connection count in my model. I'd rather have those customers who need it pay for it. Plus, reselling the ACS as it is today isn't very appealing. There is no way for me to throttle connections used per listener/host, etc.

    Wednesday, June 16, 2010 11:41 PM
  • So why do you want to use ACS at all, and the service bus? What does that buy you? Is it really customer friendly to require them to use the SB?
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Friday, June 18, 2010 4:47 AM
  • I'm actually only interested in the SB, not ACS per se. My understanding is that ACS is a requirement. Also, the SB is opt-in, for those whose infrastructure requires it. Since I'm offering a free service, those who need that connectivity need to pay their own way with Azure AppFabric.

    All other customers will use WS-Trust to my ADFS server to my service. 


    Saturday, June 19, 2010 1:50 PM