First some background:
We were recently tasked to send a SAML 2.0 assertion to the server that we are communicating with. We are using WCF for our client. The server is not using WCF. The guys who implement the server, don't have an STS that will issue a SAML assertion. We are trying to use WIF framework because it supports SAML 2.0 tokens.
Is it possible to send a SAML 2.0 assertion with the message from the client without getting the SAML2 token from an STS? If it is can someone please post some sample code on how to do this with WCF and Windows Identity Foundation? I looked around and could not find anything.
Does anyone have any examples with a client getting a SAML2.0 token from an STS and then sending that token with an assertion to a server app?
Windows Identity Foundation (WIF) is a rich identity model framework designed for building claims-based applications and services and for supporting active and passive federated security scenarios.
It provides a set of ASP.NET controls that help developers create web pages in claims-aware applications. It includes a utility that helps developers translate between claims and NT tokens, so that claims-aware applications can be used to access resources that require NT-Token based identity.
Windows Identity Foundation (WIF) is a new extension to the Microsoft .NET Framework that makes it easy for developers to enable advanced identity capabilities in .NET Framework applications.
Basically this is to SAML-P what WS-Trust is to WS-Federation. WIF does not support SAML-P, although some time ago an extension to WIF that adds SAML 2.0 support was CTP'ed but has not taken off since then. Here you can see the announcement:
After working to get ADFS 2.0 working with SAML tokens, it appears as though there is a rarely documented inadequacy with ADFS in terms of the confirmation type of the SAML 2 tokens that can be issued. AFAIK, only BEARER type tokens are supported, which limits the scope of ADFS 2 in scenarios where Sender-Vouches or Holder-of-Key is required.
As was discussed in the previous section, we have seen how identity and access support in .NET passed through multiple stages, from the simple IsInRole checking, to claims support in WCF 3.0, to WIF 1.0 and then to .NET 4.5. WIF 4.5 is where this ends (and the new work begins!).
In the Local Development STS tab, you should set the token format to SAML 2.0; you may leave the port number as is. In the area entitled, "Test claims to issue:" you will see a collection of claims that will be added to the token. You may edit the values, delete them, or add new ones to this claims collection.
You could try having a look at thinktecture starter STS. It comes with source code so you could pick out the bits that create the SAML token.
And from this answer you do not need a STS.
I'm assuming you wanted to use standard WS-Security mechanism to attach a SAML token with the SOAP message? Your question is essentially a two part one:
How to get the token - you will probably create it yourself? See this link for how to do this. http://www.leastprivilege.com/UsingSAMLAsAClientCredentialTypeInWCFWithGeneva.aspx
How to send the token to the service as part of the SOAP message? You can attach a SAML token to a WCF channel by using the WSTrustChannelFactory class. http://msdn.microsoft.com/en-us/library/ee517268.aspx
hope that helps, Zulfiqar
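The two steps from the answer above, as an added example that is not code from the post or from WIF's documentation. It assumes the .NET 4.5 WIF namespaces (System.IdentityModel, System.ServiceModel), a hypothetical IEchoService contract standing in for the real service contract, a client signing certificate whose issuer the service trusts, and attaches the locally created bearer assertion with ChannelFactory.CreateChannelWithIssuedToken rather than fetching one from an STS.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract; the real one comes from the service's WSDL.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public static class SamlBearerClient
{
    const string Saml2TokenType = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Step 1: build and sign the SAML 2.0 assertion locally, no STS involved.
    // The service must trust the issuer of signingCert, or it will reject the token.
    public static SecurityToken CreateSaml2Token(X509Certificate2 signingCert, string serviceAddress)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            TokenType = Saml2TokenType,
            TokenIssuerName = "urn:example:client-issuer",     // placeholder issuer name
            AppliesToAddress = serviceAddress,                  // audience restriction
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)), // short-lived
            SigningCredentials = new X509SigningCredentials(signingCert),
            Subject = new ClaimsIdentity(new[]
            {
                new Claim(ClaimTypes.Name, "alice"),            // constructed sample claims
                new Claim(ClaimTypes.Role, "Reader")
            })
        };
        return new Saml2SecurityTokenHandler().CreateToken(descriptor);
    }

    // Step 2: put the assertion in the WS-Security header of every call on the channel.
    public static string CallWithToken(SecurityToken token, string serviceAddress)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey; // bearer: no proof key
        binding.Security.Message.IssuedTokenType = Saml2TokenType;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new ChannelFactory<IEchoService>(binding, new EndpointAddress(serviceAddress));
        factory.Credentials.SupportInteractive = false;         // never prompt for an STS; there is none
        IEchoService channel = factory.CreateChannelWithIssuedToken(token);
        return channel.Echo("hello");
    }
}
```

Because the key type is bearer, TLS on the transport is what stops the assertion from being replayed by anyone who observes it; keep the lifetime short and the audience set.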