So, I'm creating an ASP.NET MVC application to be hosted in Azure. It's currently authenticating users via Azure ACS which delegates to a number of IdPs of clients for the application.

The application now needs to call into a WCF service to display some information, but the services need to be secured. I had originally thought to use the WS-Trust protocol and pass the identity through the application using an "ActAs" token, however Azure ACS 2.0 will not issue tokens of this type.

How can I obtain an access token for the services based on the user's current identity? I can go back to the ACS for additional tokens, but the system mustn't prompt the user to provide credentials each time.

Paul Turner
  • Does this help: http://code.msdn.microsoft.com/windowsazure/Federate-Windows-Live-ID-556ad976? – Jude Fisher Nov 30 '12 at 13:33
  • I had considered the idea of producing a custom STS, but it seems a very heavy-handed approach. – Paul Turner Nov 30 '12 at 13:37
  • Agreed - all of delegating a federated identity looks a bit long-winded. I'm sure you've seen this, which would at least give you an off the shelf start on a custom STS: http://thinktecture.github.com/ – Jude Fisher Nov 30 '12 at 13:41
  • @JcFx You ought to add this stuff as an answer; it's a solution that's worth up-voting, even if I choose not to follow it. – Paul Turner Nov 30 '12 at 13:50

1 Answer

I think the recommended way is identity delegation, using a custom STS, as in this example: http://code.msdn.microsoft.com/windowsazure/Federate-Windows-Live-ID-556ad976

To quote from the description:

In this sample we will walk you through building an application that federates and delegates the Windows Live ID claims. The application makes use of a custom security token service that exposes a WS-Federation passive endpoint (default.aspx) and also exposes a WS-Trust active endpoint (ActAsIssuer.svc). The passive endpoint federates to Windows Azure Access Control Service (ACS) and the active endpoint will consume the bootstrap token and issue additional claims for that user. Here is a summarized diagram of the application architecture: [architecture diagram not reproduced here]

The ThinkTecture Identity Server might give you a leg up in deploying your own custom STS, or the classes in the IdentityModel from the same developer may help - there's a specific set of helpers pertaining to WCF security and WS-Trust. (Links are for the latest versions, for .NET 4.5 - there are earlier versions as well).

Jude Fisher
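As an added illustration (not code from the question or the linked MSDN sample), this is how the MVC application would ask such a WS-Trust active endpoint for a delegated token with WIF on .NET 4.5: it takes the bootstrap token ACS issued to the web app and sends it as ActAs, authenticating to the STS with the app's own certificate. The STS URL, service URL and certificate subject name are placeholders, and `saveBootstrapContext="true"` is assumed in `<system.identityModel><identityConfiguration>`.

```csharp
// Added example, not from the question or the linked sample. Assumes a WIF
// session exists, saveBootstrapContext="true" is configured, and the custom
// STS exposes a WS-Trust 1.3 endpoint that honours ActAs from this caller.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class DelegatedTokenClient
{
    // Placeholder addresses; replace with the real STS and service endpoints.
    private const string StsAddress = "https://sts.example.invalid/ActAsIssuer.svc";
    private const string ServiceAddress = "https://api.example.invalid/Data.svc";

    // Returns a token for the downstream service that carries the signed-in
    // user's identity, without prompting the user for credentials again.
    public static SecurityToken GetActAsToken(ClaimsPrincipal principal)
    {
        // The bootstrap token is the original ACS token for this session; WIF
        // only keeps it when saveBootstrapContext is enabled.
        var identity = (ClaimsIdentity)principal.Identity;
        var bootstrap = identity.BootstrapContext as BootstrapContext;
        if (bootstrap == null || bootstrap.SecurityToken == null)
            throw new InvalidOperationException("No bootstrap token; enable saveBootstrapContext.");

        // The web app proves its own identity to the STS with a certificate; the
        // STS should only accept ActAs from callers it has been configured to trust.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsAddress))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "webapp-client"); // placeholder subject

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(ServiceAddress),
            KeyType = KeyTypes.Symmetric,
            ActAs = bootstrap.SecurityToken   // the user's token rides along as ActAs
        };

        return factory.CreateChannel().Issue(rst);
    }
}
```

The returned token is then attached to the WCF service proxy (for example via `ChannelFactory<T>.CreateChannelWithIssuedToken`), and the service's own WIF configuration must list the custom STS as a trusted issuer for the token to be accepted.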