
we currently have some WCF services which use active authentication with ACS, which are currently used like so:

  • user calls our legacy api, with username and password in custom message format in POST request.
  • API then calls other WCF services providing this username and password in the request, which authenticates with ACS to get the token the service needs

we want to implement the following:

  • user calls our legacy api, with username and password in custom message format in POST request.
  • strip user name and password in API and contact ACS using these as credentials of service identities, getting a SAML token in response
  • API then calls a WCF service providing this SAML token in the request

I am reading up on what needs to be done in order to accomplish this, but most of the samples/examples I have read talk about getting SWT tokens from the azure ACS service, and not getting SAML tokens.

Is this because they are out of date, and that a similar approach will work in ACS 2.0 to get SAML tokens?

Or is this not supported? (presumably it must be as WCF accomplishes it)

Does anyone have any examples of how to do this?

Sam Holder
  • Maybe have a look here: http://stackoverflow.com/questions/8811626/does-azure-acs-support-saml-2-0-idps-like-salesforce – Stefan Rasmusson Jan 26 '13 at 11:59
  • Thanks stefan. I've already looked at that. It's more related to configuring a federation with another identity provider as I understand it. I want to be able to get the tokens from acs myself (so I can cache them) and we want to use saml 2.0 tokens. – Sam Holder Jan 26 '13 at 14:10
  • For the record, as far as I know, this is active authentication and not passive authentication (which relies on browser redirects), not that it matters much :-) more importantly - there are two possible flaws with your approach - the main one is that tokens should be generated for a particular service and, generally speaking, should not be used for multiple services; secondly, they also should have a relatively short time-to-live to protect against replay attacks. if you use WIF, the proxy will cache the received token per service as long as possible out-of-the-box. – Yossi Dahan Jan 26 '13 at 18:37
  • @YossiDahan naming aside :), what's the problem with generating a token and using it for multiple services? Basically we call service A, which does some stuff then calls Service B a couple of times, then does some more stuff. Why not pass the token from service A to B? We could not use the token to secure Service B, but use certificates instead. But that's by the by, how can I just manually get the saml token in the API to pass to Service A? – Sam Holder Jan 26 '13 at 19:41
  • edited the question to remove the multiple services bit, in case that clouds the issue, and corrected the authentication name – Sam Holder Jan 26 '13 at 19:43
  • Well - the word flaw may be too harsh :-) but on principle a token gets issued for a specific user to access a specific resource and is not normally intended to be used to access other resources. it can be done, and I'm sure it is being done, but it is less than ideal. on principle token A for service 1 (or the user's initial credentials) should be 'exchanged' through an IdP for token B for service 2. if your intention in calling the other services is to authenticate the calling service and not the user, then certificates are perfect for that. I hope this makes sense – Yossi Dahan Jan 26 '13 at 19:55
  • @YossiDahan The actual situation is this: Api is called by a user. We authenticate to get claims for that user. We then call a service (basically a workflow, which orchestrates the process based on the claims) which needs to know about those claims. This service then calls another service which (currently) doesn't need to know the claims, but may do in the future. We will also need to call other additional services in the future which will also need to know the claims of the user. Passing the claims around rather than contacting ACS every time seems natural to me, but I'm new to this... – Sam Holder Jan 26 '13 at 20:10
  • Might be worth looking at this - http://stackoverflow.com/questions/11325711/is-using-saml-bearer-tokens-for-authenticating-users-to-backend-services-a-bad-i – Yossi Dahan Jan 27 '13 at 01:25
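An added example (not from the question, the comments, or any Microsoft sample) of the flow the question describes: the API takes the username/password it received, sends them to the ACS 2.0 WS-Trust username endpoint, asks for a SAML 2.0 bearer token scoped to one target WCF service, and attaches that token to the outgoing call. It also shows the point raised in the comments about caching one token per service and not reusing a token past its lifetime. It assumes the .NET 4.5 WIF types (`WSTrustChannelFactory`, `RequestSecurityToken`, `CreateChannelWithIssuedToken`), that the credentials belong to an ACS service identity with a password credential, that the relying party in ACS is configured to issue SAML 2.0 tokens for the service address given as `AppliesTo`, and that the target WCF service is configured to accept bearer tokens from ACS. `YOUR-ACS-NAMESPACE` and the service address are placeholders.

```csharp
// Added example, not code from the question or from Microsoft. Assumes .NET 4.5 WIF.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class AcsTokenClient
{
    // Placeholder: replace with the real ACS namespace. ACS 2.0 exposes a
    // WS-Trust 1.3 endpoint for username/password under /v2/wstrust/13/username.
    const string AcsNamespace = "YOUR-ACS-NAMESPACE";
    static readonly string AcsUsernameEndpoint =
        "https://" + AcsNamespace + ".accesscontrol.windows.net/v2/wstrust/13/username";

    // Ask explicitly for SAML 2.0; ACS issues SAML 1.1 or 2.0 per the relying party's
    // configured token format, so the request and the ACS configuration must agree.
    const string Saml2TokenType = "urn:oasis:names:tc:SAML:2.0:assertion";

    // One cached token per target service address: a token is issued for a
    // specific resource (AppliesTo) and is not reused for other services.
    static readonly ConcurrentDictionary<string, SecurityToken> Cache =
        new ConcurrentDictionary<string, SecurityToken>(StringComparer.OrdinalIgnoreCase);

    // Exchange the user's credentials at ACS for a SAML bearer token scoped to serviceAddress.
    public static SecurityToken GetToken(string serviceAddress, string userName, string password)
    {
        SecurityToken cached;
        if (Cache.TryGetValue(serviceAddress, out cached)
            && cached.ValidTo > DateTime.UtcNow.AddMinutes(1))   // do not reuse a token about to expire
        {
            return cached;
        }

        // Credentials travel to ACS over HTTPS as a UsernameToken in the message.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AcsUsernameEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(serviceAddress),   // bind the token to this service only
            KeyType = KeyTypes.Bearer,                           // no proof key; token is sent as-is
            TokenType = Saml2TokenType,
        };

        var channel = factory.CreateChannel();
        try
        {
            SecurityToken token = channel.Issue(rst);            // RST/RSTR exchange with ACS
            Cache[serviceAddress] = token;                       // ValidTo comes from the assertion
            return token;
        }
        finally
        {
            try { ((ICommunicationObject)channel).Close(); }
            catch { ((ICommunicationObject)channel).Abort(); }
        }
    }

    // Call the target WCF service with the issued token attached to the request.
    public static TResult CallWithToken<TChannel, TResult>(
        string serviceAddress, SecurityToken token, Func<TChannel, TResult> call)
        where TChannel : class
    {
        // Federation binding with a bearer key: the SAML assertion is placed in the
        // WS-Security header and the service validates it against the ACS signing key.
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

        var factory = new ChannelFactory<TChannel>(binding, new EndpointAddress(serviceAddress));
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.UseIdentityConfiguration = true;    // enable the WIF pipeline on this factory

        TChannel channel = factory.CreateChannelWithIssuedToken(token);
        try
        {
            return call(channel);
        }
        finally
        {
            try { ((ICommunicationObject)channel).Close(); }
            catch { ((ICommunicationObject)channel).Abort(); }
        }
    }
}
```

Usage from the API would be `var token = AcsTokenClient.GetToken(serviceA, user, pass);` followed by `AcsTokenClient.CallWithToken<IServiceA, Result>(serviceA, token, c => c.DoWork(request));`. Because the cache is keyed by `AppliesTo`, a call to a second service goes back to ACS for a token scoped to that service rather than forwarding the first one; the user's password is only ever sent to ACS, and the cached entry is dropped once `ValidTo` is within a minute of the current time so that an expired or nearly expired assertion is never presented.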

0 Answers