wif - Claims Based Authentication - SharePoint and generally

All, I've been doing a lot of reading around Claims Based Authentication and am still a bit confused. I'm trying to solidify my understanding, specifically relating to SharePoint 2010/2013, but also generally (i.e. ASP.NET). My understanding of various pieces of technology terminology is as follows: WIF (Windows Identity Foundation) - a .NET library (set of APIs) that is used for consuming Identity Claims and building custom STSs etc. Relying Party - a 'Consumer' of Claims (i.e. SharePoint, ASP.NET Web Site etc.). Claims are provided through an ST...

Active and Passive Federation in WIF

I am trying to understand the difference between Active and Passive federation in WIF. It appears that one would use an Active Federation if the Relying Party (RP) is a WCF Service instead of an ASP.NET application and a Passive Federation if the RP is an ASP.NET application. Is this accurate? So, in a scenario in which an ASP.NET application uses a WCF in the backend, the MS articles suggest using a 'bootstrap' security token that is obtained by the ASP.NET app using an ActAs STS and this token is used to authenticate with the WCF. In this scen...

Custom WIF scenario

I have a scenario that might have been asked before. I want to use WIF with a windows client but my STS would be behind a firewall and I need to augment the STS to deal with custom authentication. The call flow would be Client - calls authenticate on Security Service with custom RST claims token - Security Service - calls existing asmx service to validate user and retrieves custom authentication values - Security Service - calls custom STS to create a Saml2 token and sends it back down to the client. Once back on the client I have a secured toke...

wif - TCP Federation and ADFS

I hope someone can help me out. How can I do federation over TCP? I am using ADFS as my STS. My WCF service (Relying party) exposes its endpoint over net.tcp bindings. The STS would be accessed through wsHttp endpoints. How would I do this? Any suggestions? Thank you...

WIF Security Token Caching

I have a site that is a relying party to our WIF-based custom STS. We recently implemented a Security Token Cache as described here: Azure/web-farm ready SecurityTokenCache. The major difference between our implementation and the one described in that link is that we use Azure AppFabric Caching as the backing store for the durable cache, rather than table storage. This helped to relieve us of a token truncation issue on certain browsers but has introduced a new problem (We see the truncation problem primarily on pages that have google analyt...

wif - Windows Identity Foundation: Active Federation client (which is previous relying party) accessing relying party with token

I am setting up a STS using WIF which will support active and passive federation. There will be multiple services which use the STS as relying parties. I want to know how the scenario works and is implemented where one service (eg. RelyingParty1) is the client of another service (eg. RelyingParty2) where the client of RelyingParty1 (a physical person/user) authenticates via STS/Idp username and login and RelyingParty1 wants to use RelyingParty2. Does RP2 communicate with the STS at all, or is a valid token passed from RP1 to RP2? Is there specific...

adfs - WIF passive federation with custom load balancer in place

I'm implementing a simple load balancer - it's an http listener which parses incoming requests from the browser and routes them to the appropriate ASP.NET application. It listens on a certain port (8801) and when routing it preserves the original URI and changes only the port number, e.g. https://machine.domain.com:8801/testsite/Default.aspx could be routed to https://machine.domain.com:8811/testsite/Default.aspx. With no security, routing works just fine. The problem emerges when I try to apply WIF federation to the ASP.NET apps. I use ADFS 2.0. Here are two...

wif - Need to pass additional value to UserNameSecurityToken in STS from client application

I have incorporated security into my wcf service using wif. Below is my high level design.

Wif sts application - Here I have used a custom username security token handler to validate the username & password

Wcf service - list of services

Web application -> where I consume the wcf service.

STS custom username security token handler as follows:

public class CustomUserNameSecurityTokenHandler : UserNameSecurityTokenHandler { public override Microsoft.IdentityModel.Claims.ClaimsIdentityCollection ValidateToken(System.IdentityModel.Tokens.SecurityToken...

WCF routing + WIF

How does the new routing service deal with security? According to http://blogs.microsoft.co.il/blogs/applisec/archive/2011/12/12/wcf-routing-and-message-security.aspx, it might be difficult when default windows security is not chosen (typically a simple username/password scenario). Can wcf routing actually support a scenario where the router receives a WS-Security secured message over HTTP and forwards it to another server over HTTP, without unwrapping the security token? My scenario is as follows: A server (relying party), a custom STS with use...

WIF, Federation and STS

In order to prepare my application to use ADFS I have to work with federation. Now we have a solution with a server with federated services using WIF for security, we have a client consuming these services and we have an STS which takes a username/password for identifying the user. Everything works fine, all my claims are generated correctly and I can use them in my application. Now we must use ADFS in addition to our Internal IdentityProvider. I'd just take my sts and divide it between two parts, a "federation provider" called by the client and trusted b...

Identity Delegation with WIF 4.5 between web and wcf layer with custom claims added with ClaimsAuthenticationManager

I'm trying to implement claims delegation from a web layer to a WCF layer. This is working great using an ActAs Token obtained from the ClaimsIdentity BootstrapContext. All of the claims which are received at the web layer from ACS are correctly passed through to the WCF layer. This is set up similar to as documented here: http://msdn.microsoft.com/en-us/library/ee517269.aspx (but I believe this specific example is related to WIF 4.) However, I also need to enrich the claims which are received to add our own internal claims. I do this using the ...

wif - C2WTS service without ADFS?

We are using a third party STS for iDM (not ADFS); when the user logs in, on the relying party side we are getting all the claims we need. To connect to sql server, I need a windows token, and I read at MSDN blogs that I can use the C2WTS service to get a windows token. STS is sending the upn claim to the application. Is it possible to get a windows token using C2WTS when we don't have ADFS but a SAML token with the right claims (including upn claim) from another STS?...

How to deal with stale claims in WIF?

How to deal with stale claims in WIF? Here's the setup: I have a WIF STS that provides authentication for many different MVC web applications. The STS also provides claims, like privileges, email, etc. I have an MVC application we'll call MyApp that uses the STS for authentication and consumes the claims provided. I have an MVC application we'll call MyManager that allows an admin to change any user's claims, for example privileges associated with a user. Here's the problem: User "MisterUser" logs into MyApp and gets the FedAuth cookies that contain ...

wif - Message: ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context

We're getting the exact same error as in this thread ... in our production environment: WIF Security Token Caching. Does anybody have a fix to this error? Message: ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context. Here is some info about our setup: • We're using built-in Windows Identity Framework with .NET Framework 4.5.1 • The problem is almost always associated with changing from RelyingParty#X over to RelyingParty#Y (e.g. the moment user clicks the RP#Y he's SIGNED OU...