First published by Alik Levin on 13 Sep 2011 9:08 AM. Last revision by Alik Levin on 17 Feb 2012 10:32 AM. Revisions: 9. Comments: 0.
Identity Flow Through Physical Tiers - ActAs Delegaton
Back to Windows Azure Active Directory Solutions For Developers
Table of Contents
Scenario
Solution Approach
Analysis
How To's
Code Samples
Resources
Scenario
In this scenario you are developing a distributed multi-tier application with an ASP.NET web front end and a WCF (SOAP) back end. The identity of the original user who interacts with the ASP.NET web application must flow through the physical tiers to the back end WCF (SOAP) service. This requirement usually comes from the need to perform authorization, logging and auditing at the back end WCF service based on the original caller rather than on the web application's own service identity. For example, if Bob accesses the ASP.NET front end web application, then Bob's identity, not the web application's account, should be used to log activities and perform access checks at the back end WCF service. The process of flowing the identity across physical tiers is called delegation.
Distributed multi-tier application.
ASP.NET web front end.
WCF (SOAP) back end.
The identity of the original user who interacts with the ASP.NET front end web application needs to flow through the physical tiers to the back end WCF service.
Solution Approach
Delegation is used to solve this scenario. WIF and AD FS provide the building blocks for delegation. One AD FS instance serves as the Identity Provider (IP) that authenticates the user and issues the initial token. A second AD FS instance is configured as a Claims Provider that trusts the IP, validates the original token carried in the ActAs element of the token request, and issues a new token that carries the original user's claims together with the identity of the web application acting for that user. The ASP.NET application obtains this token by calling WCF's CreateChannelActingAs with the user's bootstrap token and uses the resulting channel to call the WCF service, which trusts the Claims Provider AD FS.
One AD FS instance serves as Identity Provider (IP).
Another AD FS instance serves as Claims Provider, configured for delegation and to trust the IP instance of AD FS.
The ASP.NET application uses the user's bootstrap token as the ActAs token.
The ASP.NET application uses CreateChannelActingAs when communicating with the WCF service.
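The front-end side of the steps above, written out as an added example; this is not code from the article or from the WIF SDK sample. It assumes WIF 3.5 (the Microsoft.IdentityModel assembly), a hypothetical IOrderService contract, and a client endpoint named OrderServiceEndpoint in web.config whose ws2007FederationHttpBinding points at the Claims Provider AD FS; all three names are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;   // CreateChannelActingAs, ConfigureChannelFactory

// Hypothetical back-end contract; substitute the real one.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrders();
}

public static class DelegationClient
{
    // Returns the token the IP issued to the signed-in user. WIF only keeps it when
    // <service saveBootstrapTokens="true"> is set; we fail loudly instead of letting the
    // call silently go out under the web application's own identity.
    public static SecurityToken GetBootstrapToken()
    {
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new InvalidOperationException("Caller is not authenticated through WIF.");

        var identity = (IClaimsIdentity)principal.Identity;
        if (identity.BootstrapToken == null)
            throw new InvalidOperationException(
                "No bootstrap token: set <service saveBootstrapTokens=\"true\"> under <microsoft.identityModel>.");

        return identity.BootstrapToken;
    }

    // Calls the WCF service as the original user. CreateChannelActingAs makes WIF request
    // a new token from the Claims Provider AD FS named in the binding, placing the bootstrap
    // token in the ActAs element of the WS-Trust request; the issued token then identifies
    // the user as subject and this application as actor.
    public static string CallBackend()
    {
        var factory = new ChannelFactory<IOrderService>("OrderServiceEndpoint");  // assumed endpoint name
        factory.ConfigureChannelFactory();          // plug WIF's token handling into the factory
        factory.Credentials.SupportInteractive = false;

        IOrderService channel = factory.CreateChannelActingAs(GetBootstrapToken());
        try
        {
            return channel.GetOrders();
        }
        finally
        {
            var comm = (ICommunicationObject)channel;
            if (comm.State == CommunicationState.Faulted) comm.Abort(); else comm.Close();
            factory.Close();
        }
    }
}
```

Call DelegationClient.CallBackend() from the page or controller that handles the signed-in user's request; the token request to the Claims Provider happens on the first operation invoked on the channel, so a missing trust relationship or a rejected ActAs token surfaces there as a fault, not at channel creation.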
Analysis
The ASP.NET application uses the bootstrap token for ActAs purposes. By default WIF discards the incoming token once the session is established, so the application must be configured to keep it in the WIF-related section (microsoft.identityModel) of the configuration file, specifically:
<service saveBootstrapTokens="true">
This introduces a security consideration. The bootstrap token is the complete signed token issued by the IP, and WIF keeps it inside the session security token (by default in the session cookie, which grows accordingly). Anyone who obtains it, for example through a compromised web tier or a stolen session cookie, can act as that user toward the back end for the token's lifetime, and the token may also carry claims that are sensitive in themselves. Enable the setting only on applications that need delegation, keep token lifetimes short, protect the session cookie (HTTPS, HttpOnly), and have the WCF service accept ActAs tokens only from the web application it expects.
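Because a saved bootstrap token lets the front end act as any signed-in user, the back end should accept delegated calls only from the front end it expects and should authorize and audit on the original user. The following is an added example of that check on the WCF side; it is not code from the article or the SDK sample. It assumes WIF 3.5, a service host configured through WIF so that Thread.CurrentPrincipal carries the claims principal, a hypothetical IOrderService contract, a hypothetical OrderReader role claim, and that the Claims Provider AD FS issues the web front end's identity as the name claim of the actor (the placeholder URL is an assumption).

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Security;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// Hypothetical contract shared with the front end; substitute the real one.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrders();
}

public class OrderService : IOrderService
{
    // Name the Claims Provider AD FS issues for the web front end when it acts for a user.
    // Assumed value; set it to whatever identity your front end actually presents.
    private const string TrustedFrontEnd = "https://webfrontend.contoso.example/";

    public string GetOrders()
    {
        IClaimsIdentity original = RequireDelegatedCaller();

        // Auditing and authorization both key off the original user, not the web application.
        Trace.TraceInformation("GetOrders called by {0} via {1}", original.Name, original.Actor.Name);
        bool canRead = original.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "OrderReader");
        if (!canRead)
            throw new SecurityException("Caller lacks the OrderReader role.");

        return "orders for " + original.Name;
    }

    // Accepts only tokens that were issued for a delegated call and that name the known
    // front end as the actor. No actor means a user's token was presented directly (for
    // example a replayed bootstrap token); an unexpected actor means some other application
    // obtained an ActAs token for this user.
    private static IClaimsIdentity RequireDelegatedCaller()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new SecurityException("Unauthenticated call.");

        if (identity.Actor == null)
            throw new SecurityException("Direct calls are not accepted; delegation is required.");

        // ActAs chains can be longer than one hop (Actor.Actor ...). Require exactly one hop
        // and require that it is the expected front end.
        bool expectedActor = string.Equals(identity.Actor.Name, TrustedFrontEnd, StringComparison.Ordinal);
        if (!expectedActor || identity.Actor.Actor != null)
            throw new SecurityException("ActAs token from an unexpected application.");

        return identity;
    }
}
```

Rejecting tokens without an actor is the part most often omitted: it is what stops a stolen bootstrap token from being used against the service directly, while still allowing the normal delegated path through the front end.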
How To's
Identity Delegation Scenario
Code Samples
Identity Delegation sample in the WIF SDK
Resources
Identity Delegation and Security Context Flow Through Physical Tiers
Frequently Asked Questions (ActAs and OnBehalfOf section)
Tags: ACS, AD FS, adfs, cloud, Identity, WIF