IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Possible scenario for ws-trust act-as delegation #804

Closed apacherose closed 9 years ago

apacherose commented 9 years ago

Hello, we are working on a federated authentication infrastructure. I'd like to know whether it is possible, having a previously issued token for an RP, to delegate (or "re-issue") that token for a different RP, i.e. keep the token content the same and just re-issue it for a different realm. Some clarifications:

The infrastructure consists of web applications (RPs), an STS (Thinktecture Identity Server v2) and WCF services, which also act as RPs. Based on the MVC and WCF RP (SAML) samples, which are maintained here, I've managed to set up a fully working scenario where the web app authenticates against the STS, keeps the issued token using the saveBootstrapContext="true" attribute in the configuration section, and then consumes the WCF service, whose security is also within the scope of the STS.

This code prepares and issues the new token, with which the service is accessed:

```csharp
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// _idsrvEndpoint (the STS WS-Trust endpoint) and _realmService (the service realm)
// are fields defined elsewhere in the poster's code and are not shown in the issue.
private static SecurityToken GetActAsToken(SecurityToken bootstrapToken)
{
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(_idsrvEndpoint));
    factory.TrustVersion = TrustVersion.WSTrust13;

    factory.Credentials.UserName.UserName = "some_name";  // these credentials I'd like to skip
    factory.Credentials.UserName.Password = "some_pass";

    var rst = new RequestSecurityToken
    {
        AppliesTo = new EndpointReference(_realmService),
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        ActAs = new SecurityTokenElement(bootstrapToken)  // the user's bootstrap token rides along
    };

    var channel = factory.CreateChannel();
    var delegationToken = channel.Issue(rst);

    return delegationToken;
}
```

Consuming the service is similar to this:

```csharp
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

// The service contract type was lost when the issue was rendered; IMyService is a placeholder.
// _serviceEndpoint is a field defined elsewhere in the poster's code.
var factory = new ChannelFactory<IMyService>(binding, new EndpointAddress(_serviceEndpoint));
factory.Credentials.SupportInteractive = false;

// token is the delegation token returned by GetActAsToken
var channel = factory.CreateChannelWithIssuedToken(token);
// do service client invocation ...
```

I wonder whether it is possible to issue the ActAs token without supplying credentials (username / password). Is there a way to achieve this with only the previously issued token? As a result I actually want the same token, with the same identity and claims information, but this time issued for a different realm (which in my example is _realmService).

Thank you in advance.

leastprivilege commented 9 years ago

No - delegation needs the credentials of the "middle tier".
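As an added illustration of the answer above (example code written for this page, not code from the issue thread or from IdentityServer2): the middle tier retrieves the user's bootstrap token, authenticates to the STS with its own credentials while placing the user's token in the ActAs element, and the downstream service then sees the middle tier as the Actor of the user's identity and can authorize on both. The endpoint URIs, the `IOrderService` contract, the credential values and the allowed actor name are placeholders; the service-side code assumes WIF is configured so that `ClaimsPrincipal.Current` yields a `ClaimsPrincipal`.

```csharp
// Added example (not from the issue or the project). Placeholders: endpoints, contract name,
// middle-tier credentials and the allowed-actor list.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrderService   // placeholder service contract
{
    [OperationContract]
    string WhoAmI();
}

public static class ActAsDelegation
{
    // Placeholder addresses; replace with the real STS and service endpoints.
    static readonly string IdsrvEndpoint = "https://sts.example.test/issue/wstrust/mixed/username";
    static readonly string RealmService = "https://service.example.test/";
    static readonly string ServiceEndpoint = "https://service.example.test/OrderService.svc";

    // Step 1: in the web app, read the token that was kept because
    // saveBootstrapContext="true" is configured for the session.
    public static SecurityToken GetBootstrapToken(ClaimsPrincipal principal)
    {
        var identity = (ClaimsIdentity)principal.Identity;
        var bootstrap = identity.BootstrapContext as BootstrapContext;
        if (bootstrap == null || bootstrap.SecurityToken == null)
            throw new InvalidOperationException("No bootstrap token was saved for this session.");
        return bootstrap.SecurityToken;
    }

    // Step 2: request a token for the service realm. The web app (middle tier) must
    // authenticate itself; the user's token cannot stand in for those credentials.
    public static SecurityToken GetActAsToken(SecurityToken bootstrapToken,
                                              string middleTierUser, string middleTierPassword)
    {
        var factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(IdsrvEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = middleTierUser;      // middle-tier credential
        factory.Credentials.UserName.Password = middleTierPassword;

        var rst = new RequestSecurityToken
        {
            AppliesTo = new EndpointReference(RealmService),
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            ActAs = new SecurityTokenElement(bootstrapToken)         // the end user's token
        };

        return factory.CreateChannel().Issue(rst);
    }

    // Step 3: call the service presenting the issued ActAs token.
    public static string CallService(SecurityToken actAsToken)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(ServiceEndpoint));
        factory.Credentials.SupportInteractive = false;
        var channel = factory.CreateChannelWithIssuedToken(actAsToken);
        return channel.WhoAmI();
    }
}

// Service side: an ActAs token yields a ClaimsIdentity whose Actor is the middle tier.
// Authorize on both: which user is calling and which application is acting for them.
public class OrderService : IOrderService
{
    static readonly string[] AllowedActors = { "webapp" };   // placeholder middle-tier name

    public string WhoAmI()
    {
        var identity = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
        if (identity == null || identity.Actor == null)
            throw new FaultException("An ActAs token is required for this operation.");

        var actorName = identity.Actor.Name;
        if (Array.IndexOf(AllowedActors, actorName) < 0)
            throw new FaultException("The acting application is not authorized to delegate.");

        return identity.Name + " via " + actorName;
    }
}
```

The point the answer makes shows up in `GetActAsToken`: the `UserName` credentials on the channel factory identify the web application to the STS, and the ActAs element only carries the user's token; without the former the STS has no authenticated requester to record as the Actor, which is exactly what the service relies on to decide whether delegation is acceptable.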

apacherose commented 9 years ago

Thank you.