Hi everybody!
I have to implement an STS for the basic brokered-authentication scenario depicted in "Figure 3. Using a broker to perform authentication when client and service do not share trust relationship" at http://msdn.microsoft.com/en-us/library/aa480569.aspx
WS-Security (version 1.1), WS-Trust (February 2005), WS-SecureConversation (February 2005) and WS-SecurityPolicy (July 2005) should be used. Clients have to get a SecureConversationToken from the STS and authenticate to the Business-Service with the created SCT. The Business-Service should validate the client's SCT with the STS if necessary.
WCF provides wsHttpBinding / ws2007HttpBinding. These bindings can establish SecureConversation very simply between two communication partners such as client and service (config file..). BUT how can I extend this secure-conversation scenario to be based on the brokered-authentication scenario you can see in the link above? No SAML token should be used in this scenario.
1) Can I customize the WsHttpBinding / WSHttp2007Binding to use the WS-Security specifications mentioned above?
Where will the cached SecurityContextTokens be, in the STS or in a service?
How can I get full control of SCT management in the STS?
How will the SecurityContextToken be generated?
Should I override the SecurityTokenManager, SecurityTokenProvider and other classes so that I have full control over the SecureConversation mechanism? How can I do that? Does anyone have a sample of it?
2) My second idea is to disable the SecureConversation setting in web.config (<message establishSecurityContext="false" negotiateServiceCredential="true"/>) and simply implement one endpoint in the STS that responds to requests with WS-SecureConversation and WS-Trust actions like:
Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
RequestType: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Action: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
RequestType: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
........
3) How could the request from the client with an SCT be validated at the STS? Should it be validated?
Does anyone have a sample for my problem? I need it urgently and would be very grateful for your replies!
Thank you!
Cheers, Valentin
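As an added illustration of idea 2, the header/body checks an STS endpoint would run on an incoming RST before treating it as an SCT Issue or Renew request (example code written for this thread in Python rather than C#, not from the post or from WCF; the SOAP 1.2, WS-Addressing and WS-Trust/WS-SecureConversation namespace constants are assumptions, and the sample envelope is constructed):

```python
# Added example: classify a WS-Trust (Feb 2005) RST for a SecureConversationToken.
# Namespace constants are assumptions; the sample envelope is constructed.
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"      # WS-Trust, February 2005
WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"         # WS-SecureConversation, February 2005
WSA_NS = ("http://www.w3.org/2005/08/addressing",        # WS-Addressing 1.0
          "http://schemas.xmlsoap.org/ws/2004/08/addressing")  # WS-Addressing 2004/08

# wsa:Action -> wst:RequestType pairs listed in the post; anything else is refused.
SCT_OPERATIONS = {
    f"{WST}/RST/SCT": f"{WST}/Issue",
    f"{WST}/RST/SCT/Renew": f"{WST}/Renew",
}

def classify_rst(envelope_xml):
    """Return ("Issue" | "Renew" | "reject", reason) for one SOAP 1.2 envelope."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP12}}}Header")
    body = root.find(f"{{{SOAP12}}}Body")
    if header is None or body is None:
        return "reject", "not a SOAP 1.2 envelope"
    action = None
    for ns in WSA_NS:                      # accept either addressing namespace
        el = header.find(f"{{{ns}}}Action")
        if el is not None:
            action = (el.text or "").strip()
            break
    if action not in SCT_OPERATIONS:
        return "reject", f"unsupported wsa:Action {action!r}"
    rst = body.find(f"{{{WST}}}RequestSecurityToken")
    if rst is None:
        return "reject", "Body carries no wst:RequestSecurityToken"
    request_type = (rst.findtext(f"{{{WST}}}RequestType") or "").strip()
    if request_type != SCT_OPERATIONS[action]:   # Action and RequestType must agree
        return "reject", f"RequestType {request_type!r} does not match Action"
    token_type = (rst.findtext(f"{{{WST}}}TokenType") or "").strip()
    if token_type and token_type != f"{WSC}/sct":  # this endpoint issues SCTs only
        return "reject", f"TokenType {token_type!r} is not an SCT"
    return SCT_OPERATIONS[action].rsplit("/", 1)[-1], "ok"

# Constructed sample: an Issue request for an SCT.
SAMPLE_ISSUE_RST = f"""<s:Envelope xmlns:s="{SOAP12}" xmlns:a="{WSA_NS[0]}" xmlns:t="{WST}">
  <s:Header><a:Action>{WST}/RST/SCT</a:Action></s:Header>
  <s:Body><t:RequestSecurityToken>
    <t:TokenType>{WSC}/sct</t:TokenType>
    <t:RequestType>{WST}/Issue</t:RequestType>
  </t:RequestSecurityToken></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(classify_rst(SAMPLE_ISSUE_RST))                                # ('Issue', 'ok')
    print(classify_rst(SAMPLE_ISSUE_RST.replace("/Issue<", "/Renew<")))  # mismatch -> reject
```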