Windows Vista Forums
Vista Forums Home Join Vista Forums Windows 7 Forum Vista Tutorials Tags
Welcome to Windows Vista Forums. Our forum is dedicated to helping you find solutions with any problems, errors or issues you are experiencing with Windows Vista. The Vista forum also covers news and updates and has an extensive Windows Vista tutorial section that covers a wide range of tips and tricks.

Go Back   Vista Forums > Misc Newsgroups > Indigo

Vista - STS, IssuedTokens, SAML and web browsers

 
 
Old 09-15-2007   #1 (permalink)
Terraslate


 
 

STS, IssuedTokens, SAML and web browsers

Hey all,

I am finally starting to get into some of the deeper issues with WCF and am
now in the throws of forumlating a few scenarios before we hit the metal and
start writing some production code. In any case i seem to have an issue
right now with a particular security scenario.

I think we are going to want to use a federated scenario for security,
having a seperate STS to issue a SAML token and then of course when we do
hit our service we are able to inspect the claims in the token and base
decisions on them. Unfortunatley our services essentailly will automate, or
rather project in the SOA world, existing functionality presented through a
web front end. Now that web architecture uses a cookie to transport i guess
what might in the saml world be the claims specific to the client (this
cookie i want to replace with a cookie which contains instead the sts
issued saml token).

Anyway, suppose then we write wcf services to inspect the saml token wherein
we will look for these claims / properties then all is well and good if the
token is supplied via the proxies created by svcutil or vs. All this stuff
happens under the hood, and our token appears in the wcf service magically
and ready for inspection.

For our web scenario however the chances are we will contact the STS and
store the token in the web browser as a cookie. Now i will point out in
advance that cardspace is not an option. Anyway, so if i contact the same
webservice from some ajax code in the browser, notably using webHttpBinding,
somewhere in the pipeline that is WCF we'll need to extract that cookie, and
pump it into the servicesecuritycontext (the idea is that we will use the
token in the cookie to replace those existing cookie claims as i mentioned
above). I have no ideas how to do this, or whether there is some
functionality in WCF that can do this automatically. If this doesn't
happen - then how can my service code be security agnostic? I want to use
claims and i should code against claims. The browser shouldn't get in the
way of that and shouldn't require cardspace. There must be some
extensibility point in WCF where i can intercept WCF and make the magic
happen?

The code in the service should be able to do something like
OperationContext.Current.ServiceSecurityContext.Authori....(from memory
this) and regardless of whether the client was a browser or a smart client -
the service should be non the wiser as security would look the same
regardless.

Anyone know the answers, or have any pointers? I am about to embark on a
large system and WCF seems to fit the bill. I just need to hit that 98%
comfortable mark to give it the green light.

Cheers

Terraslate




My System SpecsSystem Spec
 

Thread Tools


Similar Threads
Thread Forum
Browsers Vista General
2 different browsers Browsers & Mail


Vista Forums is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46