How do I access AD FS statements for user credentials?

I am developing a WCF web service to mediate between user login actions and their active roles and permissions, and I do not want my host application to talk directly to AD FS. I want any host application to use my web service and provide the necessary information based on credential data.

In my web method, I need to get requests from AD FS (WIF) for user credentials.

My web method will have two input parameters: Windows email username / Windows account name and password.

So, I want to access AD FS claims in my web method by providing user credentials.

How do I get AD FS claims using user credentials?

+4

2 answers

You can request a DisplayToken from ADFS and work with it; this is basically the same information as in the token.

    using System.IdentityModel.Tokens;                        // SecurityToken
    using System.ServiceModel;                                // SecurityMode, TrustVersion, EndpointAddress
    using Microsoft.IdentityModel.Protocols.WSTrust;          // WIF 3.5 WS-Trust client types
    using Microsoft.IdentityModel.Protocols.WSTrust.Bindings; // UserNameWSTrustBinding

    public DisplayClaimCollection GetDisplayClaims(string username, string password)
    {
        WSTrustChannelFactory factory = null;
        try
        {
            // Use a UserName trust binding for username/password authentication.
            // TransportWithMessageCredential: the credentials are protected only by TLS.
            factory = new WSTrustChannelFactory(
                new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                "https://.../adfs/services/trust/13/usernamemixed");
            factory.TrustVersion = TrustVersion.WSTrust13;
            factory.Credentials.UserName.UserName = username;
            factory.Credentials.UserName.Password = password;

            var rst = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                // Relying party endpoint address (placeholder) that the token is issued for
                AppliesTo = new EndpointAddress("https://.../"),
                KeyType = KeyTypes.Symmetric,
                RequestDisplayToken = true
            };

            IWSTrustChannelContract channel = factory.CreateChannel();
            RequestSecurityTokenResponse rstr;
            // The issued SAML token (encrypted for the relying party) comes back in 'token';
            // the human-readable display claims ride alongside it in the RSTR.
            SecurityToken token = channel.Issue(rst, out rstr);
            return rstr.RequestedDisplayToken.DisplayClaims;
        }
        finally
        {
            if (factory != null)
            {
                try { factory.Close(); }
                catch (CommunicationObjectFaultedException) { factory.Abort(); }
            }
        }
    }

But this is not the right way to do it! You must use your RelyingParty certificate to decrypt the encrypted token and read claims from it.

+4

You should perform a web service call to the https://.../adfs/services/trust/13/usernamemixed endpoint of AD FS 2.0 which uses Integrated Windows Authentication, providing the user credentials so that the connection can be set up. On this endpoint, call the http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue operation. (More details are in section 4.1 of the WS-Trust 1.3 specification.) The input for this operation is a RequestSecurityToken request. The response contains a SAML token containing the claims you require.

Note that the AD FS 2.0 WSDL is available at https://.../adfs/services/trust/mex: if you point your Visual Studio Add Service Reference wizard, or your Java wsimport, to that URL then you'll easily generate client code which you can use for performing the RST Issue operation.

+7
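The RST/Issue exchange described in both answers, as an added example that is not part of either answer's code: a Python helper that builds the WS-Trust 1.3 request the usernamemixed endpoint expects (WS-Security UsernameToken in the header, Issue request type, AppliesTo and symmetric key type in the body) and extracts claims from the SAML 1.1 assertion in the response. The sample RSTR is constructed and unencrypted; the helper refuses an encrypted assertion, since that case needs the relying party's private key as the first answer notes. Endpoint, relying party and claim values are made up.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "a": "http://www.w3.org/2005/08/addressing",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

def build_rst(endpoint, username, password, applies_to):
    # SOAP 1.2 RST/Issue for the usernamemixed endpoint: the credentials travel in a
    # WS-Security UsernameToken, so only the HTTPS transport protects them.
    return (
        '<s:Envelope xmlns:s="{s}" xmlns:a="{a}" xmlns:wsse="{wsse}" '
        'xmlns:trust="{trust}" xmlns:wsp="{wsp}"><s:Header>'
        '<a:Action s:mustUnderstand="1">{trust}/RST/Issue</a:Action>'
        '<a:To s:mustUnderstand="1">{to}</a:To>'
        '<wsse:Security s:mustUnderstand="1"><wsse:UsernameToken>'
        '<wsse:Username>{user}</wsse:Username><wsse:Password>{pw}</wsse:Password>'
        '</wsse:UsernameToken></wsse:Security></s:Header><s:Body>'
        '<trust:RequestSecurityToken><trust:RequestType>{trust}/Issue</trust:RequestType>'
        '<wsp:AppliesTo><a:EndpointReference><a:Address>{rp}</a:Address></a:EndpointReference></wsp:AppliesTo>'
        '<trust:KeyType>{trust}/SymmetricKey</trust:KeyType>'
        '</trust:RequestSecurityToken></s:Body></s:Envelope>'
    ).format(to=escape(endpoint), user=escape(username),
             pw=escape(password), rp=escape(applies_to), **NS)

def claims_from_rstr(rstr_xml):
    # Claims sit in the SAML 1.1 AttributeStatement. When AD FS has an encryption certificate
    # for the relying party the assertion arrives as xenc:EncryptedData and must be decrypted first.
    root = ET.fromstring(rstr_xml)
    if root.find(".//xenc:EncryptedData", NS) is not None:
        raise ValueError("assertion is encrypted for the relying party; decrypt it with the RP private key")
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        # AD FS maps a claim type URI to AttributeNamespace + "/" + AttributeName
        ctype = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[ctype] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims

# Constructed, unencrypted sample RSTR (not captured from a real AD FS server).
SAMPLE_RSTR = ('<trust:RequestSecurityTokenResponse xmlns:trust="{trust}" xmlns:saml="{saml}">'
    '<trust:RequestedSecurityToken><saml:Assertion><saml:AttributeStatement>'
    '<saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">'
    '<saml:AttributeValue>Finance</saml:AttributeValue><saml:AttributeValue>Users</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">'
    '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse>').format(**NS)
```

Posting the envelope from build_rst over HTTPS to the usernamemixed URL with Content-Type application/soap+xml is what the generated WCF or wsimport client does under the hood.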
