A question that has been coming up a lot lately is how does one send a SAML bearer token to a downstream WCF service? In each of the recent cases, a front-end app was being presented with a token that it needed to convert to SAML before calling the back-end service. To do this, the Web app would send the incoming token or some other credential to an STS, get the SAML token back, and include it in its request to the next service, as shown in the following sketch:
To create such a system using .NET requires certain config on the client and on the server, so I'll enumerate what's required on each. At the end of this post, you'll find links to other blog entries with more detail and a link to download a sample project.
Web Service Client
- Get a bearer token from the STS using the credential the client has (another token, username/password, cert, etc.)
- Call the service
- Use the WS2007FederationHttpBinding binding and set the security mode to WSFederationHttpSecurityMode.TransportWithMessageCredential
- On the binding's security object, set the Message.IssuedKeyType to SecurityKeyType.BearerKey
- When creating the channel factory, call the ConfigureChannelFactory extension method from WIF
- When using the factory to create the channel, call CreateChannelWithIssuedToken and pass it the SAML token you got from the STS
Web Service
- Use the WS2007FederationHttpBinding binding with transport security (as in the client)
- Like in the binding of the client, set the Message.IssuedKeyType to SecurityKeyType.BearerKey
- Make sure it's expecting the assertion to be signed by the cert of the STS (by wiring up an IssuerNameRegistry that will check)
- Configure the audience restriction to be the same one included in the SAML assertion
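The client steps and the service-side checks above, put together in one place as an added example (this is my own illustration, not the code from the downloadable sample). The STS and service addresses, the IBackend contract and the issuer thumbprint are hypothetical placeholders; it assumes WIF 1.0 (Microsoft.IdentityModel) and a username/password credential at the STS.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;

[ServiceContract] public interface IBackend { [OperationContract] string Ping(); }

static class BearerTokenSample
{
    // Hypothetical endpoints; substitute the real STS and back-end service addresses.
    const string StsAddress = "https://sts.example.test/trust/13/username";
    const string ServiceAddress = "https://backend.example.test/svc";

    // Same binding on both sides: transport security plus a bearer (no proof key) SAML token.
    static WS2007FederationHttpBinding BearerBinding()
    {
        var b = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        b.Security.Message.EstablishSecurityContext = false; // a bearer token has no key to derive a session from
        return b;
    }

    static SecurityToken GetBearerToken(string user, string password) // client: ask the STS for a bearer token
    {
        var factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(StsAddress)) { TrustVersion = TrustVersion.WSTrust13 };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // AppliesTo becomes the audience in the assertion; the service must list the same URI.
        var rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue)
            { AppliesTo = new EndpointAddress(ServiceAddress), KeyType = WSTrust13Constants.KeyTypes.Bearer };
        return factory.CreateChannel().Issue(rst);
    }

    static string CallBackend(SecurityToken samlToken) // client: attach the issued token to the service call
    {
        var factory = new ChannelFactory<IBackend>(BearerBinding(), new EndpointAddress(ServiceAddress));
        factory.ConfigureChannelFactory();                           // WIF extension method
        IBackend proxy = factory.CreateChannelWithIssuedToken(samlToken);
        return proxy.Ping();
    }

    static void ConfigureHost(ServiceHost host) // service: trust only the STS cert, accept only our audience
    {
        host.AddServiceEndpoint(typeof(IBackend), BearerBinding(), ServiceAddress);
        var config = new ServiceConfiguration();
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer("<STS signing cert thumbprint>", "ExampleSts"); // placeholder thumbprint
        config.IssuerNameRegistry = registry;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(ServiceAddress));
        FederatedServiceCredentials.ConfigureServiceHost(host, config);
    }
}
```

If the audience URI on the service does not match the AppliesTo the client requested, or the assertion is signed by a cert that is not in the issuer registry, the service rejects the token at the message-security layer rather than in your service code.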
If after reading the above, things aren't quite clear yet, check out these blog posts for more details:
If you're still stuck, have a look at this sample (licensed under the GNU GPL), leave a comment here, and/or email me.