Part 2
Let’s say you have implemented federated security and
now you have a bunch of services, all of which require a token from a trusted STS
before they provide any service. Some of these services are logically part of the same
security realm but are still distinct entities. To optimize performance, you
probably want to do some short-circuiting: when a user presents a token
(issued by the trusted STS) to one of these services, that frontend
service should simply be able to forward the incoming token to the backend services
within its logical security boundary (akin to trusted delegation). Here
is a diagrammatic view.

On the surface, this sounds like a simple scenario which can
be implemented as:
· Reach into the incoming service security context
· Extract the incoming token
· Pass it on to the backend service
The trouble here is that wsFederationHttpBinding wisely uses
secure conversation to avoid the token acquisition overhead on each call. Because of
this optimization, we never get to see the actual bootstrap token (the token used
to establish the secure conversation session) inside our service methods.
In the next post, I will show you how to extend the WCF
security framework to enable this scenario.
At a very high level, we need to hook into the secure
conversation handshake, extract the incoming SAML token and save it
somewhere for future use.