using bearer token from ACS (and later PingFederate) for client/server web service call


The code at stackoverflow enabled us to get a token from ACS, issued with the symmetric-key type and fit for presentation to an IService that is set up with the bindings from the ACS samples for the username-token web service. It is a minor change to migrate from the certificate binding, shown below, to the username-token binding.

[screenshot: the certificate-binding client code from the stackoverflow answer]

http://stackoverflow.com/questions/5598388/how-do-i-configure-wcf-to-use-a-custom-realm-in-urn-format-with-azure-acs

This bit of code shows what is happening behind the scenes: interactive mode is off, service credential negotiation is off, and no security context (WS-SecureConversation session) is established.

We changed it a bit so that once again ACS issues a cleartext bearer token, by (i) reconfiguring the Relying Party at the ACS console to remove the token encryption step, (ii) changing the binding for ACS to request a bearer token rather than a symmetric-keyed token, and (iii) setting up the channel to the IStringService to note that a bearer token will be presented in the SOAP security header.

[screenshot: client-side bindings changed to request a bearer token from ACS and present it in the SOAP header]

In the implementation of IStringService, when configuring its host, one also needs to tell the channel to expect a bearer token:

[screenshot: service host configuration expecting a bearer token]
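The client-side binding with the three settings switched off, the change from a symmetric-keyed to a bearer token, and the matching service-host configuration, written out as one added example. This is not the post's own code (which is in the screenshots above) and not the stackoverflow answer's; the ACS namespace "contoso", the WS-Trust username endpoint path, the service URL, the ACS signing-certificate thumbprint and the Echo operation on IStringService are all assumed placeholders.

```csharp
// Added example, not the post's own code. Assumptions: ACS namespace "contoso",
// the service URL, the ACS signing-cert thumbprint, and IStringService.Echo.
using System;
using System.IdentityModel.Tokens;                    // SecurityKeyType.BearerKey
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;                   // X509CertificateValidationMode

[ServiceContract]
public interface IStringService
{
    [OperationContract]
    string Echo(string text);                         // assumed operation
}

public static class BearerTokenBindings
{
    // SAML 2.0 token type URI (what ACS issues to WS-Trust relying parties).
    const string Saml2TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Binding the client uses towards ACS: username/password in the message, TLS on
    // the wire, no secure conversation and no credential negotiation (the "(not)" settings).
    public static WS2007HttpBinding AcsUsernameBinding()
    {
        var b = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.EstablishSecurityContext = false;
        b.Security.Message.NegotiateServiceCredential = false;
        return b;
    }

    // Binding for the relying-party service, used on BOTH sides. BearerKey is the one
    // change from the symmetric-key version: ACS issues no proof key, so the assertion
    // is simply presented in the WS-Security header over HTTPS.
    public static WS2007FederationHttpBinding RelyingPartyBinding(EndpointAddress acsIssuer)
    {
        var b = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        b.Security.Message.IssuedTokenType = Saml2TokenType;
        b.Security.Message.NegotiateServiceCredential = false;
        b.Security.Message.EstablishSecurityContext = false;
        if (acsIssuer != null)                        // client side only: where the token comes from
        {
            b.Security.Message.IssuerAddress = acsIssuer;
            b.Security.Message.IssuerBinding = AcsUsernameBinding();
        }
        return b;
    }
}

public static class Client
{
    public static string CallService(string user, string password, string text)
    {
        var acs = new EndpointAddress(
            "https://contoso.accesscontrol.windows.net/v2/wstrust/13/username"); // assumed namespace
        var factory = new ChannelFactory<IStringService>(
            BearerTokenBindings.RelyingPartyBinding(acs),
            new EndpointAddress("https://localhost:8443/StringService"));        // assumed URL
        // The username/password go to ACS (the issuer), never to the relying party.
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        factory.Credentials.SupportInteractive = false;   // "interactive mode (not)"
        IStringService proxy = factory.CreateChannel();
        try { return proxy.Echo(text); }
        finally { ((IClientChannel)proxy).Close(); factory.Close(); }
    }
}

public static class Host
{
    public static ServiceHost Open(Type implementation)
    {
        var host = new ServiceHost(implementation, new Uri("https://localhost:8443/StringService"));
        host.AddServiceEndpoint(typeof(IStringService), BearerTokenBindings.RelyingPartyBinding(null), "");
        var auth = host.Credentials.IssuedTokenAuthentication;
        // Nothing proves possession of a bearer token, so the service must verify the
        // assertion's signature against the ACS signing certificate it has pinned.
        // Chain validation is off because the ACS cert is self-signed; trust comes from
        // the explicit KnownCertificates entry, not from the machine's root store.
        auth.CertificateValidationMode = X509CertificateValidationMode.None;
        auth.KnownCertificates.Add(LoadAcsSigningCert("0000000000000000000000000000000000000000")); // assumed
        // Audience must match the realm ACS put in the assertion (the endpoint address by default).
        auth.AllowedAudienceUris.Add("https://localhost:8443/StringService");
        host.Open();
        return host;
    }

    static X509Certificate2 LoadAcsSigningCert(string thumbprint)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0) throw new InvalidOperationException("ACS signing certificate not installed");
            return found[0];
        }
        finally { store.Close(); }
    }
}
```

Because encryption was removed at the ACS console, the only thing standing between the assertion and anyone on the path is the HTTPS leg: a bearer assertion is all an attacker needs to call the service until it expires, whereas the symmetric-keyed version at least required the proof key. The service side therefore has to do two checks itself, the signature against the pinned ACS certificate and the audience restriction, and the example sets both explicitly rather than relying on defaults.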

Looking at Fiddler we see the interaction with ACS:

[screenshot: Fiddler capture of the WS-Trust exchange with ACS]

The channel between client and server hardly seems simple, though:

Request:

[screenshot: the client's SOAP request to the service]

Response:

[screenshot: the service's SOAP response]

If we turn off the WS-Security enveloping in the client, we finally get something simple: a pure bearer token over HTTPS:

[screenshots: request and response with WS-Security enveloping turned off, bearer token over HTTPS]

With the WS-Security message-level security model, the service sees what you'd expect:

[screenshot: what the service sees under the WS-Security message-level model]


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in SAML, SSO.