multitenant custom active STS endpoint (that works with Office365) – stub username token validator


As we stated in an earlier post, we have inserted a behavior into our WCF pipeline for our WS-Trust STS service that allows our code to determine which STS tenant Office 365 is addressing. The point is that the usual WIF/WCF way of handling UsernameTokens doesn't work for multi-tenant designs: the single configured password validator runs while the inbound message is being processed, before the STS knows which tenant's credential store applies. So we turn the required handler for processing the inbound supporting tokens into a stub, as shown below. It simply places the token into the bootstrap token, so that it can be processed easily by code such as the GetScope callback method (which has access to both the behavior extension's value, parsed as the request is handled, and the principal bearing the bootstrap token we placed there):

```csharp
using System;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

public class CustomUserNamePasswordValidatorSecurityTokenHandler : UserNameSecurityTokenHandler
{
    // Tell WIF this handler accepts UsernameTokens; otherwise the default
    // handler refuses unless a UserNamePasswordValidator is configured.
    public override bool CanValidateToken
    {
        get { return true; }
    }

    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        if (token == null)
        {
            throw new ArgumentNullException("token");
        }
        UserNameSecurityToken UNtoken = token as UserNameSecurityToken;
        if (UNtoken == null)
        {
            throw new SecurityTokenException("Invalid token: not a UsernameToken");
        }

        // Deliberately no password check here: the raw token is parked in
        // BootstrapToken so GetScope can validate it against the right tenant.
        // The identity is returned directly; copying it into a second
        // ClaimsIdentity is unnecessary.
        var ci = new ClaimsIdentity();
        ci.BootstrapToken = token;
        return new ClaimsIdentityCollection(new IClaimsIdentity[] { ci });
    }
}
```
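The consuming side of that stub, as an added example rather than code from the original post: a GetScope override that pulls the UsernameToken back out of BootstrapToken, picks the tenant from the value the behavior parsed, and only then checks the password and signs with that tenant's certificate. The ITenantStore interface and the "Sts.TenantId" message-property key are assumptions about how the earlier post's behavior hands the tenant over.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical per-tenant store (an assumption, not part of the original post).
public interface ITenantStore
{
    X509Certificate2 SigningCertificate(string tenantId);
    bool CheckCredentials(string tenantId, string userName, string password);
}

public class MultiTenantSts : SecurityTokenService
{
    // Assumed location of the tenant value the behavior parsed; the real key
    // depends on how that behavior was written.
    private const string TenantPropertyKey = "Sts.TenantId";
    private readonly ITenantStore _tenants;

    public MultiTenantSts(SecurityTokenServiceConfiguration config, ITenantStore tenants)
        : base(config) { _tenants = tenants; }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // 1. The stub handler parked the raw UsernameToken in BootstrapToken.
        var identity = principal.Identity as IClaimsIdentity;
        var unToken = identity == null ? null : identity.BootstrapToken as UserNameSecurityToken;
        if (unToken == null)
            throw new InvalidRequestException("No UsernameToken was presented.");

        // 2. Tenant id placed in the message properties by the behavior (assumed).
        object tenantObj;
        if (!OperationContext.Current.IncomingMessageProperties.TryGetValue(TenantPropertyKey, out tenantObj))
            throw new InvalidRequestException("Tenant could not be determined.");
        string tenantId = (string)tenantObj;

        // 3. The deferred password check, now against the correct tenant's store.
        if (!_tenants.CheckCredentials(tenantId, unToken.UserName, unToken.Password))
            throw new FailedAuthenticationException("Bad user name or password.");

        // 4. Sign with that tenant's certificate so the relying party sees the issuer it expects.
        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                              new X509SigningCredentials(_tenants.SigningCertificate(tenantId)));
        scope.TokenEncryptionRequired = false;
        scope.ReplyToAddress = scope.AppliesToAddress;
        return scope;
    }
}
```

Because the stub accepts every UsernameToken, a request that never reaches GetScope is never authenticated, so no other operation on the endpoint may trust the principal the stub produces.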

About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in coding theory.