SDK client issuing signed/proven requests to CRM web services


Using the “simplified connection” feature of the quickstart sample from the SDK:

image

we get a first decent demo of proof tokens being applied:

image

Note that the key type (symmetric) is implicitly requested (it was already set via the metadata configuration setup, earlier). Note also that no client-side entropy is provided.

This delivers a cleartext (over SSL) proof key to the client (aligned with the encrypted, wrapped version of the same key for use by the CRM service instance), which is duly exploited:

image

where the signature is symmetric:

image
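The proof-of-possession step described above, as an added sketch that is not code from the SDK or from this post: the client signs with the key taken from the token response and the service checks it with its own unwrapped copy. HMAC-SHA1, the 256-bit key size, the `SIGNED_INFO` bytes and all function names are assumptions, and the client-entropy branch (the WS-Trust 1.3 PSHA1 computed key) goes beyond the case shown here, where no client entropy is sent.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the canonicalized SignedInfo bytes of one request.
SIGNED_INFO = b'<SignedInfo><Reference URI="#_body"/><Reference URI="#_ts"/></SignedInfo>'


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion (RFC 2246), as used by the WS-Trust PSHA1 computed key."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def resolve_proof_key(sts_secret: bytes, client_entropy: Optional[bytes] = None,
                      bits: int = 256) -> bytes:
    """Key the client holds once the token response has arrived.

    No client entropy (the case on this page): the secret sent by the STS is
    the proof key itself. With client entropy, both sides derive
    P_SHA1(client_entropy, sts_entropy) and the key never crosses the wire.
    """
    if client_entropy is None:
        return sts_secret
    return p_sha1(client_entropy, sts_secret, bits // 8)


def sign(proof_key: bytes, signed_info: bytes) -> bytes:
    """Symmetric signature value: HMAC-SHA1 over the signed bytes (assumed algorithm)."""
    return hmac.new(proof_key, signed_info, hashlib.sha1).digest()


def service_accepts(service_key: bytes, signed_info: bytes, signature: bytes) -> bool:
    """Service side: recompute with the key unwrapped from the assertion."""
    return hmac.compare_digest(sign(service_key, signed_info), signature)


if __name__ == "__main__":
    sts_secret = os.urandom(32)                 # constructed sample key material
    client_key = resolve_proof_key(sts_secret)  # cleartext copy, protected only by TLS
    sig = sign(client_key, SIGNED_INFO)
    print("holder of key accepted:", service_accepts(sts_secret, SIGNED_INFO, sig))
    print("assertion without key accepted:",
          service_accepts(sts_secret, SIGNED_INFO, sign(os.urandom(32), SIGNED_INFO)))
```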

With this, we can clearly say (to Ping, should they claim otherwise) that we have in a couple of hours got ADFS to help do web service calls between a WCF client (wrapper lib) and CRM, using SAML issued over WS-Trust (v13), with proof tokens, AES256 encryption of the assertion, etc.

The above seems to be a delivery of what others were talking about, as discussed back here. Of course, we were able to deliver the same in our string.svc (avoiding the much more complex WCF-centric, secure-conversation-centric wsfederation binding).

When we have a look at the policy controlling all this, we see:

image

So does advanced CRM server config allow changing any of this!?

About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!