SDK client issuing signed/proven requests to CRM web services

Using the “simplified connection” feature of the quickstart sample from the SDK:


we get a first decent demo of proof tokens being applied:


Note that the key type (symmetric) is requested implicitly, having already been set earlier via the metadata configuration setup. Note also that no client-side entropy is provided.

This delivers a cleartext (over SSL) proof key to the client (aligned with the encrypted, wrapped version of the same key for use by the CRM service instance), which is duly exploited:


where the signature is symmetric:


With this, we can clearly say (to Ping, should they claim otherwise) that we have in a couple of hours got ADFS to help do webservices calls between a WCF Client (wrapper lib) and CRM – using SAML issued over ws-trust (v13), with proof tokens, AES256 encryption of the assertion, etc.
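The proof-key handling described above, as an added Python example that is not code from the SDK or from this post. It goes beyond the no-client-entropy case shown here by also covering the WS-Trust 1.3 computed key (P_SHA1). The HMAC-SHA1 signature method, the function names and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 (RFC 2246), the function behind the WS-Trust CK/PSHA1 computed key."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def resolve_proof_key(client_entropy, sts_secret: bytes, key_bits: int = 256) -> bytes:
    """Key held by the client after the RST/RSTR exchange.

    No client entropy (the case in this post): the STS chooses the key and
    returns it as a binary secret in the proof token, protected only by SSL.
    With client entropy: the key never crosses the wire; both sides compute
    P_SHA1(client entropy, STS entropy).
    """
    if client_entropy is None:
        return sts_secret
    return p_sha1(client_entropy, sts_secret, key_bits // 8)

def sign(proof_key: bytes, signed_info: bytes) -> bytes:
    # Assumption: HMAC-SHA1 as the symmetric signature method.
    return hmac.new(proof_key, signed_info, hashlib.sha1).digest()

def service_accepts(key_from_assertion: bytes, signed_info: bytes, signature: bytes) -> bool:
    """The service unwraps its copy of the key from the assertion and recomputes the MAC."""
    return hmac.compare_digest(sign(key_from_assertion, signed_info), signature)

# Constructed sample values, not taken from any real exchange.
STS_SECRET = bytes(range(32))
CLIENT_ENTROPY = bytes(range(32, 64))
SIGNED_INFO = b"<ds:SignedInfo>constructed canonical bytes</ds:SignedInfo>"

if __name__ == "__main__":
    key = resolve_proof_key(None, STS_SECRET)
    sig = sign(key, SIGNED_INFO)
    print("holder of key accepted:", service_accepts(key, SIGNED_INFO, sig))
    forged = sign(b"\x00" * 32, SIGNED_INFO)  # caller holding the assertion but not the key
    print("caller without key accepted:", service_accepts(key, SIGNED_INFO, forged))
```

A caller who replays the encrypted assertion without the proof key cannot produce a signature the service will accept, which is what separates this from a bearer token.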

The above seems to be a delivery of what others were talking about, as discussed back here. Of course, we were able to deliver the same in our string.svc (avoiding the much more complex WCF-centric, secure-conversation-centric wsfederation binding).

When we have a look at the policy controlling all this, we see:


So does advanced CRM server config allow changing any of this!?


