SDK client issuing signed/proven requests to CRM web services

Using the “simplified connection” feature of the quickstart sample from the SDK:


we get a first decent demo of proof tokens being applied:


Note that the key type (symmetric) is requested implicitly, having already been set via the metadata configuration setup earlier. Note also that no client-side entropy is provided.

This delivers a cleartext (over SSL) proof key to the client (aligned with the encrypted, wrapped version of the same key for use by the CRM service instance), which is duly exploited:


where the signature is symmetric:


With this, we can clearly say (to Ping, should they claim otherwise) that in a couple of hours we got ADFS to help do web services calls between a WCF client (wrapper lib) and CRM, using SAML issued over WS-Trust (v1.3), with proof tokens, AES256 encryption of the assertion, etc.
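The proof-key handling described above, as an added Python example (not code from the SDK or the original post): it reads the symmetric proof key from a WS-Trust 1.3 response and uses it as an HMAC key. It goes beyond the case on this page by also covering the `ComputedKey` form an STS returns when the client does supply entropy. The sample responses are constructed, and HMAC-SHA1 applied directly with the proof key (no derived keys) is an assumption.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3 namespace
NS = {"t": WST}
PSHA1 = WST + "/CK/PSHA1"

def rstr(inner):
    """Build a constructed (not captured) RSTR fragment around `inner`."""
    return (f'<t:RequestSecurityTokenResponse xmlns:t="{WST}">'
            f"<t:KeySize>256</t:KeySize>{inner}</t:RequestSecurityTokenResponse>")

STS_KEY = bytes(range(32))          # constructed sample values, not real keys
STS_ENTROPY = bytes(range(32, 64))
# Case on this page: no client entropy, so the STS returns the whole key.
RSTR_BINARY = rstr("<t:RequestedProofToken><t:BinarySecret>"
                   f"{base64.b64encode(STS_KEY).decode()}"
                   "</t:BinarySecret></t:RequestedProofToken>")
# Generalisation: both sides contribute entropy and the key is computed.
RSTR_COMPUTED = rstr(f"<t:RequestedProofToken><t:ComputedKey>{PSHA1}</t:ComputedKey>"
                     "</t:RequestedProofToken><t:Entropy><t:BinarySecret>"
                     f"{base64.b64encode(STS_ENTROPY).decode()}"
                     "</t:BinarySecret></t:Entropy>")

def p_sha1(secret, seed, length):
    """P_SHA1 from the TLS 1.0 PRF, as referenced by WS-Trust CK/PSHA1."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def proof_key(rstr_xml, client_entropy=None):
    """Return (key_bytes, origin) for the symmetric proof key in an RSTR."""
    root = ET.fromstring(rstr_xml)
    proof = root.find("t:RequestedProofToken", NS)
    if proof is None:
        raise ValueError("no RequestedProofToken")
    secret = proof.find("t:BinarySecret", NS)
    if secret is not None:  # key chosen entirely by the STS
        return base64.b64decode(secret.text.strip()), "sts-generated"
    computed = proof.find("t:ComputedKey", NS)
    if computed is None or computed.text.strip() != PSHA1:
        raise ValueError("unsupported proof token")
    if client_entropy is None:
        raise ValueError("ComputedKey needs the client entropy sent in the RST")
    server = base64.b64decode(root.find("t:Entropy/t:BinarySecret", NS).text.strip())
    size = int(root.find("t:KeySize", NS).text) // 8
    return p_sha1(client_entropy, server, size), "computed"  # key = P_SHA1(Ent_REQ, Ent_RES)

def sign(key, signed_info_c14n):
    """HMAC-SHA1 SignatureValue over already-canonicalised SignedInfo bytes."""
    return base64.b64encode(hmac.new(key, signed_info_c14n, hashlib.sha1).digest()).decode()
```

With the `BinarySecret` form, the key's randomness comes from the STS alone and TLS is the only thing protecting it on the way to the client; with `ComputedKey`, the key itself never crosses the wire.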

The above seems to be a delivery of what others were talking about, as discussed back here. Of course, we were able to deliver the same in our string.svc (avoiding the much more complex, WCF-centric, secure-conversation-centric wsfederation binding).

When we have a look at the policy controlling all this, we see:


So does advanced CRM server config allow changing any of this!?


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.