Question

I'm trying to implement claims delegation from a web layer to a WCF layer.

This is working great using an ActAs Token obtained from the ClaimsIdentity BootstrapContext.

All of the claims which are received at the web layer from ACS are correctly passed through to the WCF layer.

This is set up similarly to what is documented here:

http://msdn.microsoft.com/en-us/library/ee517269.aspx (but I believe this specific example is related to WIF 4.)

However, I also need to enrich the claims which are received to add our own internal claims. I do this using the ClaimsAuthenticationManager.

This is achieved similarly to what is documented here: http://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthenticationmanager.aspx

This works fine, and the additional claims which are added are then available within the ClaimsIdentity everywhere within the web application.

However, these are not passed through in the ActAs token obtained from the ClaimsIdentity.BootstrapContext.

I understand the reason for this is that the BootstrapContext contains the original claims which were received, and therefore doesn't contain the additional internal claims I have added.

I need some way to also pass these internally added claims to the WCF layer within the ActAs token.

Is there a way of getting the BootstrapContext to also contain the claims which I am adding, or is there a way of generating a SecurityToken from the current ClaimsIdentity/Principal which I can use as the ActAs token (as this would then contain the additional claims)?


Solution

You'd do the same technique in the WCF layer -- use a ClaimsAuthenticationManager to transform the claims.
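One way to apply that advice on the service side, as an added example that is not code from the question, the answer or Microsoft's documentation; the class name, the internal issuer URI and the role lookup are assumptions. Because the ActAs token carries only the claims ACS originally issued, the internal claims are re-derived here from data the WCF service trusts instead of being accepted from the caller:

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Registered in the WCF service's web.config under
// <system.identityModel><identityConfiguration>
//   <claimsAuthenticationManager type="Example.InternalClaimsAuthenticationManager, Example"/>
// so it runs for every incoming (including ActAs-delegated) call.
public class InternalClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical issuer name for claims minted by this service (assumption).
    private const string InternalIssuer = "urn:example:internal";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Unauthenticated callers get no enrichment.
            return incomingPrincipal;
        }

        // Only this service may assert internal-issuer claims: drop any that arrived
        // with the token so a caller cannot smuggle them in.
        foreach (var stale in identity.FindAll(c => c.Issuer == InternalIssuer).ToList())
        {
            identity.RemoveClaim(stale);
        }

        // Enrich from the service's own trusted store, keyed on the ACS-issued subject.
        var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId != null)
        {
            foreach (var role in LookupInternalRoles(nameId.Value))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, InternalIssuer));
            }
        }
        return incomingPrincipal;
    }

    // Hypothetical lookup (assumption); a real implementation would query a
    // database or directory that the service, not the caller, controls.
    private static string[] LookupInternalRoles(string nameIdentifier)
    {
        return nameIdentifier == "user@example.com" ? new[] { "InternalUser" } : new string[0];
    }
}
```

The same class can back the web layer's ClaimsAuthenticationManager, so both tiers derive the internal claims from one source rather than trusting what the ActAs token happens to carry.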

Licensed under: CC-BY-SA with attribution