Question

I would really appreciate some help in understanding how Claims are used in a local desktop app. Here's the scenario: I want to display a tab, e.g., depending on whether the user has a claim like "AnalysisAllowed:true". So I want to fetch the claims at app start and bind against them later.

All samples are talking about how to make WCF use Authorization- and AuthenticationManagers to do claims-based calls to other WCF-Services, but I just want to contact the STS (how do I do that? WCF-Fed Binding?) and then cache the stuff to use it. No other service calls... :)

Thanks a lot!


Solution

In the default configuration (client & STS), the tokens you get will be encrypted (apart from being signed). If you own the whole thing (client and services), then you can tweak some knobs so that the token can be "readable" from the client (hence, not encrypted).

Here you have some code that will give you an unencrypted SAML token from ADFS (the key thing is to ask for a "bearer" token and configure ADFS relying party without an encryption certificate).

// Requires the WIF 3.5 SDK assembly Microsoft.IdentityModel.dll plus System.ServiceModel and System.IdentityModel.
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

private static SecurityToken GetSamlToken(string realm, string stsEndpoint, ClientCredentials clientCredentials)
{
    // Username/password travel inside the message, over HTTPS (TransportWithMessageCredential).
    using (var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(new Uri(stsEndpoint))))
    {
        factory.Credentials.UserName.UserName = clientCredentials.UserName.UserName;
        factory.Credentials.UserName.Password = clientCredentials.UserName.Password;
        // Turns off validation of the STS service certificate (the answer assumes you own the STS).
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        factory.TrustVersion = TrustVersion.WSTrust13;

        WSTrustChannel channel = null;

        try
        {
            // Bearer key type: no proof key, so ADFS can issue the token unencrypted and the client can read it.
            var rst = new RequestSecurityToken
                          {
                              RequestType = WSTrust13Constants.RequestTypes.Issue,
                              AppliesTo = new EndpointAddress(realm),
                              KeyType = KeyTypes.Bearer,
                          };

            channel = (WSTrustChannel)factory.CreateChannel();

            return channel.Issue(rst);
        }
        finally
        {
            if (channel != null)
            {
                channel.Abort();
            }

            factory.Abort();
        }
    }
}

Once you have the token you can use LINQ to XML or WIF to get the ClaimsIdentity out of the SecurityToken. Make sure you are using SSL between the client and the STS and the services.

A second option you have is to rely on the services to return the list of claims. It's one more request, but you will do it at the same time the user logs in and then cache those claims until the token expires.

public IEnumerable<Claim> GetUserClaims() {
    // Thread.CurrentPrincipal is populated by WIF on the service side; IClaimsIdentity (Microsoft.IdentityModel.Claims) exposes its claims
    var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
    return identity != null ? identity.Claims : Enumerable.Empty<Claim>();
}
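The LINQ to XML route mentioned above, worked through as an added example that is not part of the original answer: it reads the attributes of an unencrypted SAML 2.0 bearer assertion (for instance the TokenXml of a GenericXmlSecurityToken returned by channel.Issue) into a claims lookup, keeps them only until the assertion's NotOnOrAfter, and answers the "AnalysisAllowed:true" question the app binds its tab to. The assertion text and the attribute name are constructed sample data.

```csharp
using System;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

public sealed class CachedClaims
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    public DateTime NotOnOrAfterUtc { get; private set; }
    public ILookup<string, string> Claims { get; private set; }

    public static CachedClaims FromAssertion(string assertionXml)
    {
        var root = XDocument.Parse(assertionXml).Root;
        var notOnOrAfter = (string)root.Elements(Saml + "Conditions")
                                       .Attributes("NotOnOrAfter").FirstOrDefault();
        return new CachedClaims
        {
            // No Conditions/NotOnOrAfter: treat the token as already expired instead of caching it forever.
            NotOnOrAfterUtc = notOnOrAfter == null ? DateTime.MinValue
                : XmlConvert.ToDateTime(notOnOrAfter, XmlDateTimeSerializationMode.Utc),
            // One claim per AttributeValue; multi-valued attributes become several entries under one type.
            Claims = root.Descendants(Saml + "Attribute")
                .SelectMany(a => a.Elements(Saml + "AttributeValue"),
                            (a, v) => new { Type = (string)a.Attribute("Name"), Value = v.Value.Trim() })
                .ToLookup(c => c.Type, c => c.Value, StringComparer.OrdinalIgnoreCase)
        };
    }

    // True only while the cached token is still valid, so the UI falls back to re-authenticating after expiry.
    public bool Has(string type, string value, DateTime nowUtc)
    {
        return nowUtc < NotOnOrAfterUtc
            && Claims[type].Any(v => string.Equals(v, value, StringComparison.OrdinalIgnoreCase));
    }
}

public static class Demo
{
    // Constructed sample assertion (signature omitted; validate the STS signature before trusting the claims).
    const string SampleAssertion =
        "<Assertion xmlns='urn:oasis:names:tc:SAML:2.0:assertion' ID='_1' Version='2.0'>" +
        "<Conditions NotOnOrAfter='2030-01-01T00:00:00Z'/><AttributeStatement>" +
        "<Attribute Name='AnalysisAllowed'><AttributeValue>true</AttributeValue></Attribute>" +
        "</AttributeStatement></Assertion>";

    public static void Main()
    {
        var cached = CachedClaims.FromAssertion(SampleAssertion);
        bool showAnalysisTab = cached.Has("AnalysisAllowed", "true", DateTime.UtcNow);
        Console.WriteLine("Show analysis tab: " + showAnalysisTab);
    }
}
```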

OTHER TIPS

I'm not sure what STS you're using, but typically (for instance, using AD FS 2.0), you'll connect to the STS web services using WS-Trust. This is active federation versus passive federation.

Take a look at the Lab 4 here for some samples on how to do this.

Licensed under: CC-BY-SA with attribution