Is identity delegation via WS-Trust/ActAs supported in ACS?

Question

I'm just getting started with claims-based security and have a question related to identity delegation. I've managed to set up a local dummy STS and a couple of WCF services that relies on it for authentication. A web application authenticates the user via the STS and makes a call to Service A on behalf of the user (using ChannelFactory.CreateChannelActingAs). This works fine.

Now I would like to use Azure Access Control Service (ACS) as a federation provider and sign in using a Google account (or whatever) instead, getting rid of the dummy STS altogether. I'm able to authenticate to the web application, but receive a "bad request" response when trying to make the call to the web service.

I realize that a number of things could be the problem, but then it also hit me that I haven't really checked if ACS even supports this ActAs concept of WS-Trust. I've found a forum thread that indicates that ActAs is not supported, but it's about six months old.

Can anyone confirm whether ActAs is supported in ACS? And if not, is there any other clever way of implementing identity delegation that is supported?

Answer 1

No, ActAs is not yet supported in ACS. You would have to use another STS (e.g. your own, ADFS, etc)