<p>I've got situation one working fine. In my case AD FS is the Identity Service and a custom STS the Resource STS.</p>
<p>All web apps use the same Resource STS, but after a user visits another application the identity-related claims are not added again by the AD FS since the user is already authenticated. How can I force or request the basic claims from the AD FS again?</p>
<p>I've created a call to the AD FS with ActAs, now it returns my identification claims. Remember to enable a Delegation allowed rule for the credentials used to call the AD FS.</p>
<pre><code>using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public static class AdfsDelegation
{
    public static ClaimCollection GetIdentityClaimsViaActAs()
    {
        string stsEndpoint = "https://&lt;ADFS&gt;/adfs/services/trust/2005/usernamemixed";
        var trustChannelFactory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            stsEndpoint);
        trustChannelFactory.Credentials.UserName.UserName = @"DELEGATE";
        trustChannelFactory.Credentials.UserName.Password = @"PASSWORD";
        trustChannelFactory.TrustVersion = TrustVersion.WSTrustFeb2005;

        //// Prepare the RST.
        //var trustChannelFactory = new WSTrustChannelFactory(tokenParameters.IssuerBinding, tokenParameters.IssuerAddress);
        var trustChannel = (WSTrustChannel)trustChannelFactory.CreateChannel();

        var rst = new RequestSecurityToken(RequestTypes.Issue);
        rst.AppliesTo = new EndpointAddress(@"https://&lt;RPADDRESS&gt;");

        // If you're doing delegation, set the ActAs value.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        var bootstrapToken = principal.Identities[0].BootstrapToken;
        // The bootstrap token is the token received from the AD FS after successful
        // authentication; it can be reused to call the AD FS with the user's credentials.
        if (bootstrapToken == null)
        {
            throw new Exception("Bootstraptoken is empty, make sure SaveBootstrapTokens = true at the RP");
        }
        rst.ActAs = new SecurityTokenElement(bootstrapToken);

        // Beware, this mode makes sure that there is no certificate needed for the RP -&gt; AD FS communication
        rst.KeyType = KeyTypes.Bearer;

        // Disable the need for AD FS to encrypt the data to the R-STS. This setting lives on the
        // Scope object built by the Resource STS (in its GetScope override), not on this client:
        // scope.SymmetricKeyEncryptionRequired = false;

        // Here's where you can look up claims requirements dynamically.
        rst.Claims.Add(new RequestClaim(ClaimTypes.Name));
        rst.Claims.Add(new RequestClaim(ClaimTypes.PrimarySid));

        // Get the token and attach it to the channel before making a request.
        RequestSecurityTokenResponse rstr = null;
        var issuedToken = trustChannel.Issue(rst, out rstr);
        return GetClaimsFromToken((GenericXmlSecurityToken)issuedToken);
    }

    private static ClaimCollection GetClaimsFromToken(GenericXmlSecurityToken genericToken)
    {
        // Parse and validate the issued token with the handlers configured for this RP.
        var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
        var token = handlers.ReadToken(new XmlTextReader(new StringReader(genericToken.TokenXml.OuterXml)));
        return handlers.ValidateToken(token).First().Claims;
    }
}
</code></pre>
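The answer above shows the client side of the ActAs call; as an added example that is not the poster's code, here is the matching Resource STS side for the same WIF 3.5 (Microsoft.IdentityModel) stack: where `SymmetricKeyEncryptionRequired = false` is actually set (on the `Scope` the STS returns, which pairs with the client's `KeyTypes.Bearer`), an allow-list check on `AppliesTo` so the STS only issues tokens for registered relying parties, and an output identity built from the delegated (ActAs) subject with the calling service account recorded in `Actor` so the delegation chain stays visible to the RP and its logs. The class name `ResourceSts`, the `AllowedRelyingParties` set and the use of `SecurityTokenElement.GetIdentities()` to validate the ActAs token are assumptions; the `https://<RPADDRESS>/` entry is the answer's placeholder.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical custom Resource STS (illustration, not the poster's STS).
public class ResourceSts : SecurityTokenService
{
    // Constructed allow-list: only these relying parties may receive tokens from this STS.
    private static readonly HashSet<string> AllowedRelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://<RPADDRESS>/",   // placeholder taken from the answer; replace with the real RP address
        };

    public ResourceSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required");

        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
        if (!AllowedRelyingParties.Contains(appliesTo))
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);

        var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = appliesTo;

        // Bearer tokens carry no proof key, so there is nothing to wrap with the RP's
        // public key; this is the STS-side counterpart of rst.KeyType = KeyTypes.Bearer.
        scope.SymmetricKeyEncryptionRequired = false;

        // Assumption for this example: the RP has no encryption certificate, so the token
        // itself is signed but not encrypted. Keep this true whenever the RP has one.
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Direct caller of the STS: the DELEGATE service account in the answer's code.
        var caller = (IClaimsIdentity)principal.Identity;

        // Subject of the issued token: the ActAs identity when delegation is used, else the caller.
        IClaimsIdentity subject = caller;
        if (request.ActAs != null)
        {
            // Assumption: GetIdentities() validates the ActAs token with the configured
            // token handlers and returns the identities it carries.
            var delegated = request.ActAs.GetIdentities();
            if (delegated == null || delegated.Count == 0)
                throw new InvalidRequestException("ActAs token carried no identity");
            subject = delegated[0];
        }

        // Copy only the claim types the RST asked for (Name when nothing was requested),
        // so a delegated call cannot harvest more of the user's claims than it needs.
        var wanted = new HashSet<string>(StringComparer.Ordinal);
        foreach (RequestClaim rc in request.Claims)
            wanted.Add(rc.ClaimType);
        if (wanted.Count == 0)
            wanted.Add(ClaimTypes.Name);

        var output = new ClaimsIdentity();
        foreach (Claim c in subject.Claims)
        {
            if (wanted.Contains(c.ClaimType))
                output.Claims.Add(new Claim(c.ClaimType, c.Value, c.ValueType));
        }

        // Record who performed the delegated call; the RP can inspect identity.Actor
        // (and log it) to see that the service account acted on the user's behalf.
        if (request.ActAs != null)
            output.Actor = caller;

        return output;
    }
}
```

The allow-list in `GetScope` is the check to keep: without it, any authenticated caller that knows the STS endpoint can request a token scoped to an arbitrary `AppliesTo`. The `Actor` assignment costs nothing and gives the RP a way to distinguish a token issued for a direct login from one issued through delegation.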
 
