Requesting Delegation (ActAs) Tokens using WSTrustChannel (as opposed to Configuration Madness)
Delegation using the ActAs approach has some interesting security features:
- A security token service can make authorization and validation checks before issuing the ActAs token.
- Combined with proof keys you get non-repudiation features.
- The ultimate receiver sees the original caller as direct caller and can optionally traverse the delegation chain.
- Encryption and audience restriction can be tied down.
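The first and last points above are enforced on the STS side. The following is an added example, not code from the post, showing what those checks can look like in a WIF 1.0 SecurityTokenService subclass: the STS refuses ActAs requests from anyone but a known middle tier, restricts the audience (AppliesTo) per requester, encrypts the issued token for that relying party, and appends the requester to the delegation chain via Actor. DelegationSts, the DelegationPolicy table and LookupRelyingPartyCertificate are hypothetical; the addresses in the policy are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical STS that only issues ActAs tokens to known middle tiers, for known relying parties.
public class DelegationSts : SecurityTokenService
{
    // Constructed sample policy: which requesters may delegate, and to which audiences.
    private static readonly Dictionary<string, string[]> DelegationPolicy =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "middletier", new[] { "https://backend.example.com/service/" } }
        };

    public DelegationSts(SecurityTokenServiceConfiguration config) : base(config) { }

    // Hypothetical lookup of the relying party's encryption certificate (e.g. from a store keyed by audience).
    private static X509Certificate2 LookupRelyingPartyCertificate(string audience)
    {
        throw new NotImplementedException("replace with the relying party certificate lookup for " + audience);
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null)
            throw new InvalidRequestException("AppliesTo is required.");

        string audience = request.AppliesTo.Uri.AbsoluteUri;
        var scope = new Scope(audience, SecurityTokenServiceConfiguration.SigningCredentials);

        // Tie the token down to this relying party: only its private key can decrypt it.
        scope.EncryptingCredentials = new X509EncryptingCredentials(LookupRelyingPartyCertificate(audience));
        scope.ReplyToAddress = audience;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var requester = (IClaimsIdentity)principal.Identity;

        // No ActAs element: ordinary issuance, the requester itself is the subject.
        if (request.ActAs == null)
            return requester.Copy();

        // Authorization check: only listed requesters may delegate, and only to listed audiences.
        string[] allowedAudiences;
        if (!DelegationPolicy.TryGetValue(requester.Name, out allowedAudiences)
            || Array.IndexOf(allowedAudiences, scope.AppliesToAddress) < 0)
        {
            throw new InvalidRequestException(
                "Requester is not permitted to act as another party for this audience.");
        }

        // GetSubject() validates the ActAs token with the STS's configured token handlers
        // and returns the identities it carries; the original caller becomes the subject.
        IClaimsIdentity original = request.ActAs.GetSubject()[0].Copy();

        // Append the requester at the end of the delegation chain so the
        // receiver can walk it (subject -> Actor -> Actor ...).
        IClaimsIdentity last = original;
        while (last.Actor != null)
            last = last.Actor;
        last.Actor = requester.Copy();

        return original;
    }
}
```

The audience check uses scope.AppliesToAddress rather than re-reading the request so that the value the token is actually issued for is the one that was authorized.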
Most samples out there (including the SDK sample) use the CreateChannelActingAs extension
method from WIF to request ActAs tokens. This method builds on top of the WCF binding
configuration which may not always be suitable for your situation.
You can also use the WSTrustChannel to request ActAs tokens. This allows
direct and programmatic control over bindings and configuration and is my preferred
approach.
The method below requests an ActAs token based on a bootstrap token. The returned
token can then be used directly with the CreateChannelWithIssuedToken extension
method.
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;

// _stsAddress and _serviceAddress are fields of the enclosing class holding the
// STS endpoint URL and the target service URL.
private SecurityToken GetActAsToken(SecurityToken bootstrapToken)
{
    // Authenticate the middle tier to the STS with a user name credential over HTTPS.
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(_stsAddress));
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.UserName.UserName = "middletier";
    factory.Credentials.UserName.Password = "abc!123";

    // Request a symmetric-key token scoped to the target service, carrying
    // the original caller's token in the ActAs element.
    var rst = new RequestSecurityToken
    {
        AppliesTo = new EndpointAddress(_serviceAddress),
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Symmetric,
        ActAs = new SecurityTokenElement(bootstrapToken)
    };

    var channel = factory.CreateChannel();
    var delegationToken = channel.Issue(rst);
    return delegationToken;
}
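As an added example (not code from the post), here is how the method above fits into a middle-tier service in WIF 1.0: the caller's bootstrap token is taken from the current claims identity, exchanged for the ActAs token, and the result is handed to CreateChannelWithIssuedToken on a WIF-configured channel factory. A helper for the back end then walks the Actor chain the STS built. IBackend, its DoWork operation and the "backend" endpoint name are hypothetical; GetActAsToken is the method from the post.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Text;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;

// Hypothetical back-end contract.
[ServiceContract]
public interface IBackend
{
    [OperationContract]
    string DoWork(string input);
}

// Middle-tier operation that forwards the call to the back end on behalf of the original caller.
public string ForwardToBackend(string input)
{
    // WIF keeps the caller's incoming token on the identity only when
    // saveBootstrapTokens="true" is set in the microsoft.identityModel configuration.
    var identity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
    SecurityToken bootstrapToken = identity.BootstrapToken;
    if (bootstrapToken == null)
        throw new InvalidOperationException("No bootstrap token available; enable saveBootstrapTokens.");

    // Exchange the caller's token for an ActAs token scoped to the back end (method from the post).
    SecurityToken actAsToken = GetActAsToken(bootstrapToken);

    // "backend" is an assumed endpoint name using an issued-token (federation) binding.
    var factory = new ChannelFactory<IBackend>("backend");
    factory.ConfigureChannelFactory(); // WIF extension: required before CreateChannelWithIssuedToken
    IBackend proxy = factory.CreateChannelWithIssuedToken(actAsToken);
    var proxyObject = (ICommunicationObject)proxy;
    try
    {
        string result = proxy.DoWork(input);
        proxyObject.Close();
        factory.Close();
        return result;
    }
    catch
    {
        proxyObject.Abort();
        factory.Abort();
        throw;
    }
}

// Back-end side: render the delegation chain, original caller first, then each actor in turn.
public static string DescribeDelegationChain(IClaimsIdentity identity)
{
    var sb = new StringBuilder(identity.Name);
    for (IClaimsIdentity actor = identity.Actor; actor != null; actor = actor.Actor)
        sb.Append(" <- acted on by ").Append(actor.Name);
    return sb.ToString();
}
```

On the back end, the subject of the incoming identity is the original caller, so existing authorization logic keeps working; a service that should only accept delegated calls from a specific middle tier can additionally require identity.Actor to be non-null and check its name before doing any work.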
HTH