hi there:
I wonder what are the best practises in a client app ( winforms/ console/ whatever else) regarding consuming WCF that is Authorized and authenticated using WIF (used to be called geneva).
Also at a service level, is it possible to cache the token so the the trip to the STS is not necesary for every WCF operation? ( more info on this also apreciated) Thanks
You need to send the token each time, just like you would need to send a username and password each time to a web service secured with usernames and passwords. Just because you're using a SAML token doesn't change this.
You can however cache the token on the client side - each token has a valid from and valid to associated with it so, if the web service is not checking for uniqueness of each token via the assertion ID then you could cache on the client. However a well written web service may well be checking the assertion ID to stop relay attacks.
Hi
Using SAML doesnt mean you can get away with passing the token its just that its not a part of signature is a implicit payload and can have common trust been developed between disparate applications in same enterprise. So you actually get away with usage of trust maintenance. As far as caching is conerned you can and try velocity for that.