tags:

views:

307

answers:

1
Q: 

How can I generate a SAML Security Token within the same application that consumes it?

I've been configuring some of my applications to use the Windows Identity Foundation. I use the passive redirection to get security tokens from a Security Token Service. I accomplished this by inserting WIF code into a logon web site that existed before I started using WIF and then using the "Add STS Reference" within the applications.

However, I have one application that does not use the logon web site. I think that what I would like to do is generate the security token within the application itself without redirecting the user to an external STS.

I tried unsuccessfully to accomplish this by using the ClaimsAuthenticationManager class which can be used to add additional claims to a security token received from an external STS. However, ClaimsAuthenticationManager doesn't work in this context. Instead of calling ClaimsAuthenticationManager only a single time per session ( the expected and desired result ), it gets called on every page load with no sign of the claims that I assigned to the user on the previous page load.

I'm looking at creating an external STS that will give the user the claims from a database, but I see this as being a hazard. There seems to be no reason that I must create a whole separate STS for only a single web site. I would like to just generate the security token within my application.

A: 

It is possible to put the Security Token Service class within your own application.

However, in order for the user to be able to access a log-in page in your application before they've obtained the token, you must remove the deny users=? from the Authorization section of web.config. This will allow users to hit your web page with no security token. Once they log in, redirect them to the appropriate page.

This has the disadvantage of not being able to use the convenient passive redirect functionality, but it does work. That means that you must manually redirect users to the log-in page when they try to do something that requires them to be logged in.

Rice Flour Cookies  2010-02-19 20:52:01
Per the FAQ (http://msdn.microsoft.com/en-us/library/ee748487.aspx) the ClaimsAuthenticationManager is per-call regardless of session, so that would explain the behavior you are seeing.Embedding the STS right in your application sort of defeats the purpose of federation. It sounds like all you really needed was an IClaimsPrincipal rather than a regular principal. Assuming that was the case, it may have been easier to just use regular forms authentication and have a custom HttpModule that rehydrates the claims based on the forms auth token.
Travis Illig  2010-08-26 23:11:58

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security