I have:
- A passive STS "login application" that is also an identity provider.
- An active STS WCF service that can accept and handle ActAs tokens
- A web site relying party
- A WCF service relying party that is called by the web site.
All of this is put together using Windows Identity Foundation and custom STS code. Active Directory (ADFS) is not involved.
What I have working now is:
- User attempts to visit web site RP.
- User gets redirected to passive STS.
- User logs in, gets a token issued, gets redirected back to the web site RP.
- Web site RP makes a service call to the WCF RP and passes an ActAs token so delegation happens.
- Active STS sees the ActAs token come in and properly sets up the output identity so the primary identity is the ActAs token and the caller's identity is added to the Actor chain.
- WCF RP gets the proper token with everything in place, current thread principal has the right identity and claims as should be.
I want the WCF RP to request additional claims from the active STS.
That is, in the RST that goes to the active STS, I want it to include the list of claims that the service requires so those additional claims can be fetched if they're not already present.
I have figured out how to do this by modifying the binding on the web site RP client, but I want the requirements to be specified on the WCF RP service end.
I have a feeling it has something to do with the binding I'm using. I had trouble getting ws2007FederationHttpBinding working with ActAs tokens and all of the examples in the WIF Identity Training Kit used customBinding, so I did that, too, and it finally worked. Here is the config snippet from the WCF RP showing my binding configuration:
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="CustomBinding_FederatedService">
        <security
            authenticationMode="IssuedTokenForCertificate"
            messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
          <issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <issuer address="http://localhost:38901/ActiveSts.svc/IWSTrust13" />
            <issuerMetadata address="http://localhost:38901/ActiveSts.svc/mex" />
          </issuedTokenParameters>
        </security>
        <textMessageEncoding>
          <readerQuotas maxArrayLength="32767" />
        </textMessageEncoding>
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
</system.serviceModel>
If I change the config on the calling web site to indicate claimTypeRequirements in the issuedTokenParameters section, the Active STS actually does see the list of required claims in the RST... but that's on the calling web site, which is problematic for me.
How do I make it so the WCF RP can specify additional claims it requires without having to duplicate that configuration on the calling web site?
If it is, indeed, a binding issue, it would help if you can show me the equivalent configuration given what I've got above. I can update the web site and the WCF service with the appropriate changes, but again, I need the service (or a behavior on the service, or configuration on the service) to control the list of claims it needs. The service should not accept requests that are missing required claims.
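For reference, here is what the service-side placement of claim requirements looks like. This is an added illustration, not the asker's configuration: it takes the binding above and adds a claimTypeRequirements element to the WCF RP's own issuedTokenParameters, on the assumption that the client builds its binding from the service's published metadata (so the requirements end up in the RST) rather than from a hand-written copy. The second claim type URI is a placeholder.

```xml
<!-- Added example (not the asker's config): the WCF RP's service-side binding
     declaring the claims it requires. The department claim URI is a placeholder. -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="CustomBinding_FederatedService">
        <security
            authenticationMode="IssuedTokenForCertificate"
            messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
          <issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <issuer address="http://localhost:38901/ActiveSts.svc/IWSTrust13" />
            <issuerMetadata address="http://localhost:38901/ActiveSts.svc/mex" />
            <!-- Claims this service needs; isOptional="false" marks each one as
                 mandatory in the claim list the client puts into the RST. -->
            <claimTypeRequirements>
              <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                   isOptional="false" />
              <!-- placeholder claim type, assumed for the example -->
              <add claimType="http://example.com/claims/department"
                   isOptional="false" />
            </claimTypeRequirements>
          </issuedTokenParameters>
        </security>
        <textMessageEncoding>
          <readerQuotas maxArrayLength="32767" />
        </textMessageEncoding>
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
</system.serviceModel>
```

Declaring the requirements on the binding only advertises them to the caller and the STS; the service still has to check the incoming principal for the mandatory claims (for example in a ClaimsAuthorizationManager) and refuse the call when they are absent, otherwise a token issued without them would still be accepted.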