Back to Windows Azure Active Directory Solutions er fiji-content-fragment-inner">
<service saveBootstrapTokens="true">
This may introduce security risk as the bootstrap tokens may contain sensitive information that can be used by an attacker if not properly protected.
Identity Flow Through Physical Tiers - ActAs Delegation
Scenario
In this scenario you are developing distributed multi-tier application with ASP.NET web front end and WCF (SOAP) back end. You need to make sure that original user's identity who interacts with the ASP.NET web application will flow through the physical tiers to the back end WCF (SOAP) service. This requirement may come as a result of the need to perform authorization or logging and auditing at the back end WCF service based on the original caller. For example, if Bob accesses the ASP.NET front end web application then his identity should be used to log activities and perform access checks at the back end WCF service. The process of flowing the identity across physical tiers called delegation.- Distributed multi-tier application.
- ASP.NET web front end.
- WCF (SOAP) back end.
- Original user's identity who interacts with the ASP.NET front end web application needs to flow through physical tiers to the back end WCF service.
Solution Approach
Delegation is used to solve this scenario. WIF and AD FS provide building blocks for delegation. AD FS servers as an Identity Provider (IP) that accepts credentials and issues tokens, another AD FS is configured as Claims Provider that validates the original token available the message as ActAs and adds necessary claims. The ASP.NET application uses WCF's CreateChannelActingAs to sent the token to the WCF service which trusts Claims Provider AD FS.- One AD FS instance serves as Identity Provider (IP).
- Another AD FS instance serves as Claims Provider that, configured for delegation and to trust IP instance of AD FS.
- ASP.NET application uses bootstrap token for ActAs token.
- ASP.NET application uses CreateChannelActionAs when communicating with WCF service.
Analysis
ASP.NET application uses bootstrap token for ActAs purposes. To do so it needs to be configured so in the WIF related section of the configuration file, specifically:<service saveBootstrapTokens="true">
This may introduce security risk as the bootstrap tokens may contain sensitive information that can be used by an attacker if not properly protected.
How To's
Code Samples
- Identity Delegation sample in WIF SDK
Resources
- Identity Delegation and Security Context Flow Through Physical Tiers
- Frequently Asked Questions (ActAs and OnBehalfOf section)