Scenario

In this scenario you are developing distributed multi-tier application with ASP.NET web front end and WCF (SOAP) back end. You need to make sure that original user's identity who interacts with the ASP.NET web application will flow through the physical tiers to the back end WCF (SOAP) service. This requirement may come as a result of the need to perform authorization or logging and auditing at the back end WCF service based on the original caller. For example, if Bob accesses the ASP.NET front end web application then his identity should be used to log activities and perform access checks at the back end WCF service. The process of flowing the identity across physical tiers called delegation.

• Distributed multi-tier application.
• ASP.NET web front end.
• WCF (SOAP) back end.
• Original user's identity who interacts with the ASP.NET front end web application needs to flow through physical tiers to the back end WCF service.

Solution Approach

Delegation is used to solve this scenario. WIF and AD FS provide building blocks for delegation. AD FS servers as an Identity Provider (IP) that accepts credentials and issues tokens, another AD FS is configured as Claims Provider that validates the original token available the message as ActAs and adds necessary claims. The ASP.NET application uses WCF's CreateChannelActingAs to sent the token  to the WCF service which trusts Claims Provider AD FS.

• One AD FS instance serves as Identity Provider (IP).
• Another AD FS instance serves as Claims Provider that, configured for delegation and to trust IP instance of AD FS.
• ASP.NET application uses bootstrap token for ActAs token.
• ASP.NET application uses CreateChannelActionAs when communicating with WCF service.

How To's

• Identity Delegation Scenario

Code Samples

• Identity Delegation sample in WIF SDK

Resources

• Identity Delegation and Security Context Flow Through Physical Tiers
• Frequently Asked Questions (ActAs and OnBehalfOf section)