Share via


Identity Flow Through Physical Tiers - ActAs Delegation

Back to [[Windows Azure Active Directory Solutions For Developers]] 

Scenario

In this scenario you are developing distributed multi-tier application with ASP.NET web front end and WCF (SOAP) back end. You need to make sure that original user's identity who interacts with the ASP.NET web application will flow through the physical tiers to the back end WCF (SOAP) service. This requirement may come as a result of the need to perform authorization or logging and auditing at the back end WCF service based on the original caller. For example, if Bob accesses the ASP.NET front end web application then his identity should be used to log activities and perform access checks at the back end WCF service. The process of flowing the identity across physical tiers called delegation.

  • Distributed multi-tier application.
  • ASP.NET web front end.
  • WCF (SOAP) back end.
  • Original user's identity who interacts with the ASP.NET front end web application needs to flow through physical tiers to the back end WCF service.

Solution Approach

Delegation is used to solve this scenario. WIF and AD FS provide building blocks for delegation. AD FS servers as an Identity Provider (IP) that accepts credentials and issues tokens, another AD FS is configured as Claims Provider that validates the original token available the message as ActAs and adds necessary claims. The ASP.NET application uses WCF's CreateChannelActingAs to sent the token  to the WCF service which trusts Claims Provider AD FS.

  • One AD FS instance serves as Identity Provider (IP).
  • Another AD FS instance serves as Claims Provider that, configured for delegation and to trust IP instance of AD FS.
  • ASP.NET application uses bootstrap token for ActAs token.
  • ASP.NET application uses CreateChannelActionAs when communicating with WCF service.

Analysis

ASP.NET application uses bootstrap token for ActAs purposes. To do so it needs to be configured so in the WIF related section of the configuration file, specifically:
<service saveBootstrapTokens="true">
This may introduce security risk as the bootstrap tokens may contain sensitive information that can be used by an attacker if not properly protected.

How To's

Code Samples

  • Identity Delegation sample in WIF SDK

Resources