Exercise 2: Accepting Tokens from an Active Directory Federation Services (ADFS) STSIn this exercise, you will modify the service from the previous exercise for accepting tokens from an existing Active Directory Federation Services (ADFS) STS. You can expect this to be by far the most common scenario in which you will take advantage of an STS: Windows Identity Foundation makes this task very easy, thanks to its integration with Visual Studio and the use of federation metadata. Note that in a real world scenario this task would require two steps:
The current exercise focuses on the first step: the second step is unnecessary in our case. In order to make the lab more agile, we will take advantage of an instance of Active Directory Federation Services (ADFS) that is available through the Internet. Such an instance has been pre-provisioned with the data of the RP being used in this lab; hence, it will start issuing tokens for us as soon as we will request them. For this reason, it is of key importance that the application URI and the certificates will follow exactly what is specified in the lab instructions.
Figure 11
Invoking WeatherStationService with a token obtained from federatedidentity.net Task 1 - Modifying the Service to Accept Tokens Issued by an STS Published via Active Directory Federation Services (ADFS)
Task 2 - Modifying the Client in Order to Secure Calls to the Service via Issued Token
Task 3 - Using Claims for Authorizing the Service Call
Note:
In exercise 1, we used MyClaimsAuthorizationManager, a class in the Windows Identity Foundation SDK sample collection, to impose that only calls containing a certain claim type instance (username in our case) with a certain claim value should be allowed to successfully take place.
However, claims have much more expressive power and can describe much more than the classic username, roles and attributes; claims can be used to achieve things that would have been impossible with traditional approaches. One simple example uses claims to express attributes that have non-string values, such as dates (date of birth, expiration date, etc), numbers (spending limit, weight, etc) or even structured data. This data can be processed using criteria that are more sophisticated than the simple existence check (for example, the user has claims A with value X, or he does not): one example of such a criteria would be imposing that all the users of the web service should be older than 21. We already examined how MyClaimsAuthorizationManager leverages the CheckAccess method for embedding the existence check logic: here we will go one step further and write our own derivation of the ClaimsAuthorizationManager, implementing an engine capable of evaluating the age check described above.
Exercise 2: VerificationIn order to verify that you have correctly performed all steps in the exercise, proceed as follows:
|
DownloadsDownload The Offline Training Kit Contents |