STS, SAML, and AppliesTo (design)
I have somehow managed to get an STS up and running. I now think WCF should have been called WTF. In any case it took me almost a full day and i still don't get all of it - but anyway i managed to have it such that when my webservice is requested and it specifies through wsFederationBinding that it is IssuedTokens and that my STS is contacted passing in UserName and Password (which at STS side is custom validated so it is not windows). The token type is SAML 1.1.
Anyway, this all works a treat (though is not like any sample i've come across except it is a bastardised form of all of them and then some) , my STS gets the WCF created magic token that represents i guess the UsernamePassword thing thats going on, and in return i bang out some extra claims on top of that by way of return. It is this token by way of return which then makes its way into my webservice wherein i can inspect my claims from my very own trusted STS.
Great stuff, it all works - somehow! :-)
Ok - but here is the niggle. There is this AppliesTo property which knows the url of the webservice being requested such that i guess this token "AppliesTo" only my webservice. Now that is pants. I wanted my token so that i could use it across my sites that trust the STS. It doesn't apply to just this service - this token applies to any of my services.
I imagine (though haven't yet checked) i can cache this same token on the client and use it in other calls to other services of mine which also trust the same STS, in fact - this is precisely what i intend to do, but still the niggle is that if this is a normal use case why on earth is my AppliesTo (if cached) listing the service which it was initially created in response to. It just doesn't seem right - it's uncalled for - and it's not nice. :-)
Surely there is some more repsentational form of the AppliesTo (and also if there is how do i hook into this as it seems this came across from some auto code in the client proxy) that is more proper. Something like AppliesTo="*". That more befits a proper token - after all - the token applies to anyone who can read it and its claims - which would be mighty hard to do if you didn't have the certificate.
I can imagine that knowing the AppliesTo might indicate the claims i might wish to make from my STS which are relevant to the service being called in some scenarios, so fair enough on that one, but how do i reply with a token that says this token Applies to everyone so deal with it service(s).
Anyone understand what the hell i am on about here?
Cheers
B
P.S WCF?, SAML?, STS? I've sh1t em!
