STS Sample "Federated Security" on wcf.netfx3.com
Hi,
I've got this Federated Security sample running (http://wcf.netfx3.com/files/folders/authorization/entry1954.aspx) and I would like to make an additional client application.
This second client is a copy of the "Client" application included in the sample; however, this copy will be running in-house "at Woodgrove" rather than "at Fabrikam". This copy needs to work when the Fabrikam STS is unreachable (not running).
When I use SvcUtil, I get a config file that is for running a client from Fabrikam and I'm not sure how to generate (or change) the file to get the "at woodgrove" behavior.
This seems to be a good sample for federation and STS.
After getting the bindings correct, my "Woodgrove client" would give "Access denied" exceptions.
A little digging showed that the AuthorizationPolicy.cs in the FabrikamSTS was adding the Role claims that allowed access to the "Resources". The Woodgrove STS was picking up and passing along the roles. I changed the AuthorizationPolicy.cs in Woodgrove to add the roles that would allow access.
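The mechanism described above (an STS-side authorization policy that attaches role claims the Relying Party later checks) as an added illustration, not the sample's own AuthorizationPolicy.cs. The user-to-role table and the role claim type URI are constructed placeholders; the sample's actual claim type is not shown in this thread.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;

// Hypothetical policy: looks up the authenticated user's Name claim and adds
// role claims for it. Whatever roles are issued here are what the RP's
// access checks on the "Resources" will see.
public class WoodgroveRolePolicy : IAuthorizationPolicy
{
    // Placeholder claim type URI; the sample's real role claim type is not on the page.
    public const string RoleClaimType = "http://schemas.example.com/claims/role";

    // Constructed mapping; a real STS would consult a directory or database.
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"WOODGROVE\alice", new[] { "Manager", "Employee" } },
            { @"WOODGROVE\bob",   new[] { "Employee" } },
        };

    private readonly string id = Guid.NewGuid().ToString();

    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // Walk the claim sets already established by the transport-level
        // authentication (e.g. Windows auth) looking for a Name claim.
        foreach (ClaimSet cs in evaluationContext.ClaimSets)
        {
            foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            {
                string user = c.Resource as string;
                string[] roles;
                if (user == null || !RolesByUser.TryGetValue(user, out roles))
                    continue; // unknown user: add nothing, so the RP denies access

                var roleClaims = new List<Claim>();
                foreach (string role in roles)
                    roleClaims.Add(new Claim(RoleClaimType, role, Rights.PossessProperty));

                evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, roleClaims));
            }
        }
        return true; // evaluation complete; no need to run again
    }
}
```

The policy is registered on the STS through the service's authorization behaviour (externalAuthorizationPolicies or ServiceAuthorizationBehavior), so the roles travel in the issued token rather than being trusted from the client.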
Hi Andrew. Can I ask how you want to login with your Fabrikam card when the Fabrikam STS is unreachable? In order to submit a managed identity token to a Relying Party (RP), the managed IP's STS must be accessible.
Could you provide a brief description of the scenario you're trying to build out?
The scenario was to have an additional client application that ran at Woodgrove and used the service provided by Woodgrove.
This Woodgrove client should not need to contact the Fabrikam STS in order to access something at Woodgrove, should it?
"This Woodgrove client should not need to contact the Fabrikam STS in order to access something at Woodgrove, should it?"
Not necessarily.
Windows Integrated Authentication probably provides a better solution here since you're inside the corporate firewall, using a corporate machine which can be protected with IPSec etc., and for which a user doesn't necessarily need to provide additional credentials once they've logged into the machine.
If, however, your security is lax and users share a logged-in machine, then you need to differentiate between users and force users to identify themselves each time they access the systems. In which case, CardSpace, along with a managed card backed with an X509 cert carried on the employee's smartcard, could be a great solution.