SAML 2.0 tokens and WIF – bridging the divide

Background We all know the following limitations about Windows Identity Foundation (WIF) and passive (browser) federation protocols, right? WIF does not support SAML2.0 protocol (SAML2P) There is a WIF extension out there to support SAML2P but it is a technology preview WIF does support SAML2.0 (SAML2) tokens WS-Federation conveys SAML1.1 tokens Therefore, unless you use…

5

Access to an ASP.NET website via multiple authentications

Background Is it possible to secure a website using Windows Identity Foundation (WIF) without interfering with an existing authentication method? e.g. – Could a website secured using an ASP.NET membership provider, with all the code and configuration that entails, be layered with additional code and configuration to allow a precursory authentication with a trusted Identity…

2

Claims to Windows Token Service keeps entering disabled state

On a recent project I was tasked with securing an ASP.NET MVC site using ADFS. There was also a requirement to flow the end-user identity down through the various tiers, necessitating the use of Kerberos Constrained Delegation (KCD). In order to achieve KCD, the SAML assertion returned from ADFS must first be converted to a…

2

Handling optional claims with the ADFS Claims Rule Language

It is a perfectly normal scenario for claims to be optional in a token. For example, a SAML assertion may contain the mandatory claims: http://www.contoso.com/claims/givenname http://www.contoso.com/claims/surname and optionally the claim: http://www.contoso.com/claims/dateofbirth The ADFS Claims Rule Language is designed to allow claims from incoming tokens to be used to query data stores for additional claims. At…

2