Part 4: ACS Federation with SQL Server Data Services
Today I will show you how to use a token issued by ACS to log in to SDS through its SOAP API. Again, it is a two-step process:
Step 1: Get a token from ACS (using a username/password) that is scoped to SDS.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust; // WSTrustClient, RequestSecurityToken, etc. (Geneva Framework / WIF; adjust the namespace for your build)

// Message security over plain HTTP: the username/password is encrypted to the ACS certificate,
// so the certificate returned by GetACSCertificate() must come from a trusted source.
var binding = new WSHttpBinding("userNameForCert");
// ACS (STS) signing certificate...
var certData = GetACSCertificate();
// Public-key certificate only; used to secure the request and as the identity of the STS endpoint.
var acsCert = new X509Certificate2(certData);
var identity = new X509CertificateEndpointIdentity(acsCert);
var epa = new EndpointAddress(new Uri("http://accesscontrol.windows.net/sts/mssds.com/username for certificate feb2005"), identity);
var trustVersion = TrustVersion.WSTrustFeb2005;
var clientCredentials = new ClientCredentials();
clientCredentials.UserName.UserName = SolutionUserName;
clientCredentials.UserName.Password = SolutionPassword;
WSTrustClient client = new WSTrustClient(binding, epa, trustVersion, clientCredentials);
// Ask for a symmetric proof key so the client can later prove possession of the token to SDS.
RequestSecurityToken rst = new RequestSecurityToken(RequestTypeConstants.Issue, KeyTypeConstants.Symmetric);
// Scope the token to the SDS service endpoint; SDS will reject a token issued for anything else.
rst.AppliesTo = new EndpointAddress("https://data.database.windows.net/v1");
RequestSecurityTokenResponse rstr;
var samltok = client.Issue(rst, out rstr);
Here is the binding configuration I used for talking to ACS. Because negotiateServiceCredential is false, the client does not negotiate the service certificate at run time; it relies entirely on the ACS certificate supplied in code as the endpoint identity:
<binding name="userNameForCert">
<security mode="Message">
<message clientCredentialType="UserName" negotiateServiceCredential="false"
establishSecurityContext="false" />
</security>
</binding>
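The Step 1 code leaves GetACSCertificate() undefined and trusts whatever certificate it returns. Since the solution password is encrypted to that certificate and the STS endpoint is plain HTTP, the certificate is the only thing standing between the password and a spoofed STS. The following is an added example (my code, not from the original post): a pinned loader for the ACS public certificate, plus a check on the RSTR before the token is forwarded to SDS. The file path, the AcsThumbprint constant, and the AppliesTo/Lifetime/Expires property names on RequestSecurityTokenResponse (as in the Geneva Framework / WIF WS-Trust object model) are assumptions.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using Microsoft.IdentityModel.Protocols.WSTrust;

// Added example, not part of the original post.
static class AcsTrust
{
    // Placeholder: record the SHA-1 thumbprint of the real ACS signing certificate out of band
    // (e.g. from the ACS portal) and paste it here. All zeros will reject every certificate.
    const string AcsThumbprint = "0000000000000000000000000000000000000000";

    // Loads the STS public certificate from a local .cer file (assumed path) and pins it to the
    // known thumbprint, so a swapped certificate is rejected before it becomes the endpoint identity.
    public static X509Certificate2 GetACSCertificate(string path)
    {
        var cert = new X509Certificate2(File.ReadAllBytes(path));

        // A private key has no business in the client; the file should hold the public cert only.
        if (cert.HasPrivateKey)
            throw new SecurityException("ACS certificate file must contain only the public key.");

        if (!string.Equals(cert.Thumbprint, AcsThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("ACS certificate thumbprint does not match the pinned value: " + cert.Thumbprint);

        if (DateTime.UtcNow < cert.NotBefore.ToUniversalTime() || DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new SecurityException("ACS certificate is outside its validity period.");

        return cert;
    }

    // Checks the RSTR before the token is forwarded: it must be scoped to the SDS endpoint we asked
    // for and must carry a lifetime that has not already run out.
    public static void CheckIssuedToken(RequestSecurityTokenResponse rstr, Uri expectedAppliesTo)
    {
        if (rstr == null)
            throw new ArgumentNullException("rstr");

        if (rstr.AppliesTo == null || rstr.AppliesTo.Uri != expectedAppliesTo)
            throw new SecurityException("Issued token is not scoped to " + expectedAppliesTo);

        if (rstr.Lifetime == null || !rstr.Lifetime.Expires.HasValue)
            throw new SecurityException("Issued token carries no expiry.");

        if (rstr.Lifetime.Expires.Value.ToUniversalTime() <= DateTime.UtcNow)
            throw new SecurityException("Issued token has already expired.");
    }
}

// Usage in the Step 1 flow (assumed file name):
//   var acsCert = AcsTrust.GetACSCertificate("acs-public.cer");
//   ...
//   var samltok = client.Issue(rst, out rstr);
//   AcsTrust.CheckIssuedToken(rstr, new Uri("https://data.database.windows.net/v1"));
```

Pinning by thumbprint is deliberately stricter than chain validation: the STS certificate is the one trust anchor of this flow, and a rotation should be a visible, deliberate change to the client rather than something any CA-issued certificate can satisfy. The AppliesTo check matters because the SDS endpoint is the audience of the token; a token issued for another relying party should never be sent to SDS.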
Step 2: Forward this token to SDS when creating a new container.
I generated the SDS proxy (and the other classes) by simply doing an "Add Service Reference" from inside Visual Studio. SDS metadata is exposed at: https://database.windows.net/soap/v1/
// Custom binding: the issued token travels in the SOAP security header, over HTTPS.
var sdsBinding = new CustomBinding("sitka");
var sdsClient = new SDS.SitkaSoapServiceClient(sdsBinding,
    new EndpointAddress("https://data.database.windows.net/soap/v1/zurich"));
// Swap in federated client credentials so a token obtained elsewhere can be attached to the channel.
FederatedClientCredentials.ConfigureChannelFactory(sdsClient.ChannelFactory);
// The channel sends the SAML token from Step 1 (and proves possession of its symmetric key) on every call.
var sdsProxy = sdsClient.ChannelFactory.CreateChannelWithIssuedToken(samltok);
var authorityScope = new SDS.Scope();
authorityScope.AuthorityId = "zamd01";
var c1 = new SDS.Container();
c1.Id = "NewContainerId";
sdsProxy.Create(authorityScope, c1);
Console.WriteLine("New container is created...");
The SDS binding looks like this. The issuer address is a placeholder and is never contacted, because the token is obtained separately in Step 1 and attached with CreateChannelWithIssuedToken. With IssuedTokenOverTransport it is the httpsTransport that protects the token on the wire, so do not swap it for httpTransport:
<binding name="sitka">
<security authenticationMode="IssuedTokenOverTransport">
<issuedTokenParameters>
<issuer address="http://dummy" binding="basicHttpBinding"/>
</issuedTokenParameters>
</security>
<httpsTransport/>
</binding>
And here is a snapshot of my SDS account highlighting the newly created container.