Pass-through SAML tokens & Secure Conversation (Part 1)
Let's say you have implemented federated security and now have a bunch of services, all of which require a token from a trusted STS before they provide any service. Some of these services are logically part of the same security realm but are still distinct entities. To optimize performance, you probably want to do some short-circuiting: when a user presents a token (issued by the trusted STS) to one of these services, that frontend service should simply be able to forward the incoming token to the backend services within its logical security boundary (akin to trusted delegation). Here is a diagrammatic view.
On the surface, this sounds like a simple scenario which can be implemented as:
· Reach into the incoming service security context
· Extract the incoming token
· Pass it on to the backend service
The trouble is that wsFederationHttpBinding wisely uses secure conversation to avoid the token-acquisition overhead on every call. Because of this optimization, we never get to see the actual bootstrap token (the token used to establish the secure conversation session) inside our service methods.
In the next post, I will show you how to extend the WCF security framework to enable this scenario.
At a very high level, we need to hook into the secure conversation handshake, extract the incoming SAML token, and save it somewhere for future use.
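As an added sketch of that hook (not the post's own code and not a preview of the next part), a custom ServiceCredentials wraps WCF's SAML authenticator so the assertion validated during the secure-conversation handshake is attached, via an authorization policy, to every later call in that session; all class names and the "BootstrapSamlToken" property key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// All names below are assumptions (added sketch, not the post's code).
// Policy that exposes the validated bootstrap token on the AuthorizationContext of later calls.
class BootstrapTokenPolicy : IAuthorizationPolicy
{
    public const string PropertyName = "BootstrapSamlToken";   // assumed key
    readonly SecurityToken token;
    readonly string id = Guid.NewGuid().ToString();
    public BootstrapTokenPolicy(SecurityToken token) { this.token = token; }
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext ctx, ref object state) { ctx.Properties[PropertyName] = token; return true; }
}

// Wraps WCF's SAML authenticator, which runs once during the RST/RSTR handshake that
// establishes the session; signature/issuer validation stays with the inner authenticator.
class CapturingSamlAuthenticator : SecurityTokenAuthenticator
{
    readonly SecurityTokenAuthenticator inner;
    public CapturingSamlAuthenticator(SecurityTokenAuthenticator inner) { this.inner = inner; }
    protected override bool CanValidateTokenCore(SecurityToken t) { return inner.CanValidateToken(t); }
    protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken t)
    {
        var policies = new List<IAuthorizationPolicy>(inner.ValidateToken(t));
        policies.Add(new BootstrapTokenPolicy(t));   // token now travels with the session's policies
        return policies.AsReadOnly();
    }
}

class CapturingTokenManager : ServiceCredentialsSecurityTokenManager
{
    public CapturingTokenManager(ServiceCredentials c) : base(c) { }
    public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(SecurityTokenRequirement req, out SecurityTokenResolver resolver)
    {
        var auth = base.CreateSecurityTokenAuthenticator(req, out resolver);
        return auth is SamlSecurityTokenAuthenticator ? new CapturingSamlAuthenticator(auth) : auth;
    }
}

class CapturingServiceCredentials : ServiceCredentials
{
    public CapturingServiceCredentials() { }
    CapturingServiceCredentials(CapturingServiceCredentials o) : base(o) { }
    protected override ServiceCredentials CloneCore() { return new CapturingServiceCredentials(this); }
    public override SecurityTokenManager CreateSecurityTokenManager() { return new CapturingTokenManager(this); }
}
```

Register it with `host.Description.Behaviors.Remove<ServiceCredentials>()` followed by `host.Description.Behaviors.Add(new CapturingServiceCredentials())`; a service method then reads the assertion from `ServiceSecurityContext.Current.AuthorizationContext.Properties[BootstrapTokenPolicy.PropertyName]`. The backend receiving the forwarded assertion still validates its signature, audience and expiry exactly as it would for a token presented directly, so a cached assertion gains no lifetime or scope from being relayed.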