Zulfiqar's weblog

Architecture, security & random .Net

Part3: Explicit ACS federation

Posted by zamd on February 4, 2009

In the last post I showed how to federate ACS with a custom STS. All of the token acquisition (from my local STS) and forwarding (to ACS) magic was done by WSFederationHttpBinding, and you never saw the intermediate token issued by your local STS. There are scenarios where you want more explicit control over this intermediate token: to inspect it, to cache it for its lifetime, or to decide when and where it is forwarded. In this post I will show some techniques to get hold of this intermediate token and thus control its lifetime, forwarding and so on.

Step 1: Get the token from our local STS.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

private static SecurityToken GetTokenFromLocalSTS()
{
    var localSTSBinding = new WSHttpBinding("AnnonyForCertificate");

    // Public-key-only certificate of the local STS. It is used to secure the message
    // exchange, not to authenticate the caller (the binding below allows anonymous callers).
    var localSTSCert = new X509Certificate2(@"MyCustomSTSPublicKey.cer");
    var localSTSIdentity = new X509CertificateEndpointIdentity(localSTSCert);
    var localSTSAddress = new EndpointAddress(new Uri("http://localhost:9000/STS"), localSTSIdentity);

    var client = new WSTrustClient(localSTSBinding, localSTSAddress, TrustVersion.WSTrustFeb2005, new ClientCredentials());

    // Ask the local STS for a token scoped (AppliesTo) to the ACS endpoint we will forward it to.
    var rst = new RequestSecurityToken(RequestTypeConstants.Issue);
    rst.AppliesTo = new EndpointAddress("http://accesscontrol.windows.net/sts/eval01/saml for certificate/");

    RequestSecurityTokenResponse rstr;
    var token = client.Issue(rst, out rstr);

    return token;
}
```


My local STS is configured to issue tokens to all anonymous callers. Note that with clientCredentialType="None" anyone who can reach the STS endpoint gets a token; the STS certificate only protects the exchange on the wire. Here is the wsHttpBinding:

```xml
<binding name="AnnonyForCertificate">
  <security mode="Message">
    <message clientCredentialType="None" negotiateServiceCredential="false" establishSecurityContext="false"/>
  </security>
</binding>
```



Step 2: Forward this token to ACS with the Issue request.

```csharp
private static void FederateMyCustomSTSWithACS()
{
    var intermediateToken = GetTokenFromLocalSTS();

    // We now hold the token from our local STS. Forward it to ACS as the credential on an Issue request.
    var acsCert = GetACSCertificate();   // helper from the author's project; not shown in this post
    var acsIdentity = new X509CertificateEndpointIdentity(acsCert);
    var acsAddress = new EndpointAddress(new Uri("http://accesscontrol.windows.net/sts/eval01/saml for certificate"), acsIdentity);

    var acsBinding = new CustomBinding("AnySamlForCertificate");

    var acsClient = new WSTrustClient(acsBinding, acsAddress, TrustVersion.WSTrust13, new ClientCredentials());
    // Attach the intermediate token so it is sent as the issued token on the ACS channel.
    acsClient = acsClient.SetIssuedToken(intermediateToken);

    var rstACS = new RequestSecurityToken(RequestTypeConstants.Issue);
    rstACS.AppliesTo = new EndpointAddress("http://zamd.net/");

    var finalToken = acsClient.Issue(rstACS) as GenericXmlSecurityToken;

    // Dump the SAML assertion. The proof key inside is encrypted to the RP certificate, so the
    // RP private key is needed to read it (demo only: PFX password inline).
    var rpCert = new X509Certificate2(@"zamdnetprivatekeycert.pfx", "a");
    var saml = ExtractSAMLAssertion(finalToken, rpCert);   // helper from the author's project; not shown in this post
}
```


The ACS binding is as follows. The issuer address is a placeholder ("http://dummy") because the token is supplied explicitly through SetIssuedToken rather than acquired by the binding:

```xml
<binding name="AnySamlForCertificate">
  <security authenticationMode="IssuedTokenForCertificate">
    <issuedTokenParameters>
      <issuer address="http://dummy" binding="basicHttpBinding"/>
    </issuedTokenParameters>
  </security>
  <!-- encoding and transport elements were not shown in the original post; HTTP assumed -->
  <textMessageEncoding/>
  <httpTransport/>
</binding>
```





With the above code I get back the following SAML assertion (containing only one claim). The proof key is encrypted to the RP certificate, which is why the RP private key was needed above; elided parts are marked:

```xml
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <!-- ... -->
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          </e:EncryptionMethod>
          <!-- ... -->
            <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <!-- ... -->
                  <X509IssuerName>CN=Root Agency</X509IssuerName>
              <!-- ... -->
            </o:SecurityTokenReference>
          <!-- ... encrypted key bytes elided ... -->
        </e:EncryptedKey>
      </KeyInfo>
  <!-- ... -->
  <saml:Attribute AttributeName="action" AttributeNamespace="http://docs.oasis-open.org/wsfed/authorization/200706/claims">
    <saml:AttributeValue>that’s done</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
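Holding the intermediate token between Step 1 and Step 2 only pays off if you actually check it before forwarding. The following is an added example, not code from the original post: it rejects a token that is outside its validity window (allowing for clock skew with the STS) or that the local STS scoped to an audience other than the ACS endpoint, and it caches a good token so the local STS is contacted once per token lifetime instead of once per ACS call. The class names, the skew and minimum-remaining values, and the constructed unsigned sample assertion are assumptions; GetTokenFromLocalSTS from Step 1 is what you would pass as the acquire delegate.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Policy;
using System.IdentityModel.Tokens;
using System.Xml;

// Added example (hypothetical names). Checks to run on the intermediate token before
// it is forwarded to ACS in Step 2.
public static class IntermediateTokenGuard
{
    const string SamlNs = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Usable = already valid (tolerating 'skew' of clock difference with the STS) and with at
    // least 'minRemaining' of lifetime left, so the ACS Issue call cannot race its expiry.
    public static bool IsUsable(SecurityToken token, TimeSpan skew, TimeSpan minRemaining, DateTime nowUtc)
    {
        if (token == null) return false;
        if (token.ValidFrom > nowUtc + skew) return false;        // not yet valid
        if (token.ValidTo <= nowUtc + minRemaining) return false;  // expired or about to expire
        return true;
    }

    // SAML 1.x audience restriction from the raw token XML: the local STS should have scoped
    // the token to the ACS AppliesTo we requested, not to some other relying party.
    public static List<string> GetAudiences(XmlElement tokenXml)
    {
        var ns = new XmlNamespaceManager(tokenXml.OwnerDocument.NameTable);
        ns.AddNamespace("saml", SamlNs);
        var audiences = new List<string>();
        foreach (XmlNode n in tokenXml.SelectNodes(".//saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", ns))
            audiences.Add(n.InnerText.Trim());
        return audiences;
    }

    public static bool AudienceMatches(XmlElement tokenXml, Uri expected)
    {
        foreach (var a in GetAudiences(tokenXml))
        {
            Uri actual;
            if (Uri.TryCreate(a, UriKind.Absolute, out actual) &&
                Uri.Compare(actual, expected, UriComponents.HttpRequestUrl, UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0)
                return true;
        }
        return false;   // no audience, or scoped to somebody else: do not forward
    }
}

// Holds one intermediate token and re-acquires only when it is stale or invalid: one trip to
// the local STS per token lifetime, and a bad token never reaches the ACS channel.
public sealed class IntermediateTokenCache
{
    readonly Func<SecurityToken> acquire;          // e.g. GetTokenFromLocalSTS from Step 1
    readonly Uri expectedAudience;                 // the ACS endpoint used as AppliesTo
    readonly TimeSpan skew = TimeSpan.FromMinutes(5);        // assumed tolerance
    readonly TimeSpan minRemaining = TimeSpan.FromMinutes(1); // assumed safety margin
    readonly object gate = new object();
    SecurityToken cached;

    public int Acquisitions { get; private set; }

    public IntermediateTokenCache(Func<SecurityToken> acquire, Uri expectedAudience)
    {
        this.acquire = acquire;
        this.expectedAudience = expectedAudience;
    }

    public SecurityToken Get(DateTime nowUtc)
    {
        lock (gate)
        {
            if (IntermediateTokenGuard.IsUsable(cached, skew, minRemaining, nowUtc))
                return cached;

            var fresh = acquire();
            Acquisitions++;
            if (!IntermediateTokenGuard.IsUsable(fresh, skew, minRemaining, nowUtc))
                throw new SecurityTokenValidationException("local STS issued a token that is not currently valid");
            var xml = fresh as GenericXmlSecurityToken;
            if (xml == null || !IntermediateTokenGuard.AudienceMatches(xml.TokenXml, expectedAudience))
                throw new SecurityTokenValidationException("intermediate token is not scoped to the ACS endpoint");
            cached = fresh;
            return cached;
        }
    }
}

public static class Demo
{
    // Constructed, unsigned SAML 1.1 assertion shaped like the local STS output; sample data
    // for the checks above only. A real token is signed by the STS and carries a proof key.
    public static GenericXmlSecurityToken MakeSampleToken(string audience, DateTime notBefore, DateTime notOnOrAfter)
    {
        var doc = new XmlDocument();
        doc.LoadXml(
            "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' MajorVersion='1' MinorVersion='1'>" +
            "<saml:Conditions NotBefore='" + XmlConvert.ToString(notBefore, XmlDateTimeSerializationMode.Utc) +
            "' NotOnOrAfter='" + XmlConvert.ToString(notOnOrAfter, XmlDateTimeSerializationMode.Utc) + "'>" +
            "<saml:AudienceRestrictionCondition><saml:Audience>" + audience + "</saml:Audience></saml:AudienceRestrictionCondition>" +
            "</saml:Conditions></saml:Assertion>");
        return new GenericXmlSecurityToken(doc.DocumentElement, null, notBefore, notOnOrAfter, null, null,
            new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>()));
    }

    public static void Main()
    {
        var acs = new Uri("http://accesscontrol.windows.net/sts/eval01/saml for certificate/");
        var now = DateTime.UtcNow;
        var good = MakeSampleToken(acs.OriginalString, now.AddMinutes(-1), now.AddMinutes(10));
        var stale = MakeSampleToken(acs.OriginalString, now.AddMinutes(-20), now.AddSeconds(30));
        var other = MakeSampleToken("http://zamd.net/", now.AddMinutes(-1), now.AddMinutes(10));

        Console.WriteLine(IntermediateTokenGuard.IsUsable(good, TimeSpan.FromMinutes(5), TimeSpan.FromMinutes(1), now));
        Console.WriteLine(IntermediateTokenGuard.IsUsable(stale, TimeSpan.FromMinutes(5), TimeSpan.FromMinutes(1), now));
        Console.WriteLine(IntermediateTokenGuard.AudienceMatches(other.TokenXml, acs));

        var cache = new IntermediateTokenCache(() => good, acs);
        cache.Get(now);
        cache.Get(now.AddMinutes(5));
        Console.WriteLine(cache.Acquisitions);   // one acquisition serves both calls
    }
}
```

In the real flow you would construct `new IntermediateTokenCache(GetTokenFromLocalSTS, acsAddress.Uri)` once and call `Get(DateTime.UtcNow)` in place of the direct `GetTokenFromLocalSTS()` call in Step 2. The audience check matters because the local STS in this post issues to anonymous callers: a token minted for a different relying party should never be replayed to ACS.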




I hope you will find this post useful. In the next post, I will show how to federate ACS with Geneva Server. Stay tuned…
