Zulfiqar's weblog

Architecture, security & random .Net

Part4: ACS Federation with Sql Server Data Services

Posted by zamd on February 11, 2009

Today I will show you how use a token issued by ACS to login into SDS using it’s SOAP API. Again two step process:

Step 1: Get a token from ACS (using UserName/Passoword) for SDS.

 var binding = new WSHttpBinding(“userNameForCert”);

 //ACS(STS) signing certificate…       

var certData = GetACSCertificate();

//only public key cert. use to secure communication.

var acsCert = new X509Certificate2(certData);

var identity = new X509CertificateEndpointIdentity(acsCert);

var epa = new EndpointAddress(new Uri(http://accesscontrol.windows.net/sts/mssds.com/username for certificate feb2005”), identity); 

var trustVersion = TrustVersion.WSTrustFeb2005;

var clientCredentials = new ClientCredentials();

clientCredentials.UserName.UserName = SolutionUserName;

clientCredentials.UserName.Password = SolutionPassword;


WSTrustClient client = new WSTrustClient(binding, epa, trustVersion, clientCredentials);

RequestSecurityToken rst = new RequestSecurityToken(RequestTypeConstants.Issue, KeyTypeConstants.Symmetric);

rst.AppliesTo = new EndpointAddress(https://data.database.windows.net/v1”);

RequestSecurityTokenResponse rstr;

var samltok = client.Issue(rst, out rstr);

Here is the binding configuration I used for talking to ACS:

  <binding name=userNameForCert>

    <security mode=Message>

      <message clientCredentialType=UserName negotiateServiceCredential=false

        establishSecurityContext=false />




Step 2: Forward this token to SDS when creating a new container.

I have generated the SDS proxy (and other classes) by simply doing an “Add Service Reference” from inside visual studio. SDS metadata is exposed at: https://database.windows.net/soap/v1/


var sdsBinding = new CustomBinding(“sitka”);

var sdsClient = new SDS.SitkaSoapServiceClient(sdsBinding,

    new EndpointAddress(https://data.database.windows.net/soap/v1/zurich&#8221;));


var sdsProxy = sdsClient.ChannelFactory.CreateChannelWithIssuedToken(samltok);

var authorityScope = new SDS.Scope();

authorityScope.AuthorityId = “zamd01”;


var c1 = new SDS.Container();

c1.Id = “NewContainerId”;

sdsProxy.Create(authorityScope, c1);

Console.WriteLine(“New container is created…”);


SDS binding looks like this:

  <binding name=sitka>

    <security authenticationMode=IssuedTokenOverTransport>


        <issuer address=http://dummy binding=basicHttpBinding/>





And here is a snapshot of my SDS account highlighting the newly created container.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: