How to access AD FS claims by User's credential?

Question

As I am developing a WCF web service to make an intermediator between user's login action and their active directory roles and permissions. I don't want my host application to directly talk to AD FS. I want any host application to use my web service and it will provided necessary information on the basis of given credential.

In my web method I need to get claims from AD FS (WIF) by user's login credentials.

My web method will have two input parameters, the Window User's Email Id / Windows Account Name and the Password.

So, I want to access AD FS claims in my web method by given user's credential.

How would I get AD FS claims by given user's credential?

Answer 1

You could request a DisplayTokem from the ADFS and work with that, it's basically the same information you have in the token.

public DisplayClaimCollection GetDisplayClaims(string username, string password)
        {
            WSTrustChannelFactory factory = null;
            try
            {

                // use a UserName Trust Binding for username authentication
                factory = new WSTrustChannelFactory(
                    new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                    "https://.../adfs/services/trust/13/usernamemixed");

                factory.TrustVersion = TrustVersion.WSTrust13;


                factory.Credentials.UserName.UserName = username;
                factory.Credentials.UserName.Password = password;


                var rst = new RequestSecurityToken
                              {
                                  RequestType = RequestTypes.Issue,
                                  AppliesTo = "Relying party endpoint address",
                                  KeyType = KeyTypes.Symmetric,
                                  RequestDisplayToken = true
                              };

                IWSTrustChannelContract channel = factory.CreateChannel();
                RequestSecurityTokenResponse rstr;
                SecurityToken token = channel.Issue(rst, out rstr);

                return rstr.RequestedDisplayToken.DisplayClaims;
            }
            finally
            {
                if (factory != null)
                {
                    try
                    {
                        factory.Close();
                    }
                    catch (CommunicationObjectFaultedException)
                    {
                        factory.Abort();
                    }
                }
            }
        }

But this is not the proper way of doing it! You should use your RelyingParty certificate to decrypt the encrypted token and read the claims from it.

Answer 2

You should perform a web service call to the https://.../adfs/services/trust/13/usernamemixed endpoint of AD FS 2.0 which uses Integrated Windows Authentication, providing the user's credentials so that the connection can be set up. On this endpoint, call the http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue operation. (More details are in section 4.1 of the WS-Trust 1.3 specification.) The input for this operation is a RequestSecurityToken request. The response contains a SAML token containing the claims you require.

Note that the AD FS 2.0 WSDL is avaible at https://.../adfs/services/trust/mex: if you point your Visual Studio Add Service Reference wizard, or your Java wsimport, to that URL then you'll easily generate client code which you can use for performing the RST Issue operation.