How to access AD FS claims by User's credential?

nunu · Jun 11, 2012 · Viewed 13.2k times

I am developing a WCF web service to act as an intermediary between a user's login action and their Active Directory roles and permissions. I don't want my host application to talk to AD FS directly. I want any host application to use my web service, and it will provide the necessary information on the basis of the given credentials.

In my web method I need to get claims from AD FS (WIF) by user's login credentials.

My web method will have two input parameters: the Windows user's email ID / Windows account name, and the password.

So, I want to access AD FS claims in my web method by given user's credential.

How would I get AD FS claims by given user's credential?

Answer

You should perform a web service call to the https://.../adfs/services/trust/13/usernamemixed endpoint of AD FS 2.0 which uses Integrated Windows Authentication, providing the user's credentials so that the connection can be set up. On this endpoint, call the http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue operation. (More details are in section 4.1 of the WS-Trust 1.3 specification.) The input for this operation is a RequestSecurityToken request. The response contains a SAML token containing the claims you require.

Note that the AD FS 2.0 WSDL is available at https://.../adfs/services/trust/mex: if you point your Visual Studio Add Service Reference wizard, or your Java wsimport, to that URL, then you'll easily generate client code which you can use for performing the RST Issue operation.
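The RST/Issue call against the usernamemixed endpoint described above, followed by validation of the returned SAML token (signature, issuer, audience, lifetime) before its claims are handed back to the host application, as an added .NET 4.5 (System.IdentityModel) example that is not part of the original answer. The AD FS host, the relying party identifier and the token-signing certificate thumbprint are placeholders; the relying party is assumed to be registered in AD FS.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

static class AdfsClaimsClient
{
    // Placeholders (assumed): AD FS host, RP identifier registered in AD FS, AD FS token-signing cert thumbprint.
    const string AdfsUsernameMixed = "https://ADFS_HOST/adfs/services/trust/13/usernamemixed";
    const string RelyingPartyId = "https://RELYING_PARTY_ID/";
    const string SigningCertThumbprint = "TOKEN_SIGNING_CERT_THUMBPRINT";

    // Step 1: send a WS-Trust 1.3 RST/Issue to usernamemixed, authenticating with the caller's credentials.
    public static GenericXmlSecurityToken RequestToken(string userName, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AdfsUsernameMixed));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        // Bearer SAML token scoped (AppliesTo) to our relying party, so it cannot be replayed elsewhere.
        var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(RelyingPartyId), KeyType = KeyTypes.Bearer };
        var channel = factory.CreateChannel();
        try { return (GenericXmlSecurityToken)channel.Issue(rst); }
        finally { ((ICommunicationObject)channel).Close(); }
    }

    // Step 2: never read claims out of the raw XML; let the SAML handlers validate the token first.
    public static ClaimsIdentity ValidateAndReadClaims(GenericXmlSecurityToken token)
    {
        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyId));
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(SigningCertThumbprint, "ADFS");   // pin the expected signing cert
        handlers.Configuration.IssuerNameRegistry = issuers;
        // Trust is decided by the pinned thumbprint above, not by chain building on the signing cert.
        handlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None;
        using (var reader = XmlReader.Create(new StringReader(token.TokenXml.OuterXml)))
        {
            var saml = handlers.ReadToken(reader);
            return handlers.ValidateToken(saml)[0];   // throws if signature, issuer, audience or lifetime fail
        }
    }
}
```

The web method then returns only the claim types it needs from the validated ClaimsIdentity, and the user's password is used solely for the WS-Trust call and never stored.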