Working with Resource STS

May 5, 2008 at 12:20 AM
My question is more conceptual than implementation. This is my first foray into security and federation, so forgive me if this question is an obvious one.

I'm thinking of implementing multiple STSs in my security solution: an IP STS and a resource STS. The IP STS is responsible for authentication only. The Resource STS would populate additional claims, including possibly permission-related claims (CanDeleteCustomers, etc.).

Here's my understanding of the process flow between the STSs and the RP:

1. RP requires a security token (let's assume SAML to keep it easy).
2. Client sends an RST to the IP STS for the token, along with some user credentials.
3. IP STS validates the user, fetches requested identity claims (PPID, etc.) and ships the RSTR token back.
4. Client unwraps the SAML token from the RSTR and presents it to the RP
5. RP validates the token (it's issued from a trusted source), and grants access to the protected resource.
...
6. At some point additional claim information is required by the RP.
7. Client sends an RST to the resource STS, passing the IP Token as creds.
8. The Resource STS validates the IP Token (ensure it's issued from a trusted source), and fetches the requested claim data.
9. The resource STS prepares an RSTR with the claim data and sends it back to the client.
10. Client unwraps the RSTR and sends the resource SAML token to the RP.
11. RP validates the claims are issued from a known issuer and processes the claim values.


If this is wrong, please correct me. I have a few follow-up questions.

1) Is the RSTR a wrapper that holds the return SAML token, or is the RSTR actually the SAML Token? How does the client extract the SAML token from the RSTR, isn't it encrypted?
2) What endpoint in the SharpSTS should I be using when communicating with the resource STS? My endpoint choices appear to be UsernamePassword, SelfIssedSAML, and Cert. I didn't see an option for TrustedSAMLToken.
3) What is the best practice for caching the IP SAML Token on the client so it can be included as the credential for the ISSUE operation on the resource STS?
4) Is there any sample code available that demonstrates how to attach the IP SAML token to the RST request?
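
An added example, not part of the original post and not SharpSTS code: a minimal Python sketch of the unwrap-and-trust-check steps in the flow above (steps 4, 5 and 8), where a SAML assertion is taken out of an RSTR and accepted only if it names a trusted issuer. It assumes the WS-Trust February 2005 namespace, a SAML 1.1 assertion in the clear, a hypothetical issuer URI, a constructed sample RSTR, and that XML signature verification happens elsewhere.

```python
import xml.etree.ElementTree as ET  # for untrusted input use a hardened parser

NS = {"wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",  # WS-Trust, Feb 2005
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}       # SAML 1.x assertion
TRUSTED_ISSUERS = {"https://ip-sts.example/issue"}  # hypothetical IP STS issuer

# Constructed sample RSTR: the assertion is carried inside RequestedSecurityToken.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <wst:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="https://ip-sts.example/issue">
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="privatepersonalidentifier"
            AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>constructed-ppid</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

def unwrap_token(rstr_xml):
    """Step 4: pull the SAML assertion out of the RSTR wrapper."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:  # absent, or not in the clear (e.g. encrypted)
        raise ValueError("RSTR carries no cleartext SAML assertion")
    return assertion

def check_issuer(assertion):
    """Steps 5 and 8: accept only assertions naming a trusted issuer."""
    # Assumption: the XML signature was already verified against the issuer's
    # key; without that the Issuer attribute proves nothing. Not done here.
    issuer = assertion.get("Issuer")
    if issuer not in TRUSTED_ISSUERS:
        raise PermissionError("untrusted issuer: %r" % issuer)
    return issuer

def extract_claims(assertion):
    """Map each claim URI (AttributeNamespace/AttributeName) to its value."""
    claims = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[uri] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return claims

def accept_token(rstr_xml):
    assertion = unwrap_token(rstr_xml)
    check_issuer(assertion)
    return extract_claims(assertion)
```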

Coordinator
May 5, 2008 at 5:33 AM
Resource STSes aren't a scenario we're looking at right now I'm afraid.

You could try asking on the MSDN CardSpace forum: http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1