How to access AD FS claims by User's credential?

Question

As I am developing a WCF web service to make an intermediator between user\'s login action and their active directory roles and permissions. I don\'t want my host applicatio

Answer 1

You should perform a web service call to the https://.../adfs/services/trust/13/usernamemixed endpoint of AD FS 2.0 which uses Integrated Windows Authentication, providing the user's credentials so that the connection can be set up. On this endpoint, call the http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue operation. (More details are in section 4.1 of the WS-Trust 1.3 specification.) The input for this operation is a RequestSecurityToken request. The response contains a SAML token containing the claims you require.

Note that the AD FS 2.0 WSDL is avaible at https://.../adfs/services/trust/mex: if you point your Visual Studio Add Service Reference wizard, or your Java wsimport, to that URL then you'll easily generate client code which you can use for performing the RST Issue operation.

Answer 2

You could request a DisplayTokem from the ADFS and work with that, it's basically the same information you have in the token.

public DisplayClaimCollection GetDisplayClaims(string username, string password)
        {
            WSTrustChannelFactory factory = null;
            try
            {

                // use a UserName Trust Binding for username authentication
                factory = new WSTrustChannelFactory(
                    new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                    "https://.../adfs/services/trust/13/usernamemixed");

                factory.TrustVersion = TrustVersion.WSTrust13;


                factory.Credentials.UserName.UserName = username;
                factory.Credentials.UserName.Password = password;


                var rst = new RequestSecurityToken
                              {
                                  RequestType = RequestTypes.Issue,
                                  AppliesTo = "Relying party endpoint address",
                                  KeyType = KeyTypes.Symmetric,
                                  RequestDisplayToken = true
                              };

                IWSTrustChannelContract channel = factory.CreateChannel();
                RequestSecurityTokenResponse rstr;
                SecurityToken token = channel.Issue(rst, out rstr);

                return rstr.RequestedDisplayToken.DisplayClaims;
            }
            finally
            {
                if (factory != null)
                {
                    try
                    {
                        factory.Close();
                    }
                    catch (CommunicationObjectFaultedException)
                    {
                        factory.Abort();
                    }
                }
            }
        }

But this is not the proper way of doing it! You should use your RelyingParty certificate to decrypt the encrypted token and read the claims from it.