WS-Federation and Saml 2.0 Assertion in ADFS 2.0

May 24, 2011 at 3:37 PM


I have this scenario and i'd like to known a better solution for it.

I send my request at ADFS 2.0 for my login and it re-sand me a token saml 1.1 when knows user.

After in my application this user can access to external Web-Services but for access to it he need a token saml 2.0.

Can i convert my token saml 1.1 in token saml 2.0 ??

I read that i can't use token saml 2.0 for my application becouse WS-Federation doesn't support it.

have you other solution??

Please, help me!! 

May 24, 2011 at 8:01 PM

How do you plan to forward the Token to the web Service?

May 25, 2011 at 10:04 PM

I don't known....i believe with sts but can i forward with my application too?? i say better.....can i take my token saml 1.1 and convert it in token saml 2.0 and re-sand at web services??

Excuse me if i send bad question but i'm new in this argument and i want learn it

May 26, 2011 at 7:37 AM

Well - first of all SAML 2.0 with WS-Fed works without a problem. You need to configure that in ADFS2 (i guess via a powershell cmdlet).

"Forwarding" the token means delegation - see the WIF SDK under advanced for a sample for that.

May 27, 2011 at 9:06 AM

Really?? do you say that i can use Saml 2.0 with WS-Fed ?? Where can i find documentation about it?? can you give me a link ?? 

In this way can i realize my scenario ?? thanks for all!!

May 30, 2011 at 7:46 AM

WS-Federation definitely works with SAML 2.0 tokens. Can't find the ADFS configuration switch for it though. Pretty sure it is somewhere.

But for forwarding a token (aka delegation) you need to make a WS-Trust roundtrip to the STS anyways - so you can decide about the token type in the RST.