Provide required claims to IP/STS

Mar 6, 2012 at 6:21 AM

Hi there

Congratulations for this great book. I use WIF within a few projects for web application SSO. I like the approach of claims based access control. Therefore I started something similar for the Java world too as described here:

Right now, I'm working on extensions for home-realm discovery and the support for publishing metadata documents in the Java based RP.

Imagine that you have deployed an RP-STS and IP-STS. The IP-STS is a B2B partner which access different applications in our company. Each application has its own set of required claims which must be added to the SAML token issued by the RP-STS. These required claims has an impact on the claims the IP-STS must provide but the RP-STS has only one Federation Metadata document which should be valid for all applications (RP). The redirect triggered by RP-STS to the IP-STS sets its URI for The wtrealm parameter and not of the RP itself. Therefore, the IP-STS doesn't know which application the user wants to access.

What am I missing?

Thanks for your feedback


Apr 9, 2013 at 8:42 AM
Hi there
Do you have an update on this?
Thanks oli
Apr 9, 2013 at 3:23 PM
Are you setting the context (wctx) before redirecting? The wctx should be preserved at each point in the federation dance (when redirecting, when posting RSTR to web app).

Note, you can use an arbitrary query string when accessing your single metadata document to influence required/emitted claims.
Apr 15, 2013 at 9:38 AM
I know what you mean that each redirecting IDP must keep the value of wctx and send it in the POST again. But this is not the issue I'm facing. The issue is the IP-STS doesn't know for which application a token should be issued. Example: a B2B partner accesses two applications in your environment. These two applications need a different set of claims like:
Application A: firstname, lastname, role [USER, ADMIN]
Application B: email, role [USER, MANAGER, AE, ADMIN]

The role depends on the application as each application has its own set of roles. The roles are managed in the B2B partner's IDM. The question now is that the RP-STS must tell the IP-STS the application which is usually done in the wtrealm parameter. The spec is not very clear whether you must set the wtrealm parameter to a value identifying your IDP or whether you can pass application specific URIs in wtrealm in such cases.

How does ADFS handle this use case?