ActAs vs. OnBehalfOf

Could someone please explain to me the difference between the ActAs and OnBehalfOf properties on FederatedClientCredentialsParameters, or the CreateChannelActingAs and CreateChannelOnBehalfOf methods on ChannelFactory<T>?

Thanks,
Scott

Scott Brady

Short Answer: ActAs is intended to be used for identity delegation scenarios. OnBehalfOf is intended to be used for STS proxy scenarios.

Long Answer:

ActAs scenario -
1. Client authenticates to middle tier service using some token, T1.
2. Middle tier service authenticates to the STS with its own token, T2, presenting T1 in the RST body as an ActAs element.
3. STS issues a token, T3, containing claims based on both T1 and T2.
4. Middle tier service presents T3 to the backend service, hence 'acting as the client'; the backend service can see both sets of claims.

OnBehalfOf scenario -
1. Client authenticates to an STS proxy (for example, a front end for an STS sitting behind a firewall) using some token, T1.
2. STS proxy forwards the request to the backend STS, presenting T1 in the RST body as an OnBehalfOf element.
3. STS issues a token, T2, that contains claims based only on T1.
4. STS proxy forwards this returned token back to client.
5. Client uses T2 to authenticate to some service which trusts the STS.

You can imagine a composite scenario where there is both an STS proxy and a middle tier service, hence it's very possible to combine both concepts.

Shiung Yong - MSFT
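The two request shapes and the resulting tokens from the answer above, as an added worked example that is not code from the original post or from Geneva/WIF. The APIs named in the question (FederatedClientCredentialsParameters, CreateChannelActingAs, CreateChannelOnBehalfOf) are C#; this example is Python and works at the level of the WS-Trust RST those APIs emit, with a toy STS standing in for the real one. The ActAs element is in the WS-Trust 1.4 namespace and OnBehalfOf in the WS-Trust 1.3 namespace; everything else (the attribute-based stand-in tokens, the DELEGATION_ALLOWED and PROXIES_ALLOWED policy sets, and the dict shape of the issued token) is this example's own assumption.

```python
"""Added example (not Geneva/WIF code): build an Issue RST that carries a
client token T1 as <ActAs> or <OnBehalfOf>, and a toy STS that shows what
the issued token contains in each case."""
import xml.etree.ElementTree as ET

WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3: RST, OnBehalfOf
WST14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"  # WS-Trust 1.4: ActAs
ISSUE = WST13 + "/Issue"
# WIF's actor claim type; how the actor is attached below is this example's choice.
ACTOR = "http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor"

# Constructed sample tokens standing in for real SAML/UserName tokens.
T1_CLIENT = '<Token subject="alice" role="user" issuer="idp"/>'
T2_MIDDLE_TIER = '<Token subject="middle-tier-svc" role="service" issuer="idp"/>'
STS_PROXY = '<Token subject="sts-proxy" role="proxy" issuer="idp"/>'

# Example policy (assumed): who may delegate (ActAs) and who may proxy (OnBehalfOf).
DELEGATION_ALLOWED = {"middle-tier-svc"}
PROXIES_ALLOWED = {"sts-proxy"}


def build_rst(presented_token: str, element: str) -> str:
    """Wrap an existing token T1 in an Issue RST as <ActAs> or <OnBehalfOf>."""
    if element not in ("ActAs", "OnBehalfOf"):
        raise ValueError("element must be ActAs or OnBehalfOf")
    ns = WST14 if element == "ActAs" else WST13
    rst = ET.Element(f"{{{WST13}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST13}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{ns}}}{element}").append(ET.fromstring(presented_token))
    return ET.tostring(rst, encoding="unicode")


def claims_of(token: str) -> dict:
    """Turn a constructed token into a claim dict (subject, role, issuer)."""
    return dict(ET.fromstring(token).attrib)


def sts_issue(rst_xml: str, requester_token: str) -> dict:
    """Toy STS. requester_token is what the caller authenticated with:
    T2 in the ActAs flow, the proxy's own token in the OnBehalfOf flow."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext(f"{{{WST13}}}RequestType") != ISSUE:
        raise ValueError("only Issue is supported")
    act_as = rst.find(f"{{{WST14}}}ActAs")
    obo = rst.find(f"{{{WST13}}}OnBehalfOf")
    if (act_as is None) == (obo is None):
        raise ValueError("RST must carry exactly one of ActAs / OnBehalfOf")
    requester = claims_of(requester_token)
    if act_as is not None:
        # Delegation: subject claims come from T1, and the caller (T2) is
        # recorded as the actor so the back end can see both identities.
        if requester["subject"] not in DELEGATION_ALLOWED:
            raise PermissionError("caller not authorised to delegate")
        subject = claims_of(ET.tostring(act_as[0], encoding="unicode"))
        return {"claims": subject, ACTOR: requester}
    # Proxy: the STS issues for T1 only; the proxy's identity is used to
    # decide whether to honour the request and never appears in the token.
    if requester["subject"] not in PROXIES_ALLOWED:
        raise PermissionError("caller is not a trusted STS proxy")
    subject = claims_of(ET.tostring(obo[0], encoding="unicode"))
    return {"claims": subject, ACTOR: None}


if __name__ == "__main__":
    print("ActAs      ->", sts_issue(build_rst(T1_CLIENT, "ActAs"), T2_MIDDLE_TIER))
    print("OnBehalfOf ->", sts_issue(build_rst(T1_CLIENT, "OnBehalfOf"), STS_PROXY))
```

The two PermissionError checks are the part worth copying: whichever element is used, the STS is being asked to mint a token for a subject other than the caller, so it must decide from the caller's own credential (T2 or the proxy's token) whether that caller is allowed to ask. Without that check, any party holding a copy of T1 could obtain a fresh token for the client.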

Hi Shiung,

I am not clear about step 3 of the "ActAs" scenario. It says that "STS issues a token, T3, containing claims based on both T1 and T2." So what is the format of T3? If it is a SAML token, how are we going to represent the claims of both T2 and T3? Is there any standard or specification about the format of these tokens? Otherwise interoperability might be a nightmare in this scenario.

Thanks.
/thilina

thilinamb
