WSTrustClient issues (1: GenevaServerSTS+CustomSTS, 2: ActAs behavior)

Forum: .NET Framework > Claims based access platform (CBA), code-named Geneva

We use the federation scenario in two modes: one using only WCF WS bindings and the other using WSTrustClient for obtaining tokens directly (for HTTPS communications with a non-WS (HTTP) proxy server).

In the simplest case ActiveClient->CustomSTS->RP all is fine, but there are cases when we have troubles with WSTrustClient whereas only WCF WS bindings work as expected.

Case 1: ActiveClient->GenevaServerSTS->CustomSTS->RP

If WSTrustClient is configured to call CustomSTS with FederationBinding to GenevaServer, it asks the GenevaServer for tokens using the scope of RP, which is unexpected. In the WCF-only scenario (FederationBinding to RP that itself is federated with GenevaServer) the GenevaServer is asked for a token using the scope of CustomSTS, as expected.

As a workaround we can extend the WSTrustClient, override its CreateChannel method, directly ask Geneva Server for tokens using the scope of CustomSTS and then create a channel to CustomSTS using the received token (CreateChannelWithIssuedToken), but this solution seems quite cumbersome.

Case 2 (delegation): ActiveClient->CustomSTS->RP1->CustomSTS->RP2

With WCF-only bindings all is fine. We extract the token from the security context of RP1 and then call RP2 using CreateChannelActingAs with this token.

But we have no idea how to use the WSTrustClient in RP1 to directly obtain a token from CustomSTS for RP2, using the existing one (ActAs).

It seems that using CreateChannelActingAs in the WSTrustClient is not applicable ("ID3242: The security token could not be authenticated or authorized." security exception).

In both cases (WCF/WSTrustClient) the connection RP1->CustomSTS is provided by WSHttpBinding with a certificate as client credentials.

dmitry_b2

Having lost hope for the answer, I looked into WSTrustSerializationHelper and tried to create the 'SecurityTokenElement' in another way:
Using 'Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter' with the default 'Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection' I serialized the SamlSecurityToken into an XML string, then converted it into an XML DOM and constructed the 'SecurityTokenElement' from DocumentElement and the same default token handler collection. And an unmodified WSTrustClient with RequestSecurityToken.ActAs assigned to my SecurityTokenElement starts to work as expected!
Thanks!

  • Marked as answer by dmitry_b2, Tuesday, August 25, 2009 3:56 PM
dmitry_b2
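The approach from the marked answer, written out as an added example (not code from the thread or from the Geneva SDK): serialize the caller's SAML token with SecurityTokenSerializerAdapter, rebuild it as an XmlElement, wrap it in a SecurityTokenElement and set it as RequestSecurityToken.ActAs before calling an unmodified WSTrustClient. It assumes the Geneva Beta 2 Microsoft.IdentityModel API names used in the thread; the WSTrustClient constructor signature and AppliesTo being an EndpointAddress are assumptions, and the binding, endpoint addresses and credentials are caller-supplied placeholders.

```csharp
// Added example (not from the thread or the Geneva SDK). Assumes the Geneva Beta 2
// Microsoft.IdentityModel API: WSTrustClient's constructor and AppliesTo as EndpointAddress.
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Tokens;

public static class ActAsTokenRequest
{
    // Serialize the caller's token through the default handler collection, round-trip it
    // through an XmlDocument, and wrap the element with the same handlers (as in the answer).
    public static SecurityTokenElement CreateActAsElement(SecurityToken callerToken)
    {
        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        SecurityTokenSerializer serializer = new SecurityTokenSerializerAdapter(handlers);
        StringBuilder xml = new StringBuilder();
        XmlWriterSettings settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (XmlWriter writer = XmlWriter.Create(xml, settings))
        {
            serializer.WriteToken(writer, callerToken);
        }
        // PreserveWhitespace keeps the signed assertion byte-for-byte; reformatting it
        // would invalidate the signature the CustomSTS verifies on the ActAs token.
        XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml.ToString());
        return new SecurityTokenElement(doc.DocumentElement, handlers);
    }

    // RP1 asks the CustomSTS for a token scoped to RP2, acting as the original caller.
    // RP1 authenticates to the STS with the certificate the caller set on rp1Credentials.
    public static SecurityToken IssueForRp2ActingAs(Binding bindingToSts, EndpointAddress stsAddress,
        ClientCredentials rp1Credentials, string rp2Address, SecurityToken callerToken)
    {
        RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);
        rst.AppliesTo = new EndpointAddress(rp2Address);   // scope is RP2, not the STS itself
        rst.ActAs = CreateActAsElement(callerToken);        // the delegated caller identity
        // Constructor shape is an assumption about the Beta 2 WSTrustClient.
        WSTrustClient client = new WSTrustClient(bindingToSts, stsAddress, TrustVersion.WSTrust13, rp1Credentials);
        return client.Issue(rst);
    }
}
```

The CustomSTS should see the wrapped assertion in RequestSecurityToken.ActAs inside GetOutputClaims, which is where the thread reports null when a raw SamlSecurityToken is passed instead.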
Case 1 is a known issue. The derive-and-override approach with WSTrustClient is the lightest-weight solution I'm aware of.

Case 2 may be more easily implemented by setting RequestSecurityToken.ActAs on RP1 and then sending that request with an unmodified WSTrustClient. More details of the error itself (exception type, stack, any additional text in the message, and the same for any inner exceptions), whether it's occurring on RP1 or the CustomSTS called from RP1, and how authentication between RP1 and the CustomSTS is performed would be helpful in determining which approach is most appropriate.
Todd West - Microsoft

Hi Todd!
Thank you for your reply!
I am sorry for the delay in my reply - I was on vacation.
Case 2:
CreateChannelActingAs in the WSTrustClient in fact works without a security exception (it was my bug), but the GetOutputClaims method of the CustomSTS receives a RequestSecurityToken parameter with the ActAs field equal to null. An attempt to keep WSTrustClient unmodified and set RequestSecurityToken.ActAs, as you recommended, leads to the following exception:

at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollectionManager.get_Item(String usage)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteRSTXml(XmlWriter writer, String elementName, Object elementValue, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13RequestSerializer.WriteXmlElement(XmlWriter writer, String elementName, Object elementValue, RequestSecurityToken rst, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteKnownRequestElement(RequestSecurityToken rst, XmlWriter writer, WSTrustSerializationContext context, WSTrustRequestSerializer requestSerializer, WSTrustConstantsAdapter trustConstants)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13RequestSerializer.WriteKnownRequestElement(RequestSecurityToken rst, XmlWriter writer, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.WriteRequest(RequestSecurityToken rst, XmlWriter writer, WSTrustSerializationContext context, WSTrustRequestSerializer requestSerializer, WSTrustConstantsAdapter trustConstants)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13RequestSerializer.WriteXml(RequestSecurityToken request, XmlWriter writer, WSTrustSerializationContext context)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustRequestBodyWriter.OnWriteBodyContents(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BodyWriter.WriteBodyContents(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BodyWriterMessage.OnWriteBodyContents(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.Message.WriteBodyContents(XmlDictionaryWriter writer)
at System.ServiceModel.Security.SecurityAppliedMessage.WriteBodyToSignThenEncryptWithFragments(Stream stream, Boolean includeComments, String[] inclusivePrefixes, EncryptedData encryptedData, SymmetricAlgorithm algorithm, XmlDictionaryWriter writer)
at System.ServiceModel.Security.WSSecurityOneDotZeroSendSecurityHeader.ApplyBodySecurity(XmlDictionaryWriter writer, IPrefixGenerator prefixGenerator)
at System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
at System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message)
at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(Message message)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst)

The SecurityTokenElement for RequestSecurityToken.ActAs I create directly using the SamlSecurityToken - probably I am not correct here.
Could you please help me?
Thank you!
Dmitry.

dmitry_b2

