Demos from my TechEd talks

Security Briefs


To those who came to my talks at TechEd 2008 Developers, thank you! Be sure to fill out an evaluation before you leave; scores matter a lot to the conference organizers, so let them know what you thought.

Here is the code from my ADFS talk.

Here is the code from my Understanding Claims talk.

Enjoy!


Posted Jun 04 2008, 07:10 AM by keith-brown

Comments

Lieven wrote re: Demos from my TechEd talks
on 06-25-2008 4:38 AM
I enjoyed your session and the code you've made available. You spoke about claims transformation. Don't you need to sign the new claimset you've created? What if a client sends you a SAML token with the exact same claims?

thanks
Keith Brown wrote re: Demos from my TechEd talks
on 06-25-2008 7:23 AM
Lieven,

Glad you enjoyed the session. Claims transformation can happen in a lot of places. If it happens external to the application using the claims, e.g. in an STS, the issuer of the new claimset should absolutely sign the claims (WCF has plumbing to produce signed security tokens, which is how we ship around claims).

But if you're doing the claims xform right in your application, there's no need to sign anything; you just use a local identifier for the issuer (I used the "System" claimset in my example). The WCF plumbing that accepts claims from clients won't ever issue a "System" claimset, so as long as you're checking the issuer, you don't need to worry about someone faking your internal claimset.

HTH!
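
The issuer check described in the reply above, as an added example (not code from the talk demos or from Keith Brown). It uses the `System.IdentityModel.Claims` types that WCF exposes; the claim type URI, the "Manager" role and the helper name `HasInternalRole` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

static class InternalClaims
{
    // Hypothetical claim type for the application's transformed claims.
    const string RoleClaimType = "urn:example:claims/role";

    // Honour a transformed claim only when the claimset carrying it was
    // issued by ClaimSet.System, i.e. created inside the application.
    public static bool HasInternalRole(IEnumerable<ClaimSet> claimSets, string role)
    {
        foreach (ClaimSet cs in claimSets)
        {
            // Claimsets built from incoming tokens have some other issuer,
            // so an identical claim sent by a client is skipped here.
            if (!ReferenceEquals(cs.Issuer, ClaimSet.System))
                continue;

            foreach (Claim c in cs.FindClaims(RoleClaimType, Rights.PossessProperty))
                if (string.Equals(c.Resource as string, role, StringComparison.Ordinal))
                    return true;
        }
        return false;
    }

    static void Main()
    {
        var roleClaim = new Claim(RoleClaimType, "Manager", Rights.PossessProperty);

        // Constructed sample: the same claim arriving in a client token,
        // issued by an external party (modelled as a self-issued claimset).
        ClaimSet externalIssuer = new DefaultClaimSet(Claim.CreateNameClaim("client-issuer"));
        ClaimSet fromToken = new DefaultClaimSet(externalIssuer, roleClaim);

        // Constructed sample: the result of in-application transformation.
        ClaimSet transformed = new DefaultClaimSet(ClaimSet.System, roleClaim);

        // Caller presenting only the token claimset: the role is not honoured.
        Console.WriteLine(HasInternalRole(new[] { fromToken }, "Manager"));
        // Caller whose context also holds the System-issued claimset: honoured.
        Console.WriteLine(HasInternalRole(new[] { fromToken, transformed }, "Manager"));
    }
}
```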
