
Authenticate user of web service via ADFS

I was hoping that someone could confirm my understanding (or lack thereof) of ADFS with respect to WCF.

I've even drawn a pretty diagram.

"Bob" uses a web app, which is hosted on the Client's domains. The Client authenticates Bob via AD. However, the web app uses a WCF service developed and hosted at the Supplier.

There has been trust established between Client and Supplier.

My question: when the Web App uses the WCF Service, I would like the WCF service to re-authenticate "Bob", and the WCF service can then use the Claims returned by the ADFS server which is on the client.

Is this picture right?

[diagram: image not included in this copy]

Almost. Move the arrows between the Web service and ADFS (the IP-STS) to be between the Web app and ADFS. Then, the "Bob" that it will send to the Web service is a token that is signed by ADFS containing claims about Bob. The Web service will check this signature, and, if it matches, the claims will be considered trustworthy.

Typically, for cross-organizational use cases like this, the supplier would also have an STS (an RP-STS). Trust would be established between the STSs. Then, local applications (e.g., the Web app and service in this drawing) only need to trust their local STS. This avoids a fully connected graph of trust relationships.

[diagram: cross-organizational trust]

HTH!
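To make the two diagrams in the answer concrete, here is an added example in Go. It is not code from the question, the answer, ADFS or WIF, and every name and URN in it is made up. It models the flow the answer describes: the client's ADFS (the IP-STS) signs a claim set about Bob, the supplier's RP-STS validates that token and re-issues the claims under its own key, and the WCF service accepts only tokens signed by that one local issuer. It goes a little beyond the answer's "check the signature" by also checking the audience URI and the expiry, which a real relying party does alongside the signature check. Real ADFS issues SAML assertions over WS-Trust/WS-Federation and the WCF side would use WIF; the JSON-plus-RSA-PSS token here is a stand-in for that.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Claims is what an STS asserts about the user; aud names the relying party the token is for.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Expires  int64    `json:"exp"`
	Roles    []string `json:"roles"`
}

// Token stands in for a signed SAML assertion: claim bytes plus the issuer's RSA-PSS signature.
type Token struct{ Claims, Sig []byte }

// STS (IP-STS or RP-STS) owns a token-signing key; in ADFS this is the token-signing certificate.
type STS struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewSTS(name string) *STS {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &STS{name, k}
}

// Issue signs a claim set addressed to one audience; the STS, not the caller, decides its content.
func (s *STS) Issue(subject, audience string, roles []string, notAfter time.Time) Token {
	body, _ := json.Marshal(Claims{s.Name, subject, audience, notAfter.Unix(), roles})
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, s.Key, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err)
	}
	return Token{body, sig}
}

// RelyingParty is the Web app, the WCF service, or the inbound side of an RP-STS: a table of
// trusted issuer keys (the role WIF's IssuerNameRegistry plays) plus its own audience URI.
type RelyingParty struct {
	Audience string
	Trusted  map[string]*rsa.PublicKey
}

// Validate is the check the answer describes: a signature by a trusted key, then audience and
// expiry. Only after all three pass are the claims believed.
func (rp *RelyingParty) Validate(t Token, now time.Time) (*Claims, error) {
	var c Claims
	if err := json.Unmarshal(t.Claims, &c); err != nil {
		return nil, err
	}
	// The still-unverified issuer name only selects which key to try; the signature is what
	// establishes trust, so a forged token that merely names a trusted issuer still fails.
	pub, ok := rp.Trusted[c.Issuer]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", c.Issuer)
	}
	h := sha256.Sum256(t.Claims)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], t.Sig, nil); err != nil {
		return nil, fmt.Errorf("bad signature for issuer %q", c.Issuer)
	}
	if c.Audience != rp.Audience {
		return nil, fmt.Errorf("token for %q presented to %q", c.Audience, rp.Audience)
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// Exchange is the RP-STS step of the second diagram: validate a token from the trusted IP-STS,
// then re-issue its claims under the RP-STS's own key for one local application.
func Exchange(inbound *RelyingParty, rpSTS *STS, in Token, forAudience string, now time.Time) (Token, error) {
	c, err := inbound.Validate(in, now)
	if err != nil {
		return Token{}, fmt.Errorf("RP-STS: %w", err)
	}
	return rpSTS.Issue(c.Subject, forAudience, c.Roles, now.Add(time.Hour)), nil
}

func main() {
	now := time.Now()
	ipSTS, rpSTS := NewSTS("urn:client:adfs"), NewSTS("urn:supplier:sts") // made-up names
	rpInbound := &RelyingParty{"urn:supplier:sts", map[string]*rsa.PublicKey{ipSTS.Name: &ipSTS.Key.PublicKey}}
	service := &RelyingParty{"urn:supplier:wcf", map[string]*rsa.PublicKey{rpSTS.Name: &rpSTS.Key.PublicKey}}
	// 1. Client ADFS authenticates Bob and issues a token addressed to the supplier's RP-STS.
	t1 := ipSTS.Issue("bob@client.example", "urn:supplier:sts", []string{"Purchaser"}, now.Add(time.Hour))
	// 2. The RP-STS verifies it and issues a local token addressed to the WCF service.
	t2, err := Exchange(rpInbound, rpSTS, t1, "urn:supplier:wcf", now)
	if err != nil {
		panic(err)
	}
	// 3. The WCF service verifies the local token and may now act on Bob's claims.
	c, err := service.Validate(t2, now)
	fmt.Println("service accepted:", c.Subject, c.Roles, err)
	// Handing the IP-STS token straight to the service fails: it has no direct trust in ADFS.
	_, err = service.Validate(t1, now)
	fmt.Println("IP-STS token at service:", err)
}
```

The `Trusted` table and `Audience` field are the two things each relying party in the diagram has to be configured with: in WIF terms the trusted issuer list (signing-certificate thumbprint mapped to an issuer name) and the audience URI. Because the service trusts only the RP-STS key, the IP-STS token is useless to it directly, and a token signed by any other key that claims the RP-STS name is rejected at the signature step, which is exactly why only the two STSs need to know about each other.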

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM