How do I do an Active login into windows Azure ACS
Question
I have an Azure ACS set up. I have several IP's configured; one of which is a custom STS. The "passive" scenario - in which browser redirects are used to get the token from the ip to acs and back again to my RP - works like a charm. In the passive scenario it is possible to use the homerealm to "guide" the ACS towards the IP-STS of my choice.
I am wondering now whether something similar is possible in the active scenario. More specifically : can I retrieve a token from ACS by providing a username and a password (and some id of the IP that will handle the user-name password) to ACS.
(I want to keep knowledge about the custom STS out of my clients so I'm not asking the custom STS for a token directly )
2 answers
solution1
0 2012-11-14 20:05:58
The active authentication flow doesn't work exactly that way. The credentials don't go to ACS, but to the IdP directly via a protocol like WS-Trust. For an example of this, take a look at the ACS Federated Authentication sample .
None of the protocols that ACS supports allow the credentials to be ferried through a federation provider in the way you suggest directly (doing so would create an unnecessary security issue as those credentials would be exposed to the FP), but the fact that these creds go to the IdP instead of ACS should be invisible to the end-user.
solution2
0 ACCPTED 2012-12-06 18:26:05
Ok, i found it. I need a two-way process. First request a token on the custom sts using a username and password (with audience set to the correct endpoint of the acs sts). Next "exchange" this token for a token issued by the ACS as in : https://stackoverflow.com/questions/13675217/exchange-ip-sts-jwt-token-for-acs-jwt-toke n
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.