Windows Identity Foundation (WIF) – The Difference Between ActAs and OnBehalfOf

After reading several resources (Vittorio’s book, ActAs vs. OnBehalfOf, Identity Delegation Scenario, Frequently Asked Questions), here is my understanding of ActAs and OnBehalfOf:

  • OnBehalfOf is defined in WS-Trust 1.3 (and already in the February 2005 draft); ActAs is the element added in WS-Trust 1.4. WIF targets WS-Trust 1.3 and WS-Trust February 2005 for token issuance, but additionally supports the WS-Trust 1.4 ActAs element.
  • OnBehalfOf is for impersonation. The STS issues a token for the party named in the OnBehalfOf element (the original caller), so the final recipient sees only that caller and has no record of the intermediary service that actually requested the token.
  • ActAs is for delegation. The issued token describes the original caller as its subject and records the intermediary (the service that requested the token) as the Actor, so the final recipient sees both the immediate client and the original caller.
  • In the intermediary, which is the WCF client of the downstream service, use the CreateChannelActingAs extension method on ChannelFactory<T> (Microsoft.IdentityModel.Protocols.WSTrust) to send ActAs (delegation). It takes the caller's SecurityToken, which WIF places in the RST sent to the STS.
  • Use CreateChannelOnBehalfOf the same way to send OnBehalfOf (impersonation).
  • The Actor property of IClaimsIdentity holds the intermediary that acted on the caller's behalf; the identity itself represents the original caller. Actor is itself an IClaimsIdentity, so Actors nest when delegation is chained: Actor is the last hop, Actor.Actor the one before it, and so on.
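
The three hops of an ActAs round trip, as an added example that is not code from the original post or from the WIF SDK sample: the intermediary forwards the caller's bootstrap token with CreateChannelActingAs, the STS issues a token for the ActAs subject with the requestor appended as Actor, and the back end walks the Actor chain. The contract IBackendService, the endpoint name "backend", the host name frontend.example.com and the delegation allow-list are assumptions for the example; the WIF 1.0 (Microsoft.IdentityModel) API names are used.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical downstream contract. "backend" is assumed to be a
// ws2007FederationHttpBinding endpoint in app.config whose issuer is the STS below.
[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string WhoIsCalling();
}

// --- 1. Intermediary: call the back end as the user who called us ---
public static class Intermediary
{
    // Needs <microsoft.identityModel><service saveBootstrapTokens="true"> so the
    // caller's incoming token is kept on the identity as BootstrapToken.
    public static string CallBackendAsCaller()
    {
        IClaimsIdentity caller = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        SecurityToken callerToken = caller.BootstrapToken;
        if (callerToken == null)
            throw new InvalidOperationException("BootstrapToken missing: enable saveBootstrapTokens");

        ChannelFactory<IBackendService> factory = new ChannelFactory<IBackendService>("backend");
        // ActAs: the RST to the STS carries callerToken inside <wst14:ActAs> while the
        // intermediary authenticates to the STS with its own credentials.
        // CreateChannelOnBehalfOf(callerToken) would put it in <wst:OnBehalfOf> instead,
        // and the resulting token would carry no trace of this service.
        IBackendService proxy = factory.CreateChannelActingAs<IBackendService>(callerToken);
        try { return proxy.WhoIsCalling(); }
        finally { ((IClientChannel)proxy).Close(); }
    }
}

// --- 2. STS: issue for the ActAs subject, record the requestor as Actor ---
public class DelegationSts : SecurityTokenService
{
    // Assumed policy: only these requestors may delegate. Without such a check any
    // party holding a user's token could mint delegated tokens for that user.
    private static readonly HashSet<string> DelegationAllowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "frontend.example.com" };

    public DelegationSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Sign with the STS key; token encryption is left off for brevity only.
        Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                                SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // principal is whoever authenticated to the STS: the intermediary for ActAs.
        IClaimsIdentity requestor = (IClaimsIdentity)principal.Identity;

        if (request.ActAs == null)
            return requestor.Copy();              // plain request: token describes the requestor

        if (!DelegationAllowed.Contains(requestor.Name))
            throw new InvalidRequestException("requestor is not allowed to delegate");

        // Subject = the original caller taken from the ActAs token. The requestor is
        // appended as the innermost Actor so an existing chain (A -> B -> C) is kept.
        IClaimsIdentity subject = request.ActAs.GetSubject()[0].Copy();
        IClaimsIdentity last = subject;
        while (last.Actor != null) last = last.Actor;
        last.Actor = requestor.Copy();
        return subject;
    }
}

// --- 3. Back end: read the whole chain, subject first ---
public class BackendService : IBackendService
{
    public string WhoIsCalling()
    {
        return DescribeChain((IClaimsIdentity)Thread.CurrentPrincipal.Identity);
    }

    // Subject is the original caller; each Actor is a party that delegated on its behalf.
    // An OnBehalfOf-issued token has no Actor, so the chain is just the subject.
    public static string DescribeChain(IClaimsIdentity identity)
    {
        List<string> hops = new List<string>();
        for (IClaimsIdentity current = identity; current != null; current = current.Actor)
            hops.Add(current.Name ?? "<unnamed>");
        return string.Join(" <- ", hops.ToArray());   // e.g. "alice <- frontend.example.com"
    }
}
```

The back end should authorize on the subject and on every Actor, not on the subject alone: a delegated token proves that a chain of services acted for the user, and a service not entitled to reach the back end should be rejected even when the user is. The allow-list in the STS is the corresponding check on the issuing side.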

Use the Identity Delegation code sample in the Windows Identity Foundation SDK as an example of how to use ActAs. From its Readme file:

The purpose of this sample is to show how to build identity delegation into a simple distributed service by using ActAs functionality. This project contains a mix of passive and active Security Token Services (STSs). The STSs issue SAML 1.1 tokens. The service projects are console based and the client is a browser.
