SAML based authentication

The DCS message bus supports the WS-Trust protocol to authenticate user requests. The WS-Trust specification defines methods for issuing and validating security tokens, and provides support for implementing brokered authentication.

The Token Issuer Service provided with DCS implements a security token service (STS) that follows the WS-Trust specification. It can authenticate users and issue Secure Application Markup Language (SAML) tokens containing authenticated claims. An administrator can configure the security policy for a DCS service to authenticate requests by using the Token Issuer Service provided with DCS, or by using third-party STS.

By default, the STS (in the Token Issuer Service) authenticates a user by using account information in Active Directory. If the user is currently logged on to the same domain as that used by the Token Issuer Service, the STS uses Kerberos authentication. If the user is not logged on to the same domain, an administrator can configure the STS to authenticate the user by exchanging digital certificates. The Token Issuer Service implements a customizable model for generating SAML tokens, and a developer can build a custom claim provider to validate the claims for a client application. For more information, see CCF 2009 SP1 DevelopmentGuide.

See Also

CCF Security Extensions