If the token is generated by a Managed Card provider, the certificate used to sign the token must be verified to match the certificate of the expected issuer. The certificate of the issuer is acquired out of band and should be stored on the server that hosts the Web service.
Processing Claims
After the issuer identity has been processed, the claims in the token should be used to further authenticate the user or authorize their access to a resource. The claims of a user can be accessed through the WCF AuthorizationContext object, which is reachable directly within the service, as shown in the following listing.
To accept Personal Cards, all RSA keys need to be allowed.
After the token is validated, the claims it contains can be used.
CardSpace and Windows Communication Foundation 261
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// The authorization context of the current operation holds the claim sets
// extracted from the validated token.
AuthorizationContext context =
    OperationContext.Current.ServiceSecurityContext.AuthorizationContext;
foreach (ClaimSet claimSet in context.ClaimSets)
{
    foreach (Claim claim in claimSet)
    {
        // Print the claim value and its type (not the literal strings)
        Console.WriteLine(claim.Resource);
        Console.WriteLine(claim.ClaimType);
    }
}
The claims can then be used to perform any desired checks.
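The following added example (not code from the book) ties the two preceding steps together: it checks that a claim set was issued by the expected Managed Card issuer certificate before trusting any claim in it, and then authorizes the caller on the basis of an e-mail claim. The issuer thumbprint is a placeholder standing in for the value acquired out of band and stored on the service host; the use of an e-mail claim as the authorization criterion is an assumption chosen for illustration.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

public static class ClaimsAuthorizer
{
    // Thumbprint of the expected issuer certificate, obtained out of band and
    // stored on the server hosting the service. PLACEHOLDER: not a real value.
    private const string ExpectedIssuerThumbprint = "PLACEHOLDER_ISSUER_THUMBPRINT";

    // Returns true only when a claim set signed by the expected issuer
    // carries a non-empty e-mail claim. Claims from any other issuer are
    // ignored, so a token signed by an unexpected key grants nothing.
    public static bool IsAuthorized(AuthorizationContext context)
    {
        foreach (ClaimSet claimSet in context.ClaimSets)
        {
            // For a signed token the issuer claim set wraps the signing certificate.
            X509CertificateClaimSet issuer = claimSet.Issuer as X509CertificateClaimSet;
            if (issuer == null)
                continue;

            // Pin the issuer by certificate thumbprint (hex string, case-insensitive).
            string actual = issuer.X509Certificate.Thumbprint;
            if (!string.Equals(actual, ExpectedIssuerThumbprint,
                               StringComparison.OrdinalIgnoreCase))
                continue;

            // Only now are the claims in this set trusted.
            foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Email, Rights.PossessProperty))
            {
                string email = claim.Resource as string;
                if (!string.IsNullOrEmpty(email))
                    return true;
            }
        }
        return false;
    }

    // Call from inside a service operation; rejects the call when no
    // trusted e-mail claim is present.
    public static void RequireTrustedEmailClaim()
    {
        AuthorizationContext context =
            OperationContext.Current.ServiceSecurityContext.AuthorizationContext;
        if (!IsAuthorized(context))
            throw new FaultException("Access denied");
    }
}
```

Pinning a single thumbprint means the stored value must be updated whenever the issuer rotates its certificate; keeping it in the service's configuration rather than in code, as the text suggests, makes that rotation an operational change rather than a redeploy.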
Additional Policy Options
As pointed out, the policy options used by the browser extension can also be set in a WCF configuration file.