I've started working on building an STS for use in some new product scenarios, and using the wsFederationHttpBinding, and I totally get how that works if the user is supposed to send their username and password to the STS to be authorized.
I'm talking to the STS with a binding like so:
<security authenticationMode="UserNameForCertificate" requireDerivedKeys="true" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" requireSecurityContextCancellation="false" requireSignatureConfirmation="false">
and in the client (in this case a web app) I set the credentials thusly:
// The endpoint configuration name was cut off in the original post; "ENDPOINT_CONFIG_NAME" is a placeholder
ChannelFactory<IHelloWorldChannel> factory = new ChannelFactory<IHelloWorldChannel>("ENDPOINT_CONFIG_NAME");
factory.Credentials.UserName.UserName = "MyUser";
factory.Credentials.UserName.Password = "MyPassword";
IHelloWorldChannel helloWorldService = factory.CreateChannel();
string response = helloWorldService.HelloWorld("John Doe");
That works great. I validate the user's credentials with a custom UserNamePasswordValidator, and everyone is happy. Works just like it's supposed to.
What I'd also like to be able to support is self-issued CardSpace cards. I envision it working like this:
Which should mean (again, as I envision it working) that my STS is configured like:
<message clientCredentialType="IssuedToken" establishSecurityContext ="false"/>
The part I don't get is what's the equivalent of setting the username and password on the ChannelFactory for CardSpace cards? It seems like there should be some way of presenting the CardSpace token to the STS and having the rest of it work.
Is this just not possible, or am I missing something? Is there another way to make this work? I can get the CardSpace token just fine as far as the web server, but I don't know where to go from there.
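For comparison, here is what the two client set-ups described in the post look like when built in code rather than in configuration. This is an added illustration, not the poster's code: the service and STS addresses, the way the STS certificate is obtained, the requested claim type and the SAML 1.0 token type are assumptions. The self-issued issuer address is the standard identity-selector URI; it relies on the identity selector running interactively on the calling machine, which is something a server-side web application cannot do, so the second method only applies when the client code runs on the user's desktop.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Added illustration, not the poster's code. The contract mirrors the one the post calls.
[ServiceContract]
public interface IHelloWorld
{
    [OperationContract]
    string HelloWorld(string name);
}

public interface IHelloWorldChannel : IHelloWorld, IClientChannel { }

public static class FederationClientExamples
{
    // Case 1 from the post: the client obtains its token from the STS by presenting a
    // username and password, so the UserName pair is set on the ChannelFactory and the
    // federation binding is told how to reach the STS.
    public static string CallWithUserName(string serviceAddress, string stsAddress,
                                          X509Certificate2 stsCertificate,
                                          string user, string password)
    {
        // Issuer (STS) binding, matching the post's
        // <security authenticationMode="UserNameForCertificate" requireDerivedKeys="true" ...> element.
        SymmetricSecurityBindingElement issuerSecurity =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        issuerSecurity.SetKeyDerivation(true);
        issuerSecurity.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;
        issuerSecurity.RequireSignatureConfirmation = false;
        var issuerBinding = new CustomBinding(
            issuerSecurity,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());

        var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
        binding.Security.Message.IssuerAddress = new EndpointAddress(stsAddress);
        binding.Security.Message.IssuerBinding = issuerBinding;

        var factory = new ChannelFactory<IHelloWorldChannel>(binding, new EndpointAddress(serviceAddress));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // UserNameForCertificate encrypts the request to the STS with the STS certificate
        // (assumption: the caller has already loaded it, e.g. from a certificate store).
        factory.Credentials.ServiceCertificate.ScopedCertificates.Add(new Uri(stsAddress), stsCertificate);

        return Invoke(factory);
    }

    // Case 2 from the post: a self-issued CardSpace card. No username is set; the
    // federation binding points at the self-issued issuer URI and the factory allows the
    // interactive identity selector to run. The claim requested here is an assumption.
    public static string CallWithSelfIssuedCard(string serviceAddress)
    {
        var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
        binding.Security.Message.EstablishSecurityContext = false; // matches establishSecurityContext="false"
        binding.Security.Message.IssuerAddress =
            new EndpointAddress("http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self");
        binding.Security.Message.IssuedTokenType = "urn:oasis:names:tc:SAML:1.0:assertion";
        binding.Security.Message.ClaimTypeRequirements.Add(
            new ClaimTypeRequirement(
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"));

        var factory = new ChannelFactory<IHelloWorldChannel>(binding, new EndpointAddress(serviceAddress));
        // Permit the identity selector UI; this only works on an interactive desktop session.
        factory.Credentials.SupportInteractive = true;

        return Invoke(factory);
    }

    // Shared call path: open, invoke HelloWorld("John Doe") as the post does, and close cleanly.
    private static string Invoke(ChannelFactory<IHelloWorldChannel> factory)
    {
        IHelloWorldChannel channel = factory.CreateChannel();
        try
        {
            string response = channel.HelloWorld("John Doe");
            channel.Close();
            return response;
        }
        catch
        {
            channel.Abort();
            throw;
        }
        finally
        {
            factory.Close();
        }
    }
}
```

The first method reproduces the post's working path; the second shows the IssuedToken shape the post is asking about, with the caveat that the token is obtained by the identity selector on the client, not forwarded from a web server that already holds it.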