Steve Johnstone

Reputation: 576

WIF in MVC.net - Adding Additional Claims to SAML Token from Second IP

I've got an MVC.net application that uses an MVC.net identity provider (IP-1) for its authentication. After a user has logged on, I need to get some additional claims from another application (IP-2). I'm doing this by passing the token back to IP-2, which is able to read the token and add additional claims before generating a new token.

The problem comes when I try to pass the new token to the RP, as the client is already authenticated with the RP, and so the new token and its claims are ignored.

I think what I'm trying to do is explained below, but I'm also aware that my knowledge of WIF is a bit shaky, so there may be some flaws in my assumptions of how things should work.

My question is, how do I get the RP to re-authenticate using the new token? Also, is there a better way to add the claims without having to recreate the token in the IP-2 application?

Sequence Diagram

Upvotes: 2

Views: 524

Answers (1)

paullem

Reputation: 1311

To accept a new SAML token you need to clear the session Cookie and then send a new signin request. But......

Sending the SAML Token from IP-1 to the other (IP-2) goes fundamentally against the SAML and WS-Fed designs. The SAML token is meant for the RP. It is not supposed to be sent to anyone else!! If the SAML Token is encrypted for the RP, then IP-2 cannot even read it. And there is (of course) no standard way to add the first token info to the second authentication request.

Cascading (one first, then the other adds claims) is the standard solution. In your case it sounds like redirect through IP-2 to IP-1. IP-1 sets its normal claims. IP-2 adds its claims and then does the final return to the RP.

Upvotes: 2
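The two points in the answer above, as an added example that is not code from the original post or from either author: first, how an already-signed-in RP can be made to accept a new token (delete the WIF session cookie, then issue a fresh wsignin1.0 request), and second, the cascading design in which IP-2 sits between the RP and IP-1 as a federation provider, receives IP-1's claims as the incoming principal, and issues one combined token to the RP. It assumes WIF 4.5 (System.IdentityModel / System.IdentityModel.Services) in ASP.NET MVC; the realm, reply and issuer URLs, the certificate handling and the `LookupLocalClaims` claim source are placeholders. On IP-2 the redirect to IP-1 is driven by IP-2's own `<wsFederation>` configuration, which trusts IP-1 as its issuer, so no token is ever forwarded by hand.

```csharp
// Added example (not from the original post). Assumes WIF 4.5 on ASP.NET MVC.
using System;
using System.Collections.Generic;
using System.IdentityModel;                       // SecurityTokenService, Scope
using System.IdentityModel.Configuration;         // SecurityTokenServiceConfiguration
using System.IdentityModel.Protocols.WSTrust;     // RequestSecurityToken
using System.IdentityModel.Services;              // FederatedAuthentication, SignInRequestMessage
using System.IdentityModel.Tokens;                // X509SigningCredentials
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Web.Mvc;

// ---- RP side: accepting a new token for a user who already has a session.
// WIF's SessionAuthenticationModule serves every later request from the FedAuth
// cookie and never looks at a fresh wresult, so the cookie has to go first.
public class ReauthController : Controller
{
    public ActionResult Refresh()
    {
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        var fam = FederatedAuthentication.WSFederationAuthenticationModule;

        sam.DeleteSessionTokenCookie();   // 1. drop the RP session cookie
        sam.SignOut();                    //    and end the current WIF session

        // 2. Fresh wsignin1.0 request; wtrealm/wreply come from <wsFederation>,
        //    wctx carries the return URL so the user lands back where they were.
        SignInRequestMessage signIn = fam.CreateSignInRequest(
            uniqueId: Guid.NewGuid().ToString(),
            returnUrl: Url.Action("Index", "Home", null, Request.Url.Scheme),
            rememberMeSet: false);

        // 3. On the way back the FAM validates the new token and the SAM writes
        //    a new FedAuth cookie carrying the new claims.
        return Redirect(signIn.WriteQueryString());
    }
}

// ---- IP-2 side: the cascading design. IP-2 is a relying party of IP-1 and an
// STS for the real RP. Its own <wsFederation> config names IP-1 as issuer, so an
// unauthenticated wsignin1.0 from the RP is passively redirected to IP-1; when
// IP-1 posts its token back, IP-2's SAM signs the user in and this STS runs with
// IP-1's claims already in 'principal'.
public class CascadingStsConfiguration : SecurityTokenServiceConfiguration
{
    // 'signingCert' is assumed to be IP-2's own signing certificate.
    public CascadingStsConfiguration(X509Certificate2 signingCert)
        : base("https://ip2.example.test/sts",              // assumed issuer name
               new X509SigningCredentials(signingCert))
    {
        SecurityTokenService = typeof(CascadingSts);
    }
}

public class CascadingSts : SecurityTokenService
{
    // Only these realms get tokens; refusing unknown wtrealm values keeps the
    // STS from being an open token-issuing endpoint. Values are assumed.
    static readonly Dictionary<string, string> TrustedRelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://rp.example.test/", "https://rp.example.test/" }  // realm -> reply
        };

    public CascadingSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        string reply;
        if (request.AppliesTo == null ||
            !TrustedRelyingParties.TryGetValue(request.AppliesTo.Uri.AbsoluteUri, out reply))
            throw new InvalidRequestException("Unknown relying party in wtrealm");

        return new Scope(request.AppliesTo.Uri.AbsoluteUri,
                         SecurityTokenServiceConfiguration.SigningCredentials)
        {
            ReplyToAddress = reply,
            TokenEncryptionRequired = false  // set true and supply EncryptingCredentials in production
        };
    }

    protected override ClaimsIdentity GetOutputClaimsIdentity(
        ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Pass IP-1's claims through unchanged (their Issuer still names IP-1)...
        var output = new ClaimsIdentity(principal.Claims, "Federation");

        // ...then append IP-2's own claims, stamped with IP-2 as issuer so the
        // RP can tell which identity provider asserted what.
        Claim nameId = principal.FindFirst(ClaimTypes.NameIdentifier);
        string subject = nameId != null ? nameId.Value : principal.Identity.Name;
        string me = SecurityTokenServiceConfiguration.TokenIssuerName;
        foreach (var c in LookupLocalClaims(subject))
            output.AddClaim(new Claim(c.Key, c.Value, ClaimValueTypes.String, me, me));

        return output;
    }

    // Assumed claim source for IP-2; constructed in-memory values for the example.
    static IEnumerable<KeyValuePair<string, string>> LookupLocalClaims(string subject)
    {
        yield return new KeyValuePair<string, string>(
            "http://schemas.ip2.example.test/claims/department", "Finance");
        yield return new KeyValuePair<string, string>(ClaimTypes.Role, "Approver");
    }
}
```

The RP configures IP-2, not IP-1, as its issuer, and trusts IP-2's signing certificate; IP-1's certificate is trusted only by IP-2. That keeps each token with the party it was issued for, which is the point the answer makes about not forwarding tokens, and the RP still sees IP-1's claims because `GetOutputClaimsIdentity` copies them into the token IP-2 issues.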
