Jiandong Guo

In the previous blog, I gave an overview on how to handle
token parameters and requirements at run time on the client side.

While it is more or less straight forward with TokenType. KeyType,
etc., it requires extra effort for managing Claims requirement at run time:

1. Claims are defined as an extensible element in the WS-SecurityPolicy spec:

  <wst:Claims Dialect=”http://schemas.xmlsoap.org/ws/2005/05/identity”
     xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  </wst:Claims>

It is up to the applications and profiles of WS-Trust to define the content
of the Claims. So you need to implement com.sun.xml.ws.api.security.trust.Claims
to manage claims in your environment. Here is a sample
for managing claim types of the following form:

  <wst:Claims Dialect=”http://schemas.xmlsoap.org/ws/2005/05/identity”
     xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
     xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
     <ic:ClaimType
       Uri=”http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality”/>
     <ic:ClaimType
       Uri=”http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role”/>
   </wst:Claims>

2. Make run time requirement for claim types on the client side:

Using STSIssuedTokenFeature with STSIssuedTokenConfiguration.
Check out some sample code here.

3. If you you are using Metro based STS, you can obtain the claim types and
provide the user attributes accordingly in your custom STSAttributeProvider.
Here is an example.