Delegation using the ActAs approach has some interesting security features:
- A security token service can make authorization and validation checks before issuing the ActAs token (for example: is this middle tier allowed to delegate at all, and to which target services?).
- Combined with proof keys (holder-of-key tokens) you get proof of possession, and with it non-repudiation features: a captured ActAs token cannot be replayed without the proof key.
- The ultimate receiver sees the original caller as the direct caller and can optionally traverse the delegation chain (the Actor property on the claims identity) to see which intermediaries relayed the call.
- Encryption and audience restriction can be tied down, because the STS knows the target service (AppliesTo) at issuance time.
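The first point above (checks before issuance) is where most of the security of this model lives, so here is what such a check can look like inside a custom STS. This is an added example, not code from the original post or from the WIF SDK sample. It assumes the WIF 3.5 namespaces (Microsoft.IdentityModel.*), a hypothetical allowlist (DelegationPolicy) mapping requestor names to the audiences they may delegate to, and that the base SecurityTokenService has been configured with signing credentials elsewhere.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical custom STS (WIF 3.5); added example, not from the original post.
// Only the ActAs-relevant parts are shown; configuration and signing setup are assumed
// to be provided through the SecurityTokenServiceConfiguration passed to the constructor.
public class DelegatingSecurityTokenService : SecurityTokenService
{
    // Assumed policy: which authenticated requestors may ask for an ActAs token, and for
    // which target services (AppliesTo) they may ask for one.
    private static readonly Dictionary<string, string[]> DelegationPolicy =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "middletier", new[] { "https://service.example.com/" } }
        };

    public DelegatingSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    // Authorization check: requestor must be allowed to delegate to exactly this audience.
    public static bool MayDelegate(string requestor, string appliesTo)
    {
        string[] audiences;
        if (requestor == null || appliesTo == null) return false;
        if (!DelegationPolicy.TryGetValue(requestor, out audiences)) return false;
        return Array.Exists(audiences, a => string.Equals(a, appliesTo, StringComparison.OrdinalIgnoreCase));
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null) throw new InvalidRequestException("AppliesTo is required.");
        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
        // Assumed for the example only: in production set scope.EncryptingCredentials to the
        // audience's certificate so the token is readable by the target service alone.
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var requestor = (IClaimsIdentity)principal.Identity;
        if (request.ActAs == null)
        {
            // Ordinary (non-delegated) request: issue a token for the requestor itself.
            return requestor.Copy();
        }

        if (!MayDelegate(requestor.Name, scope.AppliesToAddress))
            throw new InvalidRequestException("Requestor is not allowed to delegate to this audience.");

        // GetIdentities() runs the ActAs (bootstrap) token through the STS's token handlers,
        // so an expired, unsigned or untrusted token fails here instead of being re-issued.
        var actAsIdentities = request.ActAs.GetIdentities();
        if (actAsIdentities.Count == 0) throw new InvalidRequestException("ActAs token carries no identity.");
        IClaimsIdentity original = actAsIdentities[0].Copy();

        // Append the requestor at the end of the Actor chain: the receiver sees the original
        // caller as the direct caller and can walk Actor -> Actor -> ... to see who relayed it.
        IClaimsIdentity last = original;
        while (last.Actor != null) last = last.Actor;
        last.Actor = requestor.Copy();
        return original;
    }
}
```

Keying the policy on the requestor's name claim is the simplest form; in practice you would tie it to something the requestor cannot choose for itself, such as the issuer of its credential or a certificate thumbprint, and you would also bound the lifetime of the issued token to that of the bootstrap token.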
Most samples out there (including the SDK sample) use the CreateChannelActingAs extension method from WIF to request ActAs tokens. This method builds on top of the WCF binding configuration, which may not always be suitable for your situation.
You can also use the WSTrustChannel to request ActAs tokens. This allows direct and programmatic control over bindings and configuration and is my preferred approach.
The method below requests an ActAs token based on a bootstrap token (the token the original caller presented to the middle tier). The returned token can then be used directly with the CreateChannelWithIssuedToken extension method.
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;
private readonly string _stsAddress = "https://sts.example.com/trust/13/username"; // assumed; not in the original snippet
private readonly string _serviceAddress = "https://service.example.com/";          // assumed; not in the original snippet

private SecurityToken GetActAsToken(SecurityToken bootstrapToken)
{
    // Binding and STS address are assumed here; the original snippet leaves the factory arguments out.
    var factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), new EndpointAddress(_stsAddress));
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.UserName.UserName = "middletier";   // the middle tier authenticates to the STS as itself
    factory.Credentials.UserName.Password = "abc!123";
    var rst = new RequestSecurityToken
    {
        AppliesTo = new EndpointAddress(_serviceAddress),    // audience: the back-end service
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Symmetric,                        // STS generates a proof key (holder-of-key token)
        ActAs = new SecurityTokenElement(bootstrapToken)     // the original caller's token
    };
    var channel = factory.CreateChannel();
    return channel.Issue(rst);                               // SecurityToken for CreateChannelWithIssuedToken
}
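Once the issued token reaches the back-end service, WIF exposes the delegation chain through the Actor property of the caller's claims identity (the "traverse the delegation chain" point from the list above). The following is an added example of what a receiver-side check can look like; it is not code from the original post. It assumes WIF 3.5 (Microsoft.IdentityModel.Claims), that WIF has placed an IClaimsPrincipal on Thread.CurrentPrincipal, and a hypothetical allowlist (AllowedDelegates) of intermediaries that may act on a caller's behalf.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// Hypothetical back-end service code (WIF 3.5); added example, not from the original post.
public static class DelegationChainCheck
{
    // Assumed policy: the only identities permitted to relay calls on a user's behalf.
    private static readonly HashSet<string> AllowedDelegates =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "middletier" };

    // Walks identity.Actor, identity.Actor.Actor, ... and returns the names in order,
    // nearest intermediary first. An empty list means a direct, non-delegated call.
    public static IList<string> GetDelegationChain(IClaimsIdentity identity)
    {
        var chain = new List<string>();
        for (var actor = identity.Actor; actor != null; actor = actor.Actor)
        {
            chain.Add(actor.Name);
        }
        return chain;
    }

    // Rejects the call unless every hop in the chain is an allowed delegate.
    public static void EnforceDelegationPolicy(IClaimsIdentity identity)
    {
        var chain = GetDelegationChain(identity);
        var offender = chain.FirstOrDefault(name => !AllowedDelegates.Contains(name ?? string.Empty));
        if (offender != null)
        {
            throw new SecurityException("Delegation via '" + offender + "' is not permitted.");
        }
    }

    // Typical use inside a service operation: identity.Name is the original caller,
    // because the STS put the caller's claims on top and the middle tier into Actor.
    public static string DescribeCaller()
    {
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null) throw new SecurityException("No claims principal on the thread.");
        var identity = (IClaimsIdentity)principal.Identity;
        EnforceDelegationPolicy(identity);
        var chain = GetDelegationChain(identity);
        return chain.Count == 0
            ? identity.Name + " (direct call)"
            : identity.Name + " via " + string.Join(" -> ", chain.ToArray());
    }
}
```

Note that the allowlist here is matched on the intermediary's name claim; the same caveat as on the STS side applies, so prefer a claim the intermediary cannot pick for itself (issuer, certificate thumbprint) when the chain is used for authorization rather than just for auditing.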