As a follow up to this post – things have changed a little bit in .NET 4.5. SessionMode is now called ReferenceMode (which is less confusing), and mechanics are slightly different now.
When creating session security tokens manually, you can set the IsReferenceMode property:
var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromHours(8))
{
IsReferenceMode = true // cache on server
};
..and when using the WS-Federation authentication module, you use this technique:
void WSFederationAuthenticationModule_SessionSecurityTokenCreated
(object sender, SessionSecurityTokenCreatedEventArgs e)
{
e.SessionToken.IsReferenceMode = true;
}
HTH
leastprivilege.com 
Dominick, how do you handle situation in where you have MVC4 based web portal that uses data from WebAPI based application. This scenario is interesting in particular:
1. You take username and password on MVC4 application and do service call to WebAPI method that returns ClaimsIdentity
2. You create ClaimsPrincipal from ClaimsIdentity for MVC4 application and use appropriate FederateAuthentication cookie to store ClaimsPrincipal for round-trips
3. For each other request to WebAPI you still need to provide end-user credentials to WebAPI. What is the best practice here?
4. What happens if user identity gets changed on WebAPI by other application? How do you inform MVC4 application that identity has changed and that it should pick up new identity?
I am afraid – I don’t understand that. Why would you do that?
Web portal based on MVC4 is just used as presentational layer. Data from database is served by Web API application to MVC4 web portal and smartphone applications in a same way. Web portal is basically there to serve if end-user does not have smartphone application. Both Web portal and smartphone apps require a method to authenticate/authorize with WebAPI service methods. Does this make any sense to you now?
ok
3) could be replace by a session token, e.g.
https://leastprivilege.com/2012/06/19/session-token-support-for-asp-net-web-api/
4) there is no good solution for that i think
Thank you a lot for your response! :)
I was wondering if there is out-of-the-box solution for this synchronization issue, so if you say there is not one, I’ll take your word as authority on it :)
I had idea about introducing Identity version and I would like your opinion about it. So I’m talking about architecture pattern stated above (you’d be surprised how often that is required for small projects in order to save development time).
So this is how would this scheme work:
1) User submits credentials (username, password) to MVC4 Web / Smartphone app.
2) MVC4 Web / Smartphone app does sends Authorize header to Web API:
Authorize: basic base64(username:password:version)
For initial sign in version would be 0.
3) WebAPI gathers claims for given username/password, and forms identity. This identity would contain a special claim that would provide Identity version. Since sent version in Authorize header is 0, WebAPI would send new token that holds Identity in some custom X-Token header in response.
4) MVC4 / Smartphone app would then extract identity from token and store it in appropriate way.
5) Every subsequent request to WebAPI would again be done with;
Authorize: basic base64(username:password:version)
6) If there has not been a change on identity from some other party, version of request will match version claim, and no header would be generated in response.
7) If however identity has been changed on Web API (by invoking some service that changes one of the claims), Web API would then respond with new token within X-Token header that would contain changed identity.
This of course requires that on the MVC4 / Smartphone side, X-Token has to be listened for.
How would you rate this custom solution?
Again, your opinion is most highly valued :)
Thank you!
Dominick,
Probably, it’s not exactly the same issue… I’ll make a try :)
If user has been authenticated against Identity Server, and MVC 4 application has relevant claims, what will be the recommended way to call external WEB API (that configured to handle IdentityServer SAML)?
Thank you
… and WEB API works with same Identity Server …
Sorry – i am completely snowed under right now. If the problem/question persists please contact me again early next year.
Hai!
Happy New Year.
Is snow now gone?
:)
You could use a similar approach to this:
http://blogs.msdn.com/b/vbertocci/archive/2013/01/09/using-the-jwt-handler-for-implementing-poor-man-s-delegation-actas.aspx