Geeks With Blogs

News This is the *old* blog. The new one is at
Elton Stoneman
This is the *old* blog. The new one is at

WIF with SAML is solid and flexible, but unless you need the power, it can be overkill for simple claim assertion, and in the REST world WIF doesn’t have support for the latest token formats.  Simple Web Token (SWT) may not be around forever, but while it's here it's a nice easy format which you can manipulate in .NET without having to go down the WIF route.

Assuming you have set up a Relying Party in ACS, specifying SWT as the token format:


When ACS redirects to your login page, it will POST the SWT in the first form variable. It comes through in the BinarySecurityToken element of a RequestSecurityTokenResponse XML payload , the SWT type is specified with a TokenType of :

<t:RequestSecurityTokenResponse xmlns:t="">


    <wsu:Created xmlns:wsu="">2012-08-31T07:31:18.655Z</wsu:Created>

    <wsu:Expires xmlns:wsu="">2012-08-31T09:11:18.655Z</wsu:Expires>


  <wsp:AppliesTo xmlns:wsp="">

    <EndpointReference xmlns="">





    <wsse:BinarySecurityToken wsu:Id="uuid:fc8d3332-d501-4bb0-84ba-d31aa95a1a6c" ValueType="" EncodingType="" xmlns:wsu="" xmlns:wsse=""> [ base64string ] </wsse:BinarySecurityToken>






Reading the SWT is as simple as base-64 decoding, then URL-decoding the element value:

    var wrappedToken = XDocument.Parse(HttpContext.Current.Request.Form[1]);

    var binaryToken = wrappedToken.Root.Descendants("{}BinarySecurityToken").First();

    var tokenBytes = Convert.FromBase64String(binaryToken.Value);

    var token = Encoding.UTF8.GetString(tokenBytes);

    var tokenType = wrappedToken.Root.Descendants("{}TokenType").First().Value;

The decoded token contains the claims as key/value pairs, along with the issuer, audience (ACS realm), expiry date and an HMAC hash, which are in query string format. Separate them on the ampersand, and you can write out the claim values in your logged-in page:

    var decoded = HttpUtility.UrlDecode(token);

    foreach (var part in decoded.Split('&'))


        Response.Write("<pre>" + part + "</pre><br/>");


- which will produce something like this: Audience=http://localhost/x.y.z

The HMAC hash lets you validate the token to ensure it hasn’t been tampered with. You'll need the token signing key from ACS, then you can re-sign the token and compare hashes. There's a full implementation of an SWT parser and validator here: How To Request SWT Token From ACS And How To Validate It At The REST WCF Service Hosted In Windows Azure, and a cut-down claim inspector on my github code gallery: ACS Claim Inspector.

Interestingly, ACS lets you have a value for your logged-in page which has no relation to the realm for authentication, so you can put this code into a generic claim inspector page, and set that to be your logged-in page for any relying party where you want to check what's being sent through. Particularly handy with ADFS, when you're modifying the claims provided, and want to quickly see the results.

Posted on Wednesday, September 19, 2012 10:12 PM Azure , ACS | Back to top

Comments on this post: WIF-less claim extraction from ACS: SWT

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Elton Stoneman | Powered by: