WS-Federation RSTR (Request Security Token Response) Validator

How can the SAML security token returned in the RSTR by ADFS be validated with hand-coded logic?
I see there is an option to achieve it using WIF etc. Instead of WIF, is there any other way to manually validate the token and allow the user to access the RP site?
JRR75 Asked:

Randy Downs (Owner) Commented:
maybe this will help.

function designed to request a security token from an ADFS server. It relies on .NET 4.5 and can be run from any system with Web access to the ADFS endpoints. It runs against the following two ADFS endpoints, so you’ll need to make sure they’re enabled on your ADFS server:
/adfs/services/trust/windowsmixed - WS-Trust 1.3, Windows, TransportWithMessageCredential (Mixed)
/adfs/services/trust/usernamemixed - WS-Trust 1.3, Password, TransportWithMessageCredential (Mixed)
You can download the function from the TechNet Script Gallery here. In this post, we’ll step through how it works.
...

You can download the complete script from the TechNet Script Gallery.


Invoke-ADFSSecurityTokenRequest `
    -ClientCredentialType UserName `
    -ADFSBaseUri https://corp.sts.microsoft.com `
    -AppliesTo https://activedirectory.windowsazure.com `
    -UserName 'joshgav' `
    -Password 'MyPassword' `
    -Domain 'CORP' `
    -OutputType Token `
    -SAMLVersion 2 `
    -IgnoreCertificateErrors

JRR75 (Author) Commented:
After receiving the token, how can the token be validated with no WIF?
Randy Downs (Owner) Commented:
Looks like it's all done in the script.

$RSTR = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityTokenResponse

In the last command, we create an empty RSTR object to hold the RSTR which ADFS will return.

Now we’re ready to use our RST in a request.

try {
    $OriginalCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    if ($IgnoreCertificateErrors.IsPresent) {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {return $true}
    }
    $Token = $Channel.Issue($RST, [ref] $RSTR)
}
finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $OriginalCallback
}


Wrapping this all in a try/finally block ensures that even if something goes wrong with the request, the certificate validation bypass is still reverted.

The main work here is done when we call Issue on the channel we created previously. We pass in the RST we created and receive back an RSTR and a processed SecurityToken from ADFS. The RSTR is stored in the out parameter $RSTR, and the SecurityToken is stored in $Token.

Now all that’s left is to return what the user asked for.
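The script above obtains the token from ADFS. As an added example (not from this thread or the TechNet script), the following PowerShell shows the checks a relying party would run on the returned SAML 2.0 assertion itself, using System.Security.Cryptography.Xml instead of WIF token handlers. It assumes the assertion XML is taken from the RSTR as `$RSTR.RequestedSecurityToken.SecurityTokenXml.OuterXml`, that the ADFS token-signing certificate was obtained out of band (for example from the federation metadata) and is held in `$SigningCert`, and that the issuer URI and audience (the `-AppliesTo` value) are the ones configured for this RP; the function name is hypothetical.

```powershell
Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.Xml on Windows PowerShell
function Test-SamlAssertion {
    param(
        [Parameter(Mandatory)] [string] $TokenXml,          # assertion XML, e.g. RequestedSecurityToken.SecurityTokenXml.OuterXml (assumed)
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $SigningCert,
        [Parameter(Mandatory)] [string] $ExpectedIssuer,    # ADFS issuer URI this RP trusts
        [Parameter(Mandatory)] [string] $ExpectedAudience,  # the RP identifier passed as -AppliesTo
        [datetime] $Now = [datetime]::UtcNow,
        [timespan] $ClockSkew = [timespan]::FromMinutes(5)
    )
    # Keep whitespace: canonicalization covers every text node, so normalizing it breaks valid signatures.
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($TokenXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $assertion = $doc.SelectSingleNode('//saml:Assertion', $ns)
    if (-not $assertion) { throw 'Token contains no SAML 2.0 Assertion' }
    # 1. Signature: verify with the trusted token-signing cert (never the KeyInfo carried in the token)
    #    and confirm the Reference covers this very assertion rather than some other element.
    $sigNode = $assertion.SelectSingleNode('ds:Signature', $ns)
    if (-not $sigNode) { throw 'Assertion is not signed' }
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($assertion)
    $signedXml.LoadXml($sigNode)
    if (-not $signedXml.CheckSignature($SigningCert, $true)) { throw 'Assertion signature does not verify' }
    $refUri = $signedXml.SignedInfo.References[0].Uri
    if ($refUri -ne ('#' + $assertion.GetAttribute('ID'))) { throw "Signature reference '$refUri' does not cover the assertion" }
    # 2. Issuer must be the STS this RP trusts.
    $issuer = $assertion.SelectSingleNode('saml:Issuer', $ns)
    if (-not $issuer -or $issuer.InnerText.Trim() -ne $ExpectedIssuer) { throw 'Unexpected issuer' }
    # 3. Validity window, tolerating a little clock skew between ADFS and the RP.
    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    if (-not $cond) { throw 'Assertion has no Conditions element' }
    $mode = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $mode)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $mode)
    if (($Now -lt ($notBefore - $ClockSkew)) -or ($Now -ge ($notOnOrAfter + $ClockSkew))) { throw 'Assertion is outside its validity window' }
    # 4. Audience must be this RP; a token minted for another application is not valid here.
    $aud = $cond.SelectSingleNode('saml:AudienceRestriction/saml:Audience', $ns)
    if (-not $aud -or $aud.InnerText.TrimEnd('/') -ne $ExpectedAudience.TrimEnd('/')) { throw 'Audience mismatch' }
    # All checks passed: return the claims for the RP's own authorization decisions.
    foreach ($attr in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        [pscustomobject]@{ Claim = $attr.GetAttribute('Name'); Value = $attr.InnerText }
    }
}
```

Any thrown error means the RP should reject the token; only the returned claims should feed the site's authorization logic.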