Csla has a CslaPrincipal and a CslaIdentity, fact. They can be overridden and customized, and finally ApplicationContext.User is set to an object implementing IPrincipal.
But what if the WCF service has to be a "Relying Party" as part of a WIF solution?
I have the requirement to set up Federated Authentication using IClaimsPrincipal and IClaimsIdentity. So far so good, but I don't want to put the knowledge needed to decrypt the issued token (a GenericXmlSecurityToken) into a ClaimsPrincipal on the client.
If the client application doesn't have this knowledge then I think CSLA authentication fails; please correct me if I'm wrong. The authorization checks are done in the 'smart objects' on both the client side and the server side. IsInRole etc. can't execute without knowing the ClaimsPrincipal. It should be possible, somehow, for the client to have only an issued token and use that to call the custom WcfPortal with a WS2007FederationBinding.
I'm thinking of working around this issue by creating a web service to convert the issued token to an IClaimsPrincipal, so that the knowledge to decrypt it is on the server side, but this might be a security issue!
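As an added illustration of the server-side conversion the post describes (editor's example, not code from the post, from CSLA or from WIF): a CslaPrincipal subclass that is built on the server from the IClaimsPrincipal WIF produces after validating the issued token, and that answers IsInRole from the role claims it carries. Only the identity name and the role names travel with the principal; the token and the key material needed to decrypt it never leave the server. It assumes CSLA 4 (Csla.Security.CslaPrincipal with an IIdentity constructor and a virtual IsInRole) and WIF 1.0 (Microsoft.IdentityModel.Claims), and that WIF has been configured on the WCF host so that Thread.CurrentPrincipal is an IClaimsPrincipal when the data portal method runs; the class and method names are the example's own.

```csharp
// Editor's example, not from the post or from CSLA/WIF. Assumes CSLA 4 and WIF 1.0.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.Threading;
using Csla;
using Csla.Security;
using Microsoft.IdentityModel.Claims;

// Hypothetical name: a CSLA principal that carries only name + roles, never the token.
[Serializable]
public class FederatedPrincipal : CslaPrincipal
{
    private readonly string[] _roles;

    private FederatedPrincipal(IIdentity identity, IEnumerable<string> roles)
        : base(identity)
    {
        _roles = roles.ToArray();
    }

    // Server side only: WIF has already validated the GenericXmlSecurityToken and
    // produced the IClaimsPrincipal; this just projects it into a CSLA principal.
    public static FederatedPrincipal FromClaimsPrincipal(IClaimsPrincipal claimsPrincipal)
    {
        if (claimsPrincipal == null)
            throw new SecurityException("No claims principal on the current thread.");

        var identity = claimsPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new SecurityException("No authenticated claims identity.");

        // Only the role claims are copied; every other claim stays on the server.
        var roles = identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.Role)
            .Select(c => c.Value);

        // GenericIdentity is [Serializable], so CSLA can carry it back to the client.
        return new FederatedPrincipal(new GenericIdentity(identity.Name, "Federation"), roles);
    }

    // Called at the start of the server-side data portal request (for example in the
    // custom WcfPortal) so that the business objects' authorization rules see this
    // principal for the rest of the call.
    public static void ApplyToApplicationContext()
    {
        var current = Thread.CurrentPrincipal as IClaimsPrincipal;
        ApplicationContext.User = FromClaimsPrincipal(current);
    }

    // Authorization rules in the business objects end up here via IPrincipal.IsInRole.
    public override bool IsInRole(string role)
    {
        return _roles.Contains(role, StringComparer.OrdinalIgnoreCase);
    }
}
```

Because the principal is [Serializable] and contains nothing but a name and role strings, it can be returned to the client through the data portal's normal context handling without exposing the token, which is the property the post is asking for; what the client then does with IsInRole is a display-level check only, and the server-side call in the portal is the one that actually enforces it.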