authentication authorization wif claims-based-identity iprincipal

What is the best way to pass a security token to non-IIS services?


Is there a way to manually and safely serialize Session Security Token?

I am setting up a web application that authenticates with Azure ACS.

I have got the claims and principals ok. Now I need to pass that whole thing to back end services. What's the best way to do this?

  1. Should I serialize the principal object, and manually restore and set it in the back end through a channel intercept?
  2. Can I somehow reuse SessionSecurityToken? Some of the back-end services could use technology like MSMQ, so the concepts of session and cookies are moot. Is there a way to still use the same token that gets set in the cookies nonetheless, for uniformity's sake? If so, how?
  3. Should I set up WIF on the back-end services? This seems like a major hassle. If the user has been authenticated, I want to get all the claims and pass them on, or set up my own custom role manager.
  4. Should I simply create a ticket that can be redeemed against a caching service to retrieve all of this information?

Solution

  • There is no best way. The most standard way is to use a wsFederationHttpBinding on your WCF back-end services. This way your security token can arrive at the back end, and the back end cannot be called (unless you expose other bindings) without a valid token.
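
A configuration sketch of the approach this answer describes, added here as an illustration and not part of the original answer. It assumes the WIF classes built into .NET 4.5 or later (`System.IdentityModel`); the service and contract names, the `example.invalid` addresses and the thumbprint are placeholders.

```xml
<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <system.serviceModel>
    <services>
      <!-- Hypothetical service. This is its only endpoint, so there is no
           other binding through which it can be called without a token. -->
      <service name="Backend.OrderService" behaviorConfiguration="federated">
        <endpoint address=""
                  binding="wsFederationHttpBinding"
                  bindingConfiguration="issuedToken"
                  contract="Backend.IOrderService" />
      </service>
    </services>
    <bindings>
      <wsFederationHttpBinding>
        <binding name="issuedToken">
          <!-- HTTPS protects the channel; the issued token authenticates the caller -->
          <security mode="TransportWithMessageCredential">
            <message issuedKeyType="BearerKey">
              <issuerMetadata address="https://sts.example.invalid/mex" />
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="federated">
          <!-- Validate incoming tokens with the identityConfiguration below -->
          <serviceCredentials useIdentityConfiguration="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.identityModel>
    <identityConfiguration>
      <!-- Reject tokens that were issued for a different relying party -->
      <audienceUris>
        <add value="https://backend.example.invalid/OrderService.svc" />
      </audienceUris>
      <!-- Accept only tokens signed by the trusted issuer's certificate -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="PLACEHOLDER_ISSUER_CERT_THUMBPRINT" name="trusted-sts" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

The `audienceUris` and `trustedIssuers` entries are what make the token check meaningful: without them the back end would have no basis for deciding which issuer and which intended recipient to accept.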