Getting SAML token with claims from ADFS using WindowsIdentity


I have a scenario where the client uses Kerberos authentication (this cannot be changed) and, thus, my WCF web service only has access to the WindowsIdentity object (System.Security.Principal.WindowsIdentity). The WindowsIdentity object doesn't tell me much about the user (basically just the login name). What I need are specific claims about the user (e.g. email, etc.) so that I can map the AD user to one of my system's users.

I have set up a relying trust relationship with ADFS and from my server, using username and password, I am able to retrieve a SAML token and extract the claims I want (i.e. UserNameWSTrustBinding).

With that being said, it seems that, given that I have a WindowsIdentity object in hand (ultimately provided by the ADFS system), it should be possible to ask ADFS to issue me a SAML token. That is, rather than specifying the username/password, I provide the WindowsIdentity.

I would greatly appreciate it if someone could point me in the right direction of how to accomplish this.

Thanks much!

Edit: I have located the following Microsoft document showing the transformation of a Kerberos ticket to a SAML token. So I know it's possible, I just haven't yet figured out how to accomplish it.

https://msdn.microsoft.com/en-us/library/ff359114.aspx
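The request the post is asking about, written as an added example (not the poster's code, and not an answer the page contains): a WS-Trust 1.3 Issue call against ADFS's Windows-authenticated endpoint using the .NET 4.5 `System.IdentityModel` classes, made while impersonating the caller's WindowsIdentity, followed by validation of the returned SAML 2.0 assertion before its claims are trusted. The ADFS URL, relying-party identifier and token-signing thumbprint are placeholders, and the `/adfs/services/trust/13/windowsmixed` endpoint name is assumed from the standard ADFS layout.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

public static class AdfsTokenClient
{
    // Placeholders (assumed, not from the original post): replace with your own values.
    const string StsUrl = "https://adfs.example.local/adfs/services/trust/13/windowsmixed";
    const string RelyingPartyId = "https://myservice.example.local/";
    const string AdfsSigningThumbprint = "<ADFS token-signing certificate thumbprint>";
    const string Saml2TokenType = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Ask ADFS for a bearer SAML 2.0 token while running as the Kerberos-authenticated caller.
    // Note: the impersonated identity is only usable for the outbound Kerberos handshake to ADFS
    // if the service account is trusted for (constrained) delegation to the ADFS HTTP SPN;
    // an identification-level token from the inbound call cannot be forwarded.
    public static SecurityToken RequestSamlToken(WindowsIdentity caller)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsUrl));
        factory.TrustVersion = TrustVersion.WSTrust13;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(RelyingPartyId),
            KeyType = KeyTypes.Bearer,
            TokenType = Saml2TokenType
        };

        using (caller.Impersonate())
        {
            IWSTrustChannelContract channel = factory.CreateChannel();
            RequestSecurityTokenResponse rstr;
            return channel.Issue(rst, out rstr);
        }
    }

    // Validate the issued assertion (signature, issuer, audience, lifetime) and return its claims.
    // Reading attribute values straight out of the XML would skip the signature check, so the
    // token is run through the SAML2 handler with an explicit trusted-issuer registry instead.
    public static ReadOnlyCollection<ClaimsIdentity> ValidateAndExtract(SecurityToken issued)
    {
        var handlerConfig = new SecurityTokenHandlerConfiguration();
        handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyId));

        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(AdfsSigningThumbprint, "ADFS");
        handlerConfig.IssuerNameRegistry = issuers;
        // Default CertificateValidationMode is ChainTrust; a self-signed ADFS token-signing
        // certificate needs the chain/peer trust settings adjusted to match your deployment.

        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(handlerConfig);
        var xmlToken = (GenericXmlSecurityToken)issued;
        SecurityToken saml = handlers.ReadToken(new XmlNodeReader(xmlToken.TokenXml));
        return handlers.ValidateToken(saml);
    }

    // Typical use inside the WCF operation that received the Kerberos caller.
    public static string LookupEmail(WindowsIdentity caller)
    {
        SecurityToken token = RequestSamlToken(caller);
        foreach (ClaimsIdentity identity in ValidateAndExtract(token))
        {
            Claim email = identity.FindFirst(ClaimTypes.Email);
            if (email != null) return email.Value;
        }
        return null;
    }
}
```

Which claims come back (e.g. `ClaimTypes.Email`) is decided by the relying-party claim rules configured in ADFS, not by the request, so an empty result means the rules for this relying party need to issue the attribute rather than that the code is wrong.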
