On-Premise IFD Security Header Analysis

MS CRM uses WS-Security (WSS) to secure its SOAP (XML) messages. ADFS is used as the STS (Security Token Service) server. CRM has two primary services, Organization and Discovery, both of which use the same security configuration.

When a client authenticates with the CRM server, it is redirected to the STS server. The authentication message carries a username claim (username and password) as well as the endpoint the client wishes to communicate with. The STS server authenticates the user with that username and password and returns a security token to the client. The client must then add a WS-Security header to each SOAP message; the CRM server uses that header to validate access to CRM resources, e.g. an Account record.

To understand what security information needs to be provided, we can start with either the ADFS server or the CRM server. Both servers must be consistent: the CRM server cannot require a token format that the ADFS server does not issue.

We could start exploring using the CRM server WSDL, but let's first look at the ADFS server and assume that all we have to use for login is a username (domain qualified, e.g. crmuser@demo.local) and a password.
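As an added example (not code from the original article), here are the two messages this exchange involves, built with Python's ElementTree: the WS-Trust RequestSecurityToken carrying the UsernameToken and the AppliesTo endpoint, and a CRM request with the issued token placed in its Security header. The STS URL, CRM endpoint and token used when calling these functions are assumed placeholders, and building the XML with a tree rather than string concatenation keeps a username like `a</wsse:Username>` from escaping its element.

```python
import xml.etree.ElementTree as ET
NS = {  # namespaces used by the SOAP 1.2 / WS-Trust 1.3 / WS-Security messages
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
PWD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def build_rst(username, password, sts_url, applies_to):
    """RequestSecurityToken sent to ADFS: UsernameToken in the Security header, CRM endpoint in AppliesTo."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("a", "Action")).text = NS["wst"] + "/RST/Issue"
    ET.SubElement(hdr, q("a", "To")).text = sts_url  # assumed STS address, e.g. the ADFS usernamemixed endpoint
    sec = ET.SubElement(hdr, q("wsse", "Security"), {q("s", "mustUnderstand"): "1"})
    tok = ET.SubElement(sec, q("wsse", "UsernameToken"))
    ET.SubElement(tok, q("wsse", "Username")).text = username
    # PasswordText carries the password in clear inside the XML: the hop to the STS must be TLS
    ET.SubElement(tok, q("wsse", "Password"), {"Type": PWD_TEXT}).text = password
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("a", "EndpointReference"))
    ET.SubElement(epr, q("a", "Address")).text = applies_to  # the CRM service the token is scoped to
    return ET.tostring(env, encoding="unicode")

def attach_token(soap_xml, token_xml):
    """Put the token ADFS issued into the wsse:Security header of a CRM request, creating the header if absent."""
    env = ET.fromstring(soap_xml)
    hdr = env.find(q("s", "Header"))
    if hdr is None:
        hdr = ET.Element(q("s", "Header"))
        env.insert(0, hdr)
    sec = hdr.find(q("wsse", "Security"))
    if sec is None:
        sec = ET.SubElement(hdr, q("wsse", "Security"), {q("s", "mustUnderstand"): "1"})
    sec.append(ET.fromstring(token_xml))
    return ET.tostring(env, encoding="unicode")

def security_children(soap_xml):
    """Local names of the elements inside wsse:Security, i.e. what the receiving server will evaluate."""
    sec = ET.fromstring(soap_xml).find("s:Header/wsse:Security", NS)
    return [] if sec is None else [c.tag.rsplit("}", 1)[-1] for c in sec]
```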
