R – Handling credentials in an app consuming a WCF service with WIF/Geneva

geneva-framework, wcf, wif

I wonder what the best practices are in a client app (WinForms, console, whatever else) for consuming a WCF service that is authorized and authenticated using WIF (which used to be called Geneva).

Also, at a service level, is it possible to cache the token so that the trip to the STS is not necessary for every WCF operation? (More info on this is also appreciated.)
Thanks

Best Answer

You need to send the token each time, just like you would need to send a username and password each time to a web service secured with usernames and passwords. Just because you're using a SAML token doesn't change this.

You can, however, cache the token on the client side. Each token has a valid-from and valid-to associated with it, so if the web service is not checking for uniqueness of each token via the assertion ID, then you could cache on the client. However, a well-written web service may well be checking the assertion ID to stop relay attacks.
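A client-side cache along the lines described in the answer above, as an added example that is not part of the original answer: it reuses one issued token while its validity window covers the current time and goes back to the STS only when it does not. `IssuedTokenCache`, the `issue` delegate, and the names in the usage comment (`IOrders`, `factory`, `RequestTokenFromSts`) are hypothetical; `SecurityToken.ValidFrom`/`ValidTo` and `CreateChannelWithIssuedToken` are the framework's own.

```csharp
using System;
using System.IdentityModel.Tokens;

// Added example: caches one issued token and re-requests it only when
// its validity window (ValidFrom/ValidTo, both UTC) no longer covers "now".
public sealed class IssuedTokenCache
{
    private readonly Func<SecurityToken> _issue;  // hypothetical delegate that calls the STS
    private readonly TimeSpan _skew;              // margin for clock drift and call latency
    private readonly object _gate = new object();
    private SecurityToken _token;

    public IssuedTokenCache(Func<SecurityToken> issue, TimeSpan skew)
    {
        if (issue == null) throw new ArgumentNullException("issue");
        _issue = issue;
        _skew = skew;
    }

    // The token is still attached to every service call; only the STS trip is saved.
    public SecurityToken GetToken()
    {
        lock (_gate)
        {
            if (!IsUsable(_token, DateTime.UtcNow))
                _token = _issue();                // one trip to the STS
            return _token;
        }
    }

    // Drop the cached token, e.g. after the service rejects it because it
    // tracks assertion IDs and refuses a token it has already seen.
    public void Invalidate()
    {
        lock (_gate) { _token = null; }
    }

    private bool IsUsable(SecurityToken token, DateTime utcNow)
    {
        // Skew is applied on both edges so an STS clock slightly ahead of the
        // client does not force a new token request on every call.
        return token != null
            && token.ValidFrom - _skew <= utcNow
            && utcNow + _skew < token.ValidTo;
    }
}

// Usage (assumed names: IOrders contract, factory, RequestTokenFromSts):
//   var cache = new IssuedTokenCache(RequestTokenFromSts, TimeSpan.FromMinutes(2));
//   IOrders proxy = factory.CreateChannelWithIssuedToken(cache.GetToken());
```

The cached token is a credential for as long as it is valid, so hold it in memory only and call `Invalidate()` on sign-out or when the service rejects it.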
