
This is the scenario I need to cover:

A web service that trusts an IdP using WS-Trust or anything like that receives a SAML token to authenticate the user, and we need to call SQL Server or any kind of service that uses Windows integrated auth, and we need to forward the same identity of the calling user.

Is there any solution for this? I know that a couple of years ago the .NET platform had some SAML2Kerberos or something like that, but I think it was deprecated...

Matt

1 Answer


The issue is that you need to translate a SAML identity to an identity provided by Active Directory, and Active Directory doesn't understand SAML. That's where the C2WTS service came into play. It's not deprecated, but using it is frowned upon because it allows impersonation of any user, assuming you've given the service account enough rights to do so, and those rights basically give you root equivalent.

You can either use that service, which is probably the preferred option, or you can build your own mechanism that calls into the Windows subsystem for impersonating users. Something along the lines of this: https://stackoverflow.com/questions/559719/windows-impersonation-from-c-sharp.

Steve
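As an added illustration of the C2WTS route described in the answer (this is not code from the post or from Microsoft), here is what the hop from a validated SAML claim to a Kerberos-authenticated SQL Server call looks like in a .NET Framework web service. `S4UClient.UpnLogon` is the WIF C2WTS client call; the server and database names, the caller configuration and the delegation setup are assumptions.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using Microsoft.IdentityModel.WindowsTokenService; // WIF client for C2WTS

// Assumptions (not from the post): the web service has already validated the
// SAML token and extracted the user's UPN claim; C2WTS is running on this box
// and the web service account is listed in its allowed callers; that account
// has Kerberos constrained delegation with protocol transition to the SQL
// Server's MSSQLSvc SPN only. Server and database names are placeholders.
static class SamlToWindowsForwarder
{
    const string ConnString =
        "Server=SQL-HOST-PLACEHOLDER;Database=DB-PLACEHOLDER;Integrated Security=SSPI";

    // Returns the login SQL Server sees, which should be the forwarded user,
    // not the web service account.
    public static string WhoAmIOnSqlServer(string upn)
    {
        // S4U2Self through C2WTS: a Windows token for the user without their
        // password. This is exactly the capability the answer warns about, so
        // the caller list and delegation scope are the real controls.
        using (WindowsIdentity user = S4UClient.UpnLogon(upn))
        {
            // Without delegation rights the token is identification-level and
            // cannot authenticate to a remote server; fail loudly here instead
            // of surfacing a confusing "login failed for ANONYMOUS LOGON".
            if (user.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
                throw new InvalidOperationException(
                    "C2WTS returned an identification-level token; check delegation.");

            using (WindowsImpersonationContext ctx = user.Impersonate())
            using (var conn = new SqlConnection(ConnString))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open(); // Kerberos ticket obtained for `upn`, not the service
                return (string)cmd.ExecuteScalar();
            } // Dispose reverts impersonation even if the query throws
        }
    }
}
```

On the SQL Server side, a successful forwarded login shows the user's own account in the audit trail, which is the whole point of the exercise and also the way to verify that delegation is scoped as narrowly as intended.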