Windows Identity Foundation - Third Party Secure Token Server

Question

I'm trying to get my head around all the claims based windows identity foundation magic.

Assuming I don't want to use ADFS, one thing that isn't clear to me is whether its best to roll your own STS using WIF to do some of the hard work or to rely on a third party.

And if it is the third party option - what third party STS's are there

Answer 1

It all depends where your authentication information is of course. If you aren't using AD, but are using something else then it's up to that provider to supply an STS.

If all you want is something database driven, well there are a few out there, and it depends on what development platform you're happiest with when you come to customise it.

If you're using .NET then you could use the StarterSTS as a starting point (no pun intended).

Answer 2

Safewhere*Identify is a third-party STS built on WIF, but supporting additional protocols and with a more pluggable architecture than ADSF2.

Full Disclosure: I work for Safewhere and am heavily involved in both architecting and developing the product.

Answer 3

You should never roll your own STS (if you can avoid it). Creating an STS suited for a developer demo is trivial, but a world-class, enterprise caliber STS is no small undertaking. Besides ADFS and Safewhere's STS (which Mark mentioned), the following products include an STS (or they say they support WS-Trust which implies this):

• Novell Access Manager
• Ping Identity PingFederate
• Symlabs Federated Identity Suite
• OpenSSO
• Vordel
• Shibaleth
• Redhat JBoss Identity (alpha)
• Oracle Identity Federation (I'm unclear on whether or not this product support WS-Trust, but I would be surprised if it didn't.)

Also, the Java framework Metro is like WCF + WIF. It has everything you need to create an STS, which you shouldn't do; if, however, you evaluate those products and find that they won't satisfy your needs, rolling your own is your only option.

Answer 4

Travis,

Many of the products you listed are familiar to me from the IdM space. Especially Novell and Oracle...but most of these are either an entire stack or parts of a suite. And all of them will require an identity store and authentication services, right?

For example, to use Novell or Oracle or Ping, you would still need to implement a directory or some other user store, authenticate the users somehow (IWA or login page using a service provided by the product, for instance) and then federate that user to the WIF based RP, right?

How would you suggest comparing these suggestions to an do-it-yourself ADFS implementation?

The reason I ask...

We have already build a core framework and product set based on claims, using WIF to consume those claims. We are now looking at deploying ADFS as an STS, and want to step back first and consider if there is a way to accelerate a real prod deployment. We have been using the starterSTS until now...

We need to support several options for authentication: 1) IWA into the RP using our internal AD for users within our enterprise 2) provide a way for our customer's users to login using users we own and control as their IDP (assuming a new directory for them, seperate from our internal AD), and 3) external IDPs where our customers authenticate the users and federate into us.

Option 2 is something we need some authentication service for...so since we can not get away with 100% federated SSO with external IDPs, any third party option must include authentication services.

I looked briefly at the the safewhere site and didn't see any usable details about an STS alternative working with WIF. I see some federation product(s) and a WAM product...what exactly do they offer as an STS?

Thanks for any input you might have.