Question

I have several Silverlight, WP7 and ASP.NET MVC client applications. Most allow anonymous access to the application but secure various features based on a user's credentials when logged in. All of the clients use a common back-end service application for data access and business processing which requires the user's credentials for authentication and authorization.

We currently use Forms Authentication in all client applications and I'd like to migrate our architecture to use federated identity and a claims-based model. Passive federation is not an option.

I am looking for the following flow:

  1. The user triggers the login dialog, enters their username and password then clicks "OK".
  2. Behind-the-scenes, the application calls an active STS service in our existing service application for authentication.
  3. The service is actually a federated STS and passes the call through to the (active) IP_STS which may or may not be ADFS.
  4. When the IP returns the token to the FP, the FP modifies the token with additional claims from the server data store before returning the token to the client application.
  5. The client application maintains the token in memory for authorization checks (in Thread.CurrentPrincipal, for example).
  6. The client also passes the token when making requests to other service operations in our service application.
  7. These service operations will use the token to authenticate/authorize the request.

This is a very different use-case from any of the articles and samples I've been able to locate. Can anyone provide some guidance and/or point me in the right direction?
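The seven-step flow above, modelled end to end as an added example that is not part of the original question and is not WIF or WS-Trust code: an identity-provider STS authenticates the credentials and issues a token scoped to the federation provider; the federation STS validates that token, adds role claims from its own data store and re-issues a token scoped to the application services; the client caches the result in memory and attaches it to every call; each service operation authenticates the token and authorizes on its role claim. The signing keys, user store, role store, issuer/audience names and HMAC-over-JSON token format are all constructed stand-ins (a real deployment would use X.509-signed SAML or JWT tokens); the checks the services perform (signature, issuer, audience, lifetime, role) are the ones that matter regardless of format.

```python
"""Model of the active-federation flow: client -> FP-STS -> IP-STS, claim augmentation
at the FP, token cached on the client and presented to service operations."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data and keys (assumptions, not anything from the original post).
IP_KEY = b"identity-provider-signing-key"      # stands in for the IP-STS signing certificate
FP_KEY = b"federation-provider-signing-key"    # stands in for the FP-STS signing certificate
IP_USERS = {"alice": "correct horse", "bob": "battery staple"}      # IP-STS credential store
FP_ROLES = {"alice": ["Reporting", "Admin"], "bob": ["Reporting"]}   # FP's own data store (extra claims)
TOKEN_LIFETIME = 600  # seconds


def sign_token(claims, issuer, audience, now, key):
    """Issue a signed token. HMAC-SHA256 over a base64 JSON body stands in for a signed SAML assertion."""
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + TOKEN_LIFETIME, "claims": claims}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, expected_issuer, expected_audience, now, key):
    """Check signature, issuer, audience and lifetime; return the claims dict or raise ValueError."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    expected_sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["iss"] != expected_issuer or payload["aud"] != expected_audience:
        raise ValueError("wrong issuer or audience")
    if not payload["iat"] <= now < payload["exp"]:
        raise ValueError("token expired or not yet valid")
    return payload["claims"]


def ip_sts_issue(username, password, now):
    """Step 3: the identity-provider STS authenticates the credentials and issues a token scoped to the FP."""
    if IP_USERS.get(username) != password:
        raise ValueError("authentication failed")
    return sign_token({"name": username}, issuer="ip-sts", audience="fp-sts", now=now, key=IP_KEY)


def fp_sts_issue(username, password, now):
    """Steps 2-4: the federation STS relays the credentials to the IP, validates the IP token,
    adds claims from its own store and re-issues a token scoped to the application services."""
    ip_token = ip_sts_issue(username, password, now)
    claims = verify_token(ip_token, "ip-sts", "fp-sts", now, IP_KEY)
    claims["roles"] = FP_ROLES.get(claims["name"], [])
    return sign_token(claims, issuer="fp-sts", audience="app-services", now=now, key=FP_KEY)


class Client:
    """Steps 1, 5 and 6: holds the FP token in memory and attaches it to every service call."""

    def __init__(self):
        self.token = None

    def login(self, username, password, now):
        self.token = fp_sts_issue(username, password, now)
        return self.token

    def call(self, operation, now, **kwargs):
        if self.token is None:
            raise PermissionError("not logged in")
        return operation(self.token, now, **kwargs)


def service_get_report(token, now, report_id):
    """Step 7: a service operation authenticates the FP token and authorizes on its role claim."""
    claims = verify_token(token, "fp-sts", "app-services", now, FP_KEY)
    if "Reporting" not in claims["roles"]:
        raise PermissionError("caller lacks the Reporting role")
    return {"report": report_id, "requested_by": claims["name"]}


def service_delete_user(token, now, target):
    """A second operation with a stricter role requirement."""
    claims = verify_token(token, "fp-sts", "app-services", now, FP_KEY)
    if "Admin" not in claims["roles"]:
        raise PermissionError("caller lacks the Admin role")
    return {"deleted": target, "by": claims["name"]}


if __name__ == "__main__":
    t0 = time.time()
    c = Client()
    c.login("alice", "correct horse", t0)
    print(c.call(service_get_report, t0, report_id=42))
```

Two design points carry over to the real system: the IP token and the FP token have different audiences and different signing keys, so a token the IP issued to the federation provider cannot be replayed straight against a service operation; and the services validate the FP token themselves on every call rather than trusting anything the client asserts, so the in-memory principal on the client is a convenience for UI authorization checks, not the security boundary.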


Solution

It is my understanding from Dominic Baier that WIF doesn't currently support the approach we are taking. We've taken his suggestion and created our own custom STS that moderates authentication using the Provider model.

Unfortunately, the farther we got into this, the more we realized that WIF isn't flexible enough to satisfy our needs at this point. We stuck with the custom STS approach but are using our own transport and credentialling rather than the WIF tooling. Hopefully a future release will give us what we want.

Licensed under: CC-BY-SA with attribution