Creating an Custom Active STS for SharePoint 2010 using Windows Identity Foundation

Question

Can anyone tell me whether I can create a custom active security tokebn service for sharepoint 2010. I'm basically looking to create a custom sts whereby I dont have to leave the sharepoint site itself in order to log in.

I have seen examples of creating a custom passive sts, but cant see anything for a custom passive sts.

I'm pretty new to WIF, so any pointers or help would be really appreciated.

EDIT (22 Nov 2011): Ok, maybe I'm looking at this all wrong. The first problem is that I have web services and a web site(s) that will need to be claims aware, and resolve requests to each as the same identity (In this case I cannot use a passive sts for the services). The second problem is that I want to be able to integrate the logon facility onto the homepage of my web site - my understanding is that this cant be achieved with a passive sts.

EDIT (28 Nov 2011): So on the recomendations below I have implmented thinktecture identity server. I've got this to work in the passive scenario quite easily, but am still unable to get this to work with the ws-trust endpoint (active scenario). I've been trying to create a custom login webpart using WSTrustChannelFactory and UserNameWSTrustBinding, but whenever I call ValidateToken I get an error stating "The issuer of the token is not a trusted issuer". Trust should be already established, as I can login using the passive logon mechanism.

Matt

Answer 1

After spending a significant amount of time on this I got to the root of my problem (I think). I was trying to create a custom logon webpart that could be deployed on the homepage of my application. It turns out that somewhere in the ValidateToken implementation there is a call to SPPassiveIssuerName.GetIssuerName. Within this method there is a decision made based on the result of a call to TrustedProviderSignInPage.IsTrustedPageRequest (this method returns true if the hhtpcontext request is for something within the http://xxxx/_trust/ virtual directory).

If TrustedProviderSignInPage.IsTrustedPageRequest returns true, SharePoint looks in the TrustedLoginIssuerNameRegistry which is fine as my certificate is registered as trusted. However, if it returns false SharePoint only checks the LocalLoginIssuerNameResgistry - which is basically hard coded to only return the built-in login issuer. As my homepage doesnt reside in the /_trust/ directory this is never going to work - which is incredibly annoying!

So in summary - you can probably only do this in SharePoint the page you're planning to put your login control on is in the /_trust/ directory.

IMPORTANT EDIT (01/12/2011): So after being thoroughly deflated yesterday, I had the idea of replacing the SharePoint built in issuer name registry (SPPassiveIssuerNameRegistry) with the standard ConfigurationBasedIssuerNameRegistry and adding in my IP-STS as a trusted issuer. This got me a little further along the line, but I was still getting an error when calling SetPrincipalAndWriteSessionToken, that the issuer could not be found in the issuer name registry. I couldn't work this out for hours, but in the end I decided ti implement a custom issuer name registry. After some debugging, it turns out that at some point during the claims creation process, SharePoint attempts to validate its built-in security token service (even though I'm not using it). So I reverted bag to the configuration based issuer name registry, and added in the SharePoint one as a trusted issuer (as well as my own) - and it all seems to work - woop! I'll blog the full solution at some point and post back here with a link. Lets hope it sticks!!

Matt

Matt

Answer 2

• I have seen examples of creating a custom passive sts, but cant see anything for a active? passive sts.

Have a look at Identity Server. It's an active and passive custom security token service.