Question

We looked at Identity Server, and Starter STS seems too large just to serve a few encrypted claims. So, coming to the questions:

  1. Is an STS required or mandatory to federate with ADFS 2.0?

  2. We opted for Identity Server since ADFS 2.0 does not support other data stores.

  3. Is there an option to serve claims through MVC controllers or something similar, using Windows Identity Foundation and the SAML 2.0 protocol?


Solution

You tagged this with SAML so I presume that's the protocol (rather than WIF).

I assume your application is ASP.NET?

If you want to federate with ADFS, then yes, you need another flavour of STS.

IdentityServer does not support SAML to applications.

There is a WIF SAML CTP.

If you want a .NET application to speak directly to an STS using SAML, you can use the .NET OpenSSO Fedlet (or the OpenAM one).

Other tips

Not sure I fully understand your question, but here's my take:

  1. ADFS is an STS. You don't need another one.
  2. ADFS supports any data store, but can only authenticate against AD. You can issue claims that are stored in LDAP, SQL or anywhere.
  3. WIF doesn't support SAML protocol yet.

Why are you considering WIF/Security Tokens to begin with? (e.g. SSO, federation, both, etc)

For your second question, you can always develop a custom STS in .NET and add it to ADFS as an identity provider. As you have mentioned that you need to authenticate against the LDS store, you can refer to links such as the ones given below, which will give you more insight:

http://cloudythoughts.siadis.com/windows-azure/windows-azure-appfabric/creating-a-custom-sts-with-windows-identity-foundation

http://blogs.msdn.com/b/vbertocci/archive/2008/11/26/an-identity-provider-and-its-sts-writing-a-custom-sts-with-the-october-beta-of-the-geneva-framework.aspx

http://www.rahulsingla.com/blog/2012/05/wif-security-token-service-for-active-directory-lightweight-directory-services
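As an added example (not code from the post above or from any of the linked articles): a minimal WIF 4.5 custom STS that issues claims looked up in AD LDS, which can then be registered in ADFS 2.0 as a claims provider trust. The issuer name, certificate file names, LDS host and DN, and the relying-party allow-list are assumptions for illustration. The two overrides are the ones WIF calls for every token request: GetScope decides whether the requesting relying party is allowed and which keys to use, GetOutputClaimsIdentity builds the claims.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Assumed values for this example: issuer name, certificate files, LDS path and RP list.
public class LdsStsConfiguration : SecurityTokenServiceConfiguration
{
    public LdsStsConfiguration(X509Certificate2 signingCert)
        : base("https://sts.example.local/", new X509SigningCredentials(signingCert))
    {
        SecurityTokenService = typeof(LdsSecurityTokenService);
        DefaultTokenLifetime = TimeSpan.FromMinutes(10); // short lifetime limits token replay
    }
}

public class LdsSecurityTokenService : SecurityTokenService
{
    // Assumed AD LDS instance; SSL is requested below so credentials and results are not sent in clear.
    const string LdsPath = "LDAP://lds.example.local:636/OU=Users,DC=example,DC=local";

    // Allow-list of relying parties: AppliesTo -> (registered reply URL, RP encryption certificate).
    static readonly Dictionary<string, Tuple<string, X509Certificate2>> RelyingParties =
        new Dictionary<string, Tuple<string, X509Certificate2>>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://adfs.example.local/adfs/services/trust",
              Tuple.Create("https://adfs.example.local/adfs/ls/",
                           new X509Certificate2("adfs-encryption.cer")) },
        };

    public LdsSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    // Called first: decide whether this RP may receive a token, and with which credentials.
    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required");

        Tuple<string, X509Certificate2> rp;
        if (!RelyingParties.TryGetValue(request.AppliesTo.Uri.AbsoluteUri, out rp))
            throw new InvalidRequestException("Unknown relying party: " + request.AppliesTo.Uri);

        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                              SecurityTokenServiceConfiguration.SigningCredentials);
        // Encrypt the token for the RP's certificate so the claims are opaque to the browser.
        scope.EncryptingCredentials = new X509EncryptingCredentials(rp.Item2);
        // Do not honour a caller-supplied ReplyTo (wreply); use the registered address only.
        scope.ReplyToAddress = rp.Item1;
        return scope;
    }

    // Called second: build the claims for the user the hosting site already authenticated.
    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal,
                                                              RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller is not authenticated");

        var identity = new ClaimsIdentity("LdsSts");
        identity.AddClaim(new Claim(ClaimTypes.Name, principal.Identity.Name));
        foreach (string groupDn in LookupGroupsInLds(principal.Identity.Name))
            identity.AddClaim(new Claim(ClaimTypes.Role, groupDn));
        return identity;
    }

    // Group lookup against AD LDS using the process identity over SSL.
    static IEnumerable<string> LookupGroupsInLds(string userName)
    {
        using (var root = new DirectoryEntry(LdsPath, null, null, AuthenticationTypes.SecureSocketsLayer))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(userPrincipalName=" + EscapeLdapFilter(userName) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            SearchResult result = searcher.FindOne();
            if (result == null) yield break;
            foreach (object dn in result.Properties["memberOf"])
                yield return (string)dn;
        }
    }

    // RFC 4515 escaping: the name originates from the login form, so it must not be able to
    // alter the filter (an unescaped "*" or ")(objectClass=*" would match other users).
    static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

To expose this as a WS-Federation passive endpoint, the hosting ASP.NET page authenticates the user (for example with forms authentication against the same LDS instance) and then hands the request to FederatedPassiveSecurityTokenServiceOperations.ProcessRequest with an instance of LdsSecurityTokenService; ADFS is then configured with that endpoint as a claims provider trust, and applications keep trusting ADFS alone. The allow-list check in GetScope and the fixed ReplyToAddress are the two checks that matter most in practice: without them any site can request a token for itself, or redirect the signed token to an attacker-controlled URL.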

License: CC-BY-SA with attribution