WIF authentication scenario. STS implementation questions


We’re considering using WIF for authenticating our users, so I’ve started to gather some information on how to do this the right way. Mainly how we should create the STS. I’ve had a hard time finding some information about our scenario where we have a “main” service that will be used by clients both internal and external.

Internal clients will connect to the service using TCP. The desktop clients used by our employees should authenticate to the service using their domain credentials (Active Directory). Besides that we have a small number of applications that use the service for data processing. We would like to issue a certificate to these applications. They will then authenticate through the STS using that certificate and a token is returned containing the claims for that application. Is that possible?

External clients will connect through HTTP, authenticate using username/password (web client), or by a certificate like much like mentioned above.

Is this a valid scenario? How would you implement this in WIF? Can you point me to some articles that you think will help? Can I solve this by having a single STS (WCF) or do I need more than one? Can a single STS handle more than one type of credentials (AD/username/certificate)?

Thank you in advance. Any help will be much appreciated.


Yes, that can be easily accomplished with WCF and WIF. You only need an STS implemenation or service, with three WCF endpoints. One endpoint for net.tcp with Windows authentication, one endpoint for authenticating with certificates (this could be message security with X509 client credential or Http transport security wiht X509 credential), and another endpoint for username and password. You might want to look at the STS Starter kit from Dominick Baier, I think he already provided an implementation for that in that project.

It's a matter of exposing the STS service with two endpoints as follow,

ADFS is not required if you are using WIF. ADFS is a Federated solution that integrates with AD, and mounts a STS on top of it. You can always implement your own STS and expose an additional endpoint for windows authentication in the binding configuration

Thanks Pablo.

This video can help you solving your question :)
By: admin