views:

670

answers:

4

I'm trying to get my head around all the claims-based Windows Identity Foundation magic.

Assuming I don't want to use ADFS, one thing that isn't clear to me is whether it's best to roll your own STS using WIF to do some of the hard work, or to rely on a third party.

And if it is the third-party option, what third-party STSs are there?

+1  A: 

It all depends where your authentication information is of course. If you aren't using AD, but are using something else then it's up to that provider to supply an STS.

If all you want is something database driven, well there are a few out there, and it depends on what development platform you're happiest with when you come to customise it.

If you're using .NET then you could use the StarterSTS as a starting point (no pun intended).

blowdart
That's what I was thinking. I just got a bit spooked by the Microsoft disclaimer: "WIF provides the ASP.NET Security Token Service Web Site template to help you build a simple STS that can be used for evaluation. To build a production STS, you would need to consider the necessary scalability and security considerations per your business needs."
AJM
Well, the StarterSTS is just that, an illustration of how to write one; the STS template that comes with WIF isn't good at all. So you'll still need to consider scalability and security.
blowdart
So if I'm reading this right, StarterSTS is not intended for production, right? Then what should we use in production? ADFS only? What other alternatives are there? (Sorry AJM, not trying to steal the question here.)
Miau
See Travis's answer - and hope they meet your requirements.
blowdart
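For readers weighing the "security considerations" in that disclaimer, here is an added illustration (written for this page, not code from StarterSTS, the WIF template, or any product named in the thread) of the two overrides a custom WIF 3.5 STS must supply, with the relying-party allow-list and token-encryption checks that the shipped template leaves to you. The relying-party table, the issuer name `https://sts.example.com/`, the `LookupRoles` helper and the certificate parameters are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Minimal custom STS on WIF 3.5 (Microsoft.IdentityModel). GetScope and
// GetOutputClaimsIdentity are the only overrides WIF requires; the checks
// inside them are the hardening a production STS needs and the template lacks.
public class HardenedSecurityTokenService : SecurityTokenService
{
    // Assumption: the relying parties this STS may issue tokens for, keyed by
    // audience URI, each with the certificate used to encrypt tokens to it.
    // In a real deployment this comes from configuration or a store, not code.
    private static readonly IDictionary<string, X509Certificate2> TrustedRelyingParties =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
        {
            // { "https://rp.example.com/", rpCertificate }   // hypothetical entry
        };

    public HardenedSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration) { }

    // WIF calls GetScope first. This is where the STS decides whether it will
    // issue a token for the requested AppliesTo at all; the template issues for
    // whatever address it is given, which lets any caller obtain a token for any RP.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");

        string audience = request.AppliesTo.Uri.AbsoluteUri;
        X509Certificate2 rpCertificate;
        if (!TrustedRelyingParties.TryGetValue(audience, out rpCertificate))
            throw new InvalidRequestException("Unknown relying party: " + audience);

        Scope scope = new Scope(audience, SecurityTokenServiceConfiguration.SigningCredentials);

        // Encrypt the token to the RP's certificate so a token captured in
        // transit cannot be read or replayed to a different audience.
        scope.EncryptingCredentials = new X509EncryptingCredentials(rpCertificate);
        scope.TokenEncryptionRequired = true;

        // For passive (WS-Federation) requests, post the token back to the
        // registered audience address, not to a caller-supplied wreply/ReplyTo.
        scope.ReplyToAddress = audience;
        return scope;
    }

    // Output claims are derived from the already-authenticated principal,
    // never copied from anything the caller put in the request.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated.");

        ClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));

        // Assumption: an application-specific role lookup against your own store.
        foreach (string role in LookupRoles(principal.Identity.Name))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));

        return identity;
    }

    private static IEnumerable<string> LookupRoles(string userName)
    {
        // Hypothetical helper: consult your directory or database here.
        return new string[0];
    }
}

// Binds the STS type to its issuer name and signing certificate. The issuer
// URI is an assumption; the RP's trusted-issuer configuration must match it.
public class HardenedStsConfiguration : SecurityTokenServiceConfiguration
{
    public HardenedStsConfiguration(X509Certificate2 signingCertificate)
        : base("https://sts.example.com/", new X509SigningCredentials(signingCertificate))
    {
        SecurityTokenService = typeof(HardenedSecurityTokenService);
    }
}
```

The allow-list in `GetScope` is the check that matters most: without it, any authenticated user can ask the STS for a token scoped to an arbitrary audience, and anything that trusts this issuer will accept it. Scalability (token caching, signing-key rollover, replay detection) is a separate concern this skeleton does not address.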
+2  A: 

Safewhere*Identify is a third-party STS built on WIF, but supporting additional protocols and with a more pluggable architecture than ADFS 2.

Full Disclosure: I work for Safewhere and am heavily involved in both architecting and developing the product.

Mark Seemann
+1  A: 

You should never roll your own STS (if you can avoid it). Creating an STS suited for a developer demo is trivial, but a world-class, enterprise caliber STS is no small undertaking. Besides ADFS and Safewhere's STS (which Mark mentioned), the following products include an STS (or they say they support WS-Trust which implies this):

  • Novell Access Manager
  • Ping Identity PingFederate
  • Symlabs Federated Identity Suite
  • OpenSSO
  • Vordel
  • Shibboleth
  • Red Hat JBoss Identity (alpha)
  • Oracle Identity Federation (I'm unclear on whether or not this product supports WS-Trust, but I would be surprised if it didn't.)

Also, the Java framework Metro is like WCF + WIF. It has everything you need to create an STS, which you shouldn't do; if, however, you evaluate those products and find that they won't satisfy your needs, rolling your own is your only option.

Travis Spencer
A: 

Travis,

Many of the products you listed are familiar to me from the IdM space. Especially Novell and Oracle...but most of these are either an entire stack or parts of a suite. And all of them will require an identity store and authentication services, right?

For example, to use Novell or Oracle or Ping, you would still need to implement a directory or some other user store, authenticate the users somehow (IWA or login page using a service provided by the product, for instance) and then federate that user to the WIF based RP, right?

How would you suggest comparing these suggestions to a do-it-yourself ADFS implementation?

The reason I ask...

We have already built a core framework and product set based on claims, using WIF to consume those claims. We are now looking at deploying ADFS as an STS, and want to step back first and consider if there is a way to accelerate a real prod deployment. We have been using the StarterSTS until now...

We need to support several options for authentication:

  1. IWA into the RP using our internal AD for users within our enterprise
  2. A way for our customers' users to log in using users we own and control as their IdP (assuming a new directory for them, separate from our internal AD)
  3. External IdPs where our customers authenticate the users and federate into us

Option 2 is something we need some authentication service for... so since we cannot get away with 100% federated SSO with external IdPs, any third-party option must include authentication services.

I looked briefly at the Safewhere site and didn't see any usable details about an STS alternative working with WIF. I see some federation product(s) and a WAM product... what exactly do they offer as an STS?

Thanks for any input you might have.

Allen Conant