I am trying to understand the difference between Active and Passive federation in WIF. It appears that one would use an Active Federation if the Relying Party (RP) is a WCF Service instead of an ASP.NET application and a Passive Federation if the RP is an ASP.NET application. Is this accurate?

So, in a scenario in which an ASP.NET application uses a WCF in the backend, the MS articles suggest using a 'bootstrap' security token that is obtained by the ASP.NET app using an ActAs STS and this token is used to authenticate with the WCF. In this scenario, it appears that we are doing a combination of Active (user -> STS -> ASP.NET RP) and Passive (ASP.NET -> ActAs STS -> WCF) Federation?

+1  A: 

Active Federation is about authenticating the user using WS-Trust protocols, and your Relying Party is the one that owns the login window and asks the STS for a security token. Passive Federation is when the Relying Party has no login logic and you are redirected to the login page located on the STS. Active Federation is more complex to configure, in my opinion (I'm working with Silverlight, so it needs some tricks). I'm planning to post about this subject on my blog, because there is little information about it on the internet.

Daria Barteneva
In my example, Active Federation is when a WCF service is the relying party (as it does not have a login page). Right?
No, your WCF service must own some mechanism to create a SOAP message and pass credentials to the STS; this is Active Federation and your service is the Active Requestor (you can receive credentials in the way you want, for example using a login window from a Silverlight client). If you want to use the login page from the Identity Provider and not worry about receiving and passing credentials, you should use Passive Federation, and in this case your service is the Passive Requestor (it only redirects, and the IdP does all the work).
Daria Barteneva
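
The two requestor roles described in the answer above, shown as the messages each one emits. This is an added example, not code from the original posts or from WIF: it builds a WS-Federation passive sign-in redirect and a WS-Trust 1.3 Issue request by hand, and the STS URL, realm, reply URL and credentials are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.2, WS-Addressing, WS-Security, WS-Trust 1.3, WS-Policy
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "p": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(tag):
    prefix, name = tag.split(":")
    return "{%s}%s" % (NS[prefix], name)

def passive_signin_url(sts_url, realm, reply_url):
    """Passive requestor: only redirects the browser; the STS owns the login page."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_url}
    return sts_url + "?" + urlencode(params)

def active_rst(sts_url, realm, username, password):
    """Active requestor: collects credentials itself and sends a WS-Trust Issue request."""
    env = ET.Element(q("s:Envelope"))
    hdr = ET.SubElement(env, q("s:Header"))
    ET.SubElement(hdr, q("a:Action")).text = NS["t"] + "/RST/Issue"
    ET.SubElement(hdr, q("a:To")).text = sts_url
    # The password travels inside the message, so this must only go over TLS.
    tok = ET.SubElement(ET.SubElement(hdr, q("o:Security")), q("o:UsernameToken"))
    ET.SubElement(tok, q("o:Username")).text = username
    ET.SubElement(tok, q("o:Password")).text = password
    rst = ET.SubElement(ET.SubElement(env, q("s:Body")), q("t:RequestSecurityToken"))
    ET.SubElement(rst, q("t:RequestType")).text = NS["t"] + "/Issue"
    epr = ET.SubElement(ET.SubElement(rst, q("p:AppliesTo")), q("a:EndpointReference"))
    ET.SubElement(epr, q("a:Address")).text = realm
    return ET.tostring(env, encoding="unicode")

def carries_credentials(message):
    """True if the requestor's own message contains user credentials."""
    if message.startswith("<"):
        return ET.fromstring(message).find(".//o:UsernameToken", NS) is not None
    return any(k in parse_qs(urlparse(message).query) for k in ("username", "password"))

if __name__ == "__main__":  # constructed sample values
    sts, rp = "https://sts.example.test/issue", "https://rp.example.test/"
    print(passive_signin_url(sts + "/wsfed", rp, rp + "signin"))
    print(active_rst(sts + "/wstrust", rp, "alice", "constructed-password"))
```

In the passive case the relying party never handles the user's password; in the active case the requestor does, so credential handling and transport protection become its responsibility.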
