I have a web application and would want it to be secured using a Custom STS using Windows Identity Foundation 3.5. All examples have a passive STS in scene. Why is this needed, and what happens if you call the Active STS (custom written using WIF) directly?
Hi. Normally you use passive federation for web applications, because web clients are unable to emit proper SOAP and hence got the label "Passive Requestor", while anything able to produce proper SOAP got the label "Active Requestor" and can use Active Federation without problems. There is a lack of samples of this on the internet, but check Vittorio Bertocci's blog; there you can find great articles about active and passive federation.
The simplest example is to generate a web application in Visual Studio and then run the "Add STS Reference" wizard (which is enabled if you install the WIF SDK). You do this by right-clicking on the web project.
You can run the same against a web service and the wizard will create an STS for "Active Clients".
"Active" and "Passive" are implementation details. As Daria mentions above: "Passive" refers to web browsers and "Active" to anything capable of using WS-Trust, which is the protocol you use to obtain a token from an STS.
In a production environment, you should use a "production" ready STS (like ADFS). Building one is not impossible, but it might take time.
You can read more about claims based identity here: http://msdn.microsoft.com/en-us/library/ff423674.aspx
Eugenio
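The passive requestor flow the answers describe, written out as an added Python example (not code from the thread or from WIF): the redirect that replaces the SOAP request a browser cannot send, and the realm and lifetime checks a relying party applies to the wresult it gets back. The WS-Trust 1.3 namespaces, the SAML 1.1 token shape and the realm and STS URLs are assumptions; signature verification is left out.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {"t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # WS-Trust 1.3 (assumed)
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
RP_REALM = "https://app.example/"  # placeholder relying-party realm

def passive_signin_url(sts_url, realm, ctx):
    """Passive requestor: a browser cannot speak WS-Trust, so the RP redirects it
    to the STS with the WS-Federation sign-in query string instead of sending an RST."""
    return sts_url + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": realm, "wctx": ctx})

def _ts(value):
    # SAML 1.1 timestamps are UTC; fractional seconds, if present, are ignored
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_wresult(wresult, realm, now):
    """Parse the RSTR the STS POSTs back as 'wresult'; before any claim is trusted,
    confirm the token was issued for this realm and is inside its validity window.
    Signature verification, which a real handler does first, is omitted here."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(wresult)
    rstr = root if root.tag.endswith("}RequestSecurityTokenResponse") else root.find("t:RequestSecurityTokenResponse", NS)
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in wresult")
    applies = rstr.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
    assertion = rstr.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 1.1 assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS)
    if applies != realm or audience != realm:
        raise ValueError(f"token not issued for {realm}: AppliesTo={applies} Audience={audience}")
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its NotBefore/NotOnOrAfter window")
    # WIF maps a SAML 1.1 attribute to the claim type AttributeNamespace + "/" + AttributeName
    return [(a.get("AttributeNamespace") + "/" + a.get("AttributeName"), a.findtext("saml:AttributeValue", namespaces=NS))
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]

SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponseCollection xmlns:t="{NS['t']}"><t:RequestSecurityTokenResponse>
<wsp:AppliesTo xmlns:wsp="{NS['wsp']}"><wsa:EndpointReference xmlns:wsa="{NS['wsa']}"><wsa:Address>{RP_REALM}</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<t:RequestedSecurityToken><saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T11:00:00Z"><saml:AudienceRestrictionCondition><saml:Audience>{RP_REALM}</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AttributeStatement><saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse></t:RequestSecurityTokenResponseCollection>"""  # constructed sample
```

Calling `check_wresult(SAMPLE_WRESULT, RP_REALM, "2024-05-01T10:30:00Z")` yields the single name claim; the same token presented for another realm, or after 11:00 UTC, is rejected.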