I have a need to implement an STS-IP server for our web applications and services. The server will need to issue SAML tokens for the following scenarios:

  1. Business partner submits their SAML token which is converted to a SAML token with the claims required for our applications. This token is used to access our Web Applications and Services.
  2. Our public facing applications need to have a user sign in (via forms authentication) and then access our web applications and services with a SAML token.
  3. Our clients (without an STS trust) need to authenticate with our STS-IP server, get a SAML token, and use that token to access our WCF services.

In all 3 scenarios, we need to have custom claims on the SAML token that our applications and services use. The thought is once we identify the user, we would look up their authorization in our back-end systems and attach claims.

In these scenarios, you can assume the back-end authentication store is a custom implementation with authentication stored in Active Directory and authorization stored in a database.

So my thought has been, we need to create a custom STS-IP server using something like Windows Identity Framework. But I have also been reading that you should not do this because it can take some time.

Can I use an off-the-shelf STS-IP server? Everything I've seen is a mapping between one system to another (SAML to SAML or AD to SAML).

Why will it "take a long time" to build a production-ready STS-IP? I built one using WIF very easily, but I guess I don't understand the risks in doing this.
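
The custom STS described in this question, as an added example that is not part of the original post or of WIF's own samples. It uses the WIF 1.0 `Microsoft.IdentityModel` API and shows the two overrides where the security decisions sit: which relying parties may receive a token, and which claims are attached. The class name, realm URL, thumbprint placeholder and in-memory role table are assumptions standing in for a real relying-party registry and the authorization database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class PortalSecurityTokenService : SecurityTokenService // hypothetical name
{
    // Constructed sample: registered realm -> thumbprint of its encryption certificate (placeholder).
    static readonly Dictionary<string, string> RelyingParties = new Dictionary<string, string>(
        StringComparer.OrdinalIgnoreCase) { { "https://apps.example.test/portal/", "<RP-CERT-THUMBPRINT>" } };
    // Constructed stand-in for the authorization database lookup.
    static readonly Dictionary<string, string[]> RolesByUser = new Dictionary<string, string[]>(
        StringComparer.OrdinalIgnoreCase) { { "alice", new[] { "OrderEntry", "Reports" } } };

    public PortalSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Issue only to registered relying parties; never accept an arbitrary AppliesTo.
        string realm = request.AppliesTo == null ? null : request.AppliesTo.Uri.AbsoluteUri;
        string thumbprint;
        if (realm == null || !RelyingParties.TryGetValue(realm, out thumbprint))
            throw new InvalidRequestException("AppliesTo is not a registered relying party.");
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: true rejects expired or untrusted certificates.
            var certs = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (certs.Count != 1)
                throw new InvalidRequestException("No valid encryption certificate for relying party.");
            var scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
            scope.EncryptingCredentials = new X509EncryptingCredentials(certs[0]);
            scope.ReplyToAddress = realm; // registered address, not one supplied in the request
            return scope;
        }
        finally { store.Close(); }
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        string name = principal == null ? null : principal.Identity.Name;
        if (string.IsNullOrEmpty(name)) throw new InvalidRequestException("Caller has no identity.");
        var output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, name));
        string[] roles; // an unknown user gets an identity-only token with no role claims
        if (RolesByUser.TryGetValue(name, out roles))
            foreach (string role in roles) output.Claims.Add(new Claim(ClaimTypes.Role, role));
        return output;
    }
}
```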

+1  A: 

In terms of "It will take a long time", the documentation showing how to do this is very poor. See here: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/257d93be-165e-45a6-a277-fc7ed2286e7d/

Anyhow, you'll simply need to look over the code samples that Microsoft provides: Google for Identity Developer Training Kit. That should help you get started.

Rice Flour Cookies
I have to agree on the documentation. I did find a project called "StarterSTS" which was very helpful. http://startersts.codeplex.com/
MediaSlayer
A: 

The "why not" is relatively simple: Why take weeks to build something that will probably only handle a single use-case when you can put in an off-the-shelf STS in a day that will cover all sorts of things your company may come up with? Building it yourself will also require you to become an expert in SAML (which is probably not the best use of your company's time).

Check out -- http://www.pingidentity.com/our-solutions/pingfederate.cfm

Good luck -- Ian

Ian
+1  A: 

Why are you not considering using ADFS? If the backing store for authentication is AD, then ADFS is probably a good candidate to evaluate.

Eugenio Pace
We are considering it, but we want forms authentication for our web site that authenticates to an STS-IP. I'm not sure ADFS can do this. Also, our AD accounts have custom attributes that we would need to make into claims. I haven't installed ADFS yet since I don't have a Windows test server set up yet.
MediaSlayer
ADFS will show you a form if you are trying to access it from a machine outside the network. If you are inside the network it would simply "just work". Querying for attributes in AD and sending them as claims in a token is an "out of the box" feature in ADFS. Besides, it is free :-) What ADFS doesn't support is authenticating against anything that is not AD. (Which doesn't seem to be your case)
Eugenio Pace