tags:

views:

129

answers:

1
Q: 

WIF authentication scenario. STS implementation questions.

We’re considering using WIF for authenticating our users, so I’ve started to gather some information on how to do this the right way. Mainly how we should create the STS. I’ve had a hard time finding some information about our scenario where we have a “main” service that will be used by clients both internal and external.

Internal clients will connect to the service using TCP. The desktop clients used by our employees should authenticate to the service using their domain credentials (Active Directory). Besides that we have a small number of applications that use the service for data processing. We would like to issue a certificate to these applications. They will then authenticate through the STS using that certificate and a token is returned containing the claims for that application. Is that possible?

External clients will connect through HTTP, authenticate using username/password (web client), or by a certificate like much like mentioned above.

Is this a valid scenario? How would you implement this in WIF? Can you point me to some articles that you think will help? Can I solve this by having a single STS (WCF) or do I need more than one? Can a single STS handle more than one type of credentials (AD/username/certificate)?

Thank you in advance. Any help will be much appreciated.

A: 

Hi,

Yes, that can be easily accomplished with WCF and WIF. You only need an STS implemenation or service, with three WCF endpoints. One endpoint for net.tcp with Windows authentication, one endpoint for authenticating with certificates (this could be message security with X509 client credential or Http transport security wiht X509 credential), and another endpoint for username and password. You might want to look at the STS Starter kit from Dominick Baier, I think he already provided an implementation for that in that project.

It's a matter of exposing the STS service with two endpoints as follow,

ADFS is not required if you are using WIF. ADFS is a Federated solution that integrates with AD, and mounts a STS on top of it. You can always implement your own STS and expose an additional endpoint for windows authentication in the binding configuration

Thanks Pablo.

 2010-09-02 15:58:51
Thank you. Nice to get things confirmed :-) Can you give me some more details on the certificate part? I don't know much about that, and I can't seem to find any articles about it. For the Windows auth endpoint, should I use ADFS?
Tommy Jakobsen  2010-09-02 19:11:55

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?