Active and Passive Federation in WIF

Question

I am trying to understand the difference between Active and Passive federation in WIF. It appears that one would use an Active Federation if the Relying Party (RP) is a WCF Service instead of an ASP.NET application and a Passive Federation if the RP is an ASP.NET application. Is this accurate?

So, in a scenario in which an ASP.NET application uses a WCF in the backend, the MS articles suggest using a 'bootstrap' security token that is obtained by the ASP.NET app using an ActAs STS and this token is used to authenticate with the WCF. In this scenario, it appears that we are doing a combination of Active (user -> STS -> ASP.NET RP) and Passive (ASP.NET -> ActAs STS -> WCF) Federation?

Answer 1

Active Federation is about authenticating user using WSTrust protocols and your Relying Party is who owns login window and asks for security token to STS. Passive Federation is when Relying Party has no login logic and you are redirected to the login page located on STS. Active Federation is more complex to configure, in my opinion (I'm working with silverlight, so it needs some tricks). I'm planing to post about this subject on my blog, because there is little information about it on internet.

Answer 2

You can read more about passive claims here:

http://garymcallisteronline.blogspot.co.uk/2012/11/claims-explained.html

An Active call is a direct call to a WSActive endpoint (these support many authentication types).. The following code shows an active call using the username active endpoint.

    private static GenericXmlSecurityToken GetToken(string username, string password, string url, string audienceUrl)
    {
        var factory = new WSTrustChannelFactory(new Microsoft.IdentityModel.Protocols.WSTrust.Bindings.UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), new EndpointAddress(url));
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        factory.TrustVersion = TrustVersion.WSTrust13;
        WSTrustChannel channel = null;

        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo = new EndpointAddress(audienceUrl),
            KeyType = WSTrust13Constants.KeyTypes.Bearer,
        };
        channel = (WSTrustChannel)factory.CreateChannel();
        return channel.Issue(rst) as GenericXmlSecurityToken;
    }

Answer 3

In short, Passive Federation is just a phrase used to represent the scenario that your browser is redirected to a login page hosted by the STS. After login the STS redirects you back to the referring URL with some cookie, or something, and you are authenticated at the site that trusts the STS (using thumbprints, certs, encryption,etc).

You don't have to do it that way either. I for example like my ASP.NET sites to actively contact the STS using credentials supplied by the user, but it means the ASP.NET app pool has to authenticate at the STS using Windows Auth in order to send the credentials supplied by the user to get a token, and then I explicitly add the token to the session. In other words I don't used Passive Federation, but that's just a choice.

Answer 4

Even i had same problem initially but the this blog helped me a lot.

i would suggest you to go through samples first and then analyse the documentation.

WCF federation is tricky though.