Creating a custom STS-IP with WIF and why not

Question

I have a need to implement a STS-IP server for our web applications and services. The server will need to issue SAML tokens for the following scenarios:

1. Business partner submits their SAML token which is converted to a SAML token with the claims required for our applications. This token is used to access our Web Applications and Services.
2. Our public facing applications need to have a user sign in (via forms authentication) and then access our web applications and services with a SAML token.
3. Our clients (without a STS trust) needs to authenticate with our STS-IP server, get a SAML token, and use that token to access our WCF services.

In all 3 scenarios, we need to have custom claims on the SAML token that our applications and services use. The thought is once we identify the user, we would look up their authorization in our back-end systems and attach claims.

In these scenarios, you can assume the back-end authentication store is a custom implementation with authentication stored in Active Directory and authorization stored in a database.

So my thought has been, we need to create a custom STS-IP server using something like Windows Identity Framework. But I have also been reading that you should not do this because it can take some time.

Can I use an off-the-shelf STS-IP server? Everything I've seen is a mapping between one system to another (SAML to SAML or AD to SAML).

Why will it "take a long time" to build a production ready STS-IP ? I built one using WIF very easily, but I guess I don't understand the risks in doing this.

Answer 1

Before writing you own STS, you may want to check out this blog and closely review the features that you may need in the STS. Just because you can build one yourself, doesn't always mean you should.

extending adfs to multiple identity and attribute stores

Answer 2

In terms of "It will take a long time", the documentation showing how to do this is very poor. See here: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/257d93be-165e-45a6-a277-fc7ed2286e7d/

Anyhow, you'll simply need to look over the code samples that Microsoft provides: Google for Identity Developer Training Kit. That should help you get started.

Answer 3

Why are you not considering using ADFS? If the backing store for authentication is AD, then ADFS is probably a good candidate to evaluate.

Answer 4

They "why not" is relatively simple: Why take weeks to build something that will probably only handle a single use-case when you can put in off-the-shelf STS in a day that will cover all sorts of things your company may come up with? Building it yourself will also require you to become an expert in SAML (which is probably not the best us of your company's time).

Check out -- http://www.pingidentity.com/our-solutions/pingfederate.cfm

Good luck -- Ian

Answer 5

Agree with @eugenio - why not use ADFS?

ADFS can only authenticate against AD as discussed but it can derive authorisation attributes from AD / LDAP / SQL server

The nuts and bolts for an STS are available in VS 2010 plus the identity tool kits. A simple STS can be quickly prototyped.

There are some examples available. StarterSTS is already mentioned plus SelfSTS .

The hard part is getting the security right especially if this will be part of a production system. As per "Steve on Security" Build your own Directory Federation Service :

It may sound like I think it'll be a synch to develop this system and have it work securely, but in reality there is a lot that will need to go into it to protect the network, the employees, and the data this could possibly interact with. It is tough to develop applications securely. It is far harder to develop secure applications whose sole responsibility is security related.

That's the reason that all the samples on the Internet have disclaimers in bold:

Do not use in a Production environment