Month: November 2011

WIF, ADFS, OIF, OpenSSO/OpenAM

WIF provides a way to separate the security concern out of .NET applications. Outsourcing identity and authorization to a third-party IdP/STS really loosens the structure of classic web apps: there is no need to write the common user registration, profile management and group assignment tasks again and again, and the app is only loosely coupled to the IdP through claims.

The idea is neat, but finding the right STS is not easy.

ADFS 2.0 can handle LDAP users without any problem, but its off-the-shelf features don’t cover extranet users.

The out-of-the-box WIF template provides a local STS for dev purposes only, and it’s using WS-Fe

A WIF application only talks to the STS through the WS-Federation protocol (SAML 2.0 protocol support can be downloaded here; I haven’t tried it yet), while Oracle STS speaks WS-Trust, i.e. web services only?

Right now the solution is to use ADFS as a gateway between the WIF app and the third-party IdP.

Some difficulties we encountered:

Not getting home-realm discovery page from ADFS

This problem was caused by the endpoint not being imported when the claims provider trust federation metadata was imported into ADFS: ADFS only accepts https endpoints, so a metadata document that publishes an http endpoint loses that endpoint silently.
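The check below is an added example, not code from the original post or from ADFS: it walks a WS-Federation/SAML 2.0 metadata document and lists every endpoint that is not https, which is exactly what ADFS drops on import. The metadata, host names and URLs in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used in WS-Federation / SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample metadata (not a real IdP): the passive requestor
# endpoint is published over plain http, the SAML SSO endpoint over https.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    entityID="http://sts.example.test/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference>
        <wsa:Address>http://sts.example.test/issue/wsfed</wsa:Address>
      </wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sts.example.test/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def collect_endpoints(metadata_xml):
    """Return every endpoint URL published in a metadata document.

    Covers the WS-Federation passive/active endpoints (wsa:Address inside
    fed:*Endpoint) and the SAML 2.0 SSO/SLO/ACS service locations.
    """
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for tag in ("PassiveRequestorEndpoint", "SecurityTokenServiceEndpoint"):
        for ep in root.iter("{%s}%s" % (NS["fed"], tag)):
            for addr in ep.iter("{%s}Address" % NS["wsa"]):
                if addr.text:
                    endpoints.append(addr.text.strip())
    for tag in ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService"):
        for svc in root.iter("{%s}%s" % (NS["md"], tag)):
            loc = svc.get("Location")
            if loc:
                endpoints.append(loc.strip())
    return endpoints


def non_https_endpoints(metadata_xml):
    """Return the endpoints ADFS would refuse to import because they are not https."""
    return [ep for ep in collect_endpoints(metadata_xml)
            if not ep.lower().startswith("https://")]


if __name__ == "__main__":
    for ep in non_https_endpoints(SAMPLE_METADATA):
        print("non-https endpoint, will not be imported by ADFS:", ep)
```

Run it against the claims provider's real FederationMetadata.xml before adding the trust; an empty result means every endpoint will survive the import, so a missing home-realm discovery page has some other cause.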

HTTP Error 503 (service unavailable) on adfs/services/trust after logging in to the STS successfully

This happens with StarterSTS and CustomSTS. For StarterSTS, follow this post to add the relying party key into StarterSTS and export the token decryption certificate. Note that the original post missed a key name in the configuration demo code.

For CustomSTS (the WIF test STS), the ADFS ReplyToAddress needs to be set manually based on the Federation Service identifier; an example can be found here as well.

public class CustomSecurityTokenService : SecurityTokenService
{
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Scope creation as in the WIF SDK template; the template's encrypting-credential
        // setup is elided here, as it was in the original post.
        var scope = new Scope(request.AppliesTo.Uri.OriginalString,
                              SecurityTokenServiceConfiguration.SigningCredentials);

        // Map the relying party (AppliesTo) to its reply address from config, never from
        // the request. For ADFS the key is the Federation Service identifier and the value
        // is the /adfs/ls/ passive endpoint.
        foreach (var key in ConfigurationManager.AppSettings.AllKeys)
        {
            _logger.Debug(string.Format("checking [{0}] with [{1}]", scope.AppliesToAddress, key));
            if (string.Equals(scope.AppliesToAddress, key, StringComparison.OrdinalIgnoreCase))
            {
                scope.ReplyToAddress = ConfigurationManager.AppSettings[key];
            }
        }
        return scope;
    }
}

  <appSettings>
    <add key="http://adfsserver/adfs/services/trust"
         value="https://adfsserver/adfs/ls/"/>
  </appSettings>

SP doesn’t support urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

This happens with OpenSSO. We finally used the SAML tracer add-on in Firefox to figure out that it is in the SAML token ADFS sends to the IdP, then followed this post to change the default format from unspecified to something else.
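What SAML tracer shows by hand can also be checked from a script. The following is an added example, not code from the original post or from OpenSSO/ADFS: it decodes the base64 SAMLResponse form field of the HTTP-POST binding and reports the NameID Format of each assertion, flagging any format the SP does not accept. The response, issuer and subject in it are constructed for the example and the signature is omitted.

```python
import base64
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SAML 2.0 Response (not a captured one); the Signature element is left out.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response" Version="2.0" IssueInstant="2011-11-01T12:00:00Z"
    Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2011-11-01T12:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# What the browser posts in the SAMLResponse form field (HTTP-POST binding).
SAMPLE_SAMLRESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(param):
    """Decode the base64 SAMLResponse form parameter back to XML text."""
    return base64.b64decode(param).decode("utf-8")


def nameid_formats(response_xml):
    """Return (Format, value) for every NameID in the response's assertions.

    Format is returned as None when the attribute is absent; the SAML 2.0 core
    spec treats an absent Format as 'unspecified'.
    """
    root = ET.fromstring(response_xml)
    out = []
    for nameid in root.iter("{%s}NameID" % SAML_ASSERTION_NS):
        out.append((nameid.get("Format"), (nameid.text or "").strip()))
    return out


def check_nameid_formats(param, accepted):
    """Return one finding per NameID whose format the SP does not accept."""
    findings = []
    for fmt, value in nameid_formats(decode_saml_response(param)):
        effective = fmt or NAMEID_UNSPECIFIED
        if effective not in accepted:
            findings.append("NameID '%s' uses %s, which the SP rejects" % (value, effective))
    return findings


if __name__ == "__main__":
    sp_accepts = {"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
    for finding in check_nameid_formats(SAMPLE_SAMLRESPONSE_PARAM, sp_accepts):
        print(finding)
```

Paste the SAMLResponse value from the tracer's POST view into check_nameid_formats with the set of formats the SP is configured to accept; one finding per NameID tells you which side to reconfigure before touching the ADFS claim rules.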

WIF, STS, MVC

We are looking for a third-party access management product, and one of the requirements is STS support. Here is the procedure for creating a test STS client:

  1. Download the WIF runtime and the WIF SDK – http://msdn.microsoft.com/en-us/evalcenter/dd440951.aspx
  2. Create a new MVC project in VS 2010.
  3. Right-click the project, select “Add STS reference” and follow the same wizard steps as for the WebForms application (this adds the WIF information to the web.config file).
  4. Set the app pool to load the user profile (Advanced Settings panel).
  5. Create a self-signed SSL certificate and make it accessible to the app pool, as described in https://identity.thinktecture.com/download/startersts/v1/StarterSTS_InitialSetup.wmv
  6. DO NOT use “Add deployable dependencies” on the MVC project when deploying the web app, otherwise the deployed web app will be redirected back to /account/login from the STS.

After testing with the local STS, we tried to switch to StarterSTS (http://startersts.codeplex.com/) as the second test STS, but we couldn’t figure out how to add a customized claim type into user profiles, with a claim type format like “http://schemas.myorg.ca/2011/10/OrganizationId”. Even so, the StarterSTS tutorial is still a great help: http://identity.thinktecture.com/download/starterSTS/v1/StarterSTS_FederatingWebApps.wmv
Other useful tools like STSFederationMetadataEditor can be used to edit the WS-Federation metadata of the STS on the fly.