WIF provide a way to separate security concern out from dotnet applications. Outsource identity/authorization task to a 3rd party IDP/STS really loose the structure of classic web apps, no need to write those user registration / profile management / group assignment common task again and again, and the app is only loose coupled with IDP through Claims.

The idea is neat, but finding a right STS is not easy.

ADFS 2.0 can handle LDAP user without any problem, the off-shelf features don’t cover extranet users.

The out-of-box WIF template provides a local STS for dev purpose only, and it’s using WS-Fe

WIF application is only talking to STS through WS-Federation protocol, (SAML 2.0 Protocol support can be downloaded here, I haven’t try it yet), while Oracle STS speaks WS-Trust, Web Service only?

Right now the solution is use ADFS as gateway between WIF app and 3rd-parth IDP.

Some difficulties we encountered:

Not getting home-realm discovery page from ADFS

This problem was caused by when importing claim provider trust federation metadata into ADFS, the endpoint was not imported, ADFS only accept https endpoint.

HTTP Error 503 on adfs/services/trust and get the service unavailable after STS login successfully

This happens to StarterSTS and CustomSTS, for StarterSTS, folloew this post to add relying party key into StarterSTS and export token decryption certificate. Note the original post missed a key name in configure demo code.

For CustomSTS (WIF test STS), the ADFS replyToAddress needs to set manually based on the Federation Service identifier, an example can be found here as well.

public class CustomSecurityTokenService : SecurityTokenService
    protected override Scope GetScope( IClaimsPrincipal principal, RequestSecurityToken request )
        foreach (var key in ConfigurationManager.AppSettings.AllKeys)
            _logger.Debug(string.Format("checking [{0}] with [{1}]", scope.AppliesToAddress, key));
            if (string.Equals(scope.AppliesToAddress.ToLower(), key.ToLower()))

                scope.ReplyToAddress = ConfigurationManager.AppSettings[key];

    <add key="http://adfsserver/adfs/services/trust"

SP doesn’t support urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

This happens to OpenSSO, we finally used SAML Tracker addon in Firefox to figure out it’s in SAML token ADFS sending to IDP. Then followed this post to changed the default format from unspecified to something else.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s