Why WIF (Windows Identity Foundation)?

Question

How portable is Windows Identity Foundation? And what am I getting for its complex setup that I can't through custom security logic?

Once I generated a ClaimIdentity and a Principal how can I delegate it to a middle tier service like WebAPI/NServiceBus/ServiceStack? Especially in self hosted scenario.

The instruction to integrate with WCF, MS own framework is fairly convoluted. As can be seen here - it can probably compete with Steven King for the most verbose horror novel of the century. Not to mention I am trying to get out of WCF as is for being too cumbersome and frankly WIF makes WCF looks like child's play.

I want to make sure that this is not another expensive, over-engineered pile of dung, like some other frameworks that have come from Redmond (eg. Biztalk, WF, Web Forms, and even to some extent, XAML). All those frameworks took just about the most convoluted path possible, in trying to be too many things at once to solve problems that are far more elegantly solved with the FOS alternatives like CSS, MVC, NSB or even JavaScript (and I hate JavaScript).

Again what's this monstrous abstraction giving me? Why not just write my own RBAC framework, that'll serialize the claims and identity in a JSON string, encrypt and pass it around as needed. That'd take me all 30 minutes to write as opposed to weeks of learning WIF and spending months integrating it with various subsystems.

Answer 1

WIF is a set of .NET classes so it's portable across any .NET applications that wants to outsource authentication and authorization to a STS like ADFS.

It relies on the WS Federation protocol which means that the same claims-enabled application can authenticate with any WS Fed STS e.g. ADFS, Ping identity, OpenAM, Azure Active Directory, Identity Server etc.

All that's required to achieve this is some web. config changes - no code changes.

And it provides a set of methods to enumerate the claim etc.

It also provides the plumbing e.g. decrypting the SAML token, checking the signature and issuer, creating the relevant cookies etc. All of which are necessary from a security PoV.

By all means roil your own - but it won't be portable and you need to think carefully about security.