18

I am trying to understand the difference between Active and Passive federation in WIF. It appears that one would use an Active Federation if the Relying Party (RP) is a WCF Service instead of an ASP.NET application and a Passive Federation if the RP is an ASP.NET application. Is this accurate?

So, in a scenario in which an ASP.NET application uses a WCF in the backend, the MS articles suggest using a 'bootstrap' security token that is obtained by the ASP.NET app using an ActAs STS and this token is used to authenticate with the WCF. In this scenario, it appears that we are doing a combination of Active (user -> STS -> ASP.NET RP) and Passive (ASP.NET -> ActAs STS -> WCF) Federation?

Nick

4 Answers

21

Active Federation is about authenticating a user using the WS-Trust protocols, and your Relying Party is the one that owns the login window and asks the STS for a security token. Passive Federation is when the Relying Party has no login logic and you are redirected to the login page located on the STS. Active Federation is more complex to configure, in my opinion (I'm working with Silverlight, so it needs some tricks). I'm planning to post about this subject on my blog, because there is little information about it on the internet.

Nisarg Shah
Daria Barteneva
  • In my example, Active Federation is when a WCF service is the relying party (as it does not have a login page). Right? – Nick May 07 '10 at 14:15
  • 2
    No, your WCF service must own some mechanism to create a SOAP message and pass credentials to the STS; this is Active Federation and your service is the Active Requestor (you can receive credentials in the way you want, for example using a login window from a Silverlight client). If you want to use the login page from the Identity Provider and not worry about receiving and passing credentials, you should use Passive Federation, and in this case your service is the Passive Requestor (it only redirects, and the IdP does all the work). – Daria Barteneva May 14 '10 at 16:34
  • Did you ever get around to blogging about it? I've been looking for documentation on how to do active authentication for an MVC app with no luck :-( – Roly May 06 '13 at 19:39
  • Why should the RP ask security token from STS in Active Federation? If it can create a login window and login logic, couldn't it create the claims/token as well? As in completely avoiding an external STS – Blue Clouds Dec 14 '13 at 22:28
  • @BlueClouds you would want active in many scenarios, including mine: You have an STS with several federations set up (i.e. you get users signing in from multiple sources; CustomerA, CustomerB, CustomerC all log into my App, and I want my App to authenticate users against those customers' AD servers). So they hit my App, and I want my App to handle the login form and then request a token from my STS (my request indicates the realm they should authenticate to). This way I don't have to deal with the little "ADFS Login Pages" app with a "realm discovery" page. – ctb Feb 26 '14 at 16:47
  • I am trying to authenticate a user from a client application that communicates with a WCF service. The WCF service is responsible for authentication against its own membership database, Active Directory and ADFS. In my case there needs to be active federation. How would you approach this problem? – TrustyCoder Oct 21 '15 at 16:03
2

In short, Passive Federation is just a phrase used to represent the scenario in which your browser is redirected to a login page hosted by the STS. After login the STS redirects you back to the referring URL with some cookie, or something, and you are authenticated at the site that trusts the STS (using thumbprints, certs, encryption, etc.).

You don't have to do it that way either. I, for example, like my ASP.NET sites to actively contact the STS using credentials supplied by the user, but it means the ASP.NET app pool has to authenticate at the STS using Windows Auth in order to send the credentials supplied by the user to get a token, and then I explicitly add the token to the session. In other words I don't use Passive Federation, but that's just a choice.

Sentinel
1

You can read more about passive claims here:

http://garymcallisteronline.blogspot.co.uk/2012/11/claims-explained.html

An Active call is a direct call to a WSActive endpoint (these support many authentication types). The following code shows an active call using the username active endpoint.

    using System.IdentityModel.Tokens;                        // GenericXmlSecurityToken
    using System.ServiceModel;                                // EndpointAddress, SecurityMode
    using System.ServiceModel.Security;                       // TrustVersion, X509CertificateValidationMode
    using Microsoft.IdentityModel.Protocols.WSTrust;          // WSTrustChannelFactory, WSTrustChannel, RequestSecurityToken, WSTrust13Constants
    using Microsoft.IdentityModel.Protocols.WSTrust.Bindings; // UserNameWSTrustBinding

    // Requests a bearer token for audienceUrl from the STS username endpoint at url
    // (WIF 3.5 / Microsoft.IdentityModel API).
    private static GenericXmlSecurityToken GetToken(string username, string password, string url, string audienceUrl)
    {
        var factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(url));
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        // None switches off validation of the STS's certificate; it is only
        // acceptable against a development STS with a self-signed certificate.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        factory.TrustVersion = TrustVersion.WSTrust13;

        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo = new EndpointAddress(audienceUrl),   // the relying party the token is scoped to
            KeyType = WSTrust13Constants.KeyTypes.Bearer,
        };
        var channel = (WSTrustChannel)factory.CreateChannel();
        return channel.Issue(rst) as GenericXmlSecurityToken;
    }

GaryMcAllister
  • Does anyone know how to do the equivalent in .NET 4.5? It looks like much has changed, specifically, "UserNameWSTrustBinding" no longer exists...? – ctb Feb 26 '14 at 16:49
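The answer's code targets the WIF 3.5 Microsoft.IdentityModel assembly. As an added example, not written by the answer's author, the same active WS-Trust call against the .NET 4.5 System.IdentityModel types, where UserNameWSTrustBinding no longer exists and a WS2007HttpBinding with a username message credential takes its place, and where AppliesTo takes an EndpointReference rather than an EndpointAddress. It also shows the relying-party side checking the returned bearer token against an expected audience and a trusted issuer thumbprint, instead of switching certificate validation off on the client. The STS URL, audience URL, issuer name and thumbprint are placeholders.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;   // RequestSecurityToken, RequestTypes, KeyTypes, EndpointReference
using System.IdentityModel.Tokens;              // GenericXmlSecurityToken, SecurityTokenHandlerCollection, ConfigurationBasedIssuerNameRegistry
using System.IO;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;             // WSTrustChannelFactory, WSTrustChannel, TrustVersion, X509CertificateValidationMode
using System.Xml;

public static class ActiveFederationNet45
{
    // Placeholder values: replace with your own STS endpoint, relying party and STS signing certificate.
    public const string StsUrl = "https://sts.example.com/adfs/services/trust/13/usernamemixed";
    public const string AudienceUrl = "https://rp.example.com/Service.svc";
    public const string IssuerThumbprint = "<thumbprint of the STS signing certificate>";

    // Client side: the active requestor collects the user's credentials itself and asks the STS for a bearer token.
    public static GenericXmlSecurityToken GetToken(string username, string password, string stsUrl, string audienceUrl)
    {
        // Username at message level over an HTTPS transport, no secure-conversation session.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsUrl))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;
        // Certificate validation is deliberately left at its default (chain trust) so the STS is authenticated.

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(audienceUrl),
            KeyType = KeyTypes.Bearer
        };

        var channel = (WSTrustChannel)factory.CreateChannel();
        try
        {
            return channel.Issue(rst) as GenericXmlSecurityToken;
        }
        finally
        {
            try { channel.Close(); } catch { channel.Abort(); }
        }
    }

    // Relying-party side: accept the token only if it is for this audience and signed by the trusted STS.
    // In a real WCF service WIF does this from the <system.identityModel> configuration; it is spelled out here
    // to show which checks matter.
    public static ClaimsIdentity ValidateToken(GenericXmlSecurityToken token, string audienceUrl, string issuerThumbprint)
    {
        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUrl));
        handlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;

        // Only tokens signed with this certificate map to a known issuer name; anything else is rejected.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerThumbprint, "sts.example.com");
        handlers.Configuration.IssuerNameRegistry = registry;

        using (var reader = XmlReader.Create(new StringReader(token.TokenXml.OuterXml)))
        {
            var securityToken = handlers.ReadToken(reader);
            var identities = handlers.ValidateToken(securityToken);   // throws on bad signature, audience or issuer
            return identities[0];
        }
    }
}
```

Usage: `var token = ActiveFederationNet45.GetToken(user, pass, ActiveFederationNet45.StsUrl, ActiveFederationNet45.AudienceUrl);` on the client, and `ActiveFederationNet45.ValidateToken(token, ActiveFederationNet45.AudienceUrl, ActiveFederationNet45.IssuerThumbprint)` where the token is consumed. The audience restriction is what stops a token issued for one relying party from being replayed at another, and the issuer registry is what ties trust to the STS's signing certificate rather than to any certificate that validates.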
0

Even I had the same problem initially, but this blog helped me a lot.

I would suggest you go through the samples first and then analyse the documentation.

WCF federation is tricky though.

Rory McCrossan
Suhas TJ