1

I'm currently assessing ways to implement authentication & authorization in a .NET SOA environment (ASP.NET MVC, WCF).

I have concluded that using Windows Identity Foundation with an STS should fulfill our criteria.

I'm having a hard time finding any suitable STS to work with WIF other than ADFS. I know there are multiple options, but there is no documentation/experience available on how well these play together with WIF.

Summa summarum, multiple questions:

Is this a dumb idea?

Is there any STS product that plays together with WIF smoothly? Any resources on this?

Are there products that allow me to implement centralized (yet scalable) authorization (even with XACML support)?

What is your experience using WSO2 Identity Server with ADFS/WIF?

WSO2 Identity Server has some XACML capabilities but how can these be used in authorization with WCF services?

Fdr
  • Can you clarify whether or not you'll have an ADFS server as part of your architecture? For example, it's not clear to me whether you have an ADFS server you want to federate with other STSes such as WSO2, or if you want to replace ADFS altogether. (Also, if ADFS isn't a viable option for you, can you explain why?) – Andrew Lavers Mar 30 '12 at 21:25
  • @AndrewLavers Yes, ADFS is an option and can be part of the architecture. The main reason why I'm considering other options besides ADFS is because ADFS (to my knowledge at least) doesn't support databases as a user store. And why I care: well, I want to have a way to access & scale user data, and AD is a bit unknown territory for me. I know there are some APIs for accessing AD, but I have no idea what kind of performance, scalability etc. they have. The easiest way would be to use some STS product supporting RDBs out of the box. – Fdr Apr 02 '12 at 05:20

3 Answers

1

WSO2 Identity Server can be integrated with ADFS. It can also be run as an XACML engine. The XACML engine is exposed to the outside as a SOAP endpoint as well as a Thrift endpoint.

Disclaimer: I am an architect at WSO2.

Prabath Siriwardena
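The question asks how an external XACML engine could actually be used for authorization in WCF services. The following is an added example (not code from the question, from this answer or from WSO2) of the WCF side of that arrangement: a WIF `ClaimsAuthorizationManager` that turns each call into a XACML 3.0 request, sends it to a policy decision point and only grants access on an explicit Permit. It targets the `System.Security.Claims` types integrated into .NET 4.5 (the WIF 1.0 `Microsoft.IdentityModel` version differs mainly in namespaces). The PDP address, the plain HTTP POST transport and the `example.invalid` host are assumptions; a real product wraps the same XACML request/response documents in its own SOAP or REST envelope.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Xml.Linq;

// Hypothetical WCF-side authorization manager that delegates every access
// decision to an external XACML 3.0 PDP. PDP address and HTTP POST transport
// are assumptions; swap PostXml for the product's own client if needed.
public class XacmlClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    private static readonly Uri PdpEndpoint = new Uri("https://pdp.example.invalid/decision"); // placeholder
    private static readonly XNamespace Xacml = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    private const string StringType = "http://www.w3.org/2001/XMLSchema#string";

    // Transport is injectable so the manager can be exercised without a live PDP.
    private readonly Func<string, string> sendToPdp;

    public XacmlClaimsAuthorizationManager() : this(PostXml) { }

    public XacmlClaimsAuthorizationManager(Func<string, string> sendToPdp)
    {
        if (sendToPdp == null) throw new ArgumentNullException("sendToPdp");
        this.sendToPdp = sendToPdp;
    }

    // Fail closed: only a single explicit Permit grants access. Deny, NotApplicable,
    // Indeterminate, a malformed response or a transport error all yield false.
    public override bool CheckAccess(AuthorizationContext context)
    {
        try
        {
            return ParseDecision(sendToPdp(BuildRequest(context))) == "Permit";
        }
        catch (Exception)
        {
            return false;
        }
    }

    // Maps the WIF AuthorizationContext onto the standard XACML categories: the
    // caller's name and roles as the access-subject, and the claims WIF's WCF
    // integration places in context.Resource / context.Action as resource-id / action-id.
    public static string BuildRequest(AuthorizationContext context)
    {
        ClaimsPrincipal principal = context.Principal;
        string name = principal.Identity == null ? string.Empty : (principal.Identity.Name ?? string.Empty);

        var subject = new XElement(Xacml + "Attributes",
            new XAttribute("Category", "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"),
            XacmlAttribute("urn:oasis:names:tc:xacml:1.0:subject:subject-id", name));
        foreach (Claim role in principal.FindAll(ClaimTypes.Role))
            subject.Add(XacmlAttribute("urn:oasis:names:tc:xacml:2.0:subject:role", role.Value));

        var resource = new XElement(Xacml + "Attributes",
            new XAttribute("Category", "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"),
            XacmlAttribute("urn:oasis:names:tc:xacml:1.0:resource:resource-id", FirstValue(context.Resource)));

        var action = new XElement(Xacml + "Attributes",
            new XAttribute("Category", "urn:oasis:names:tc:xacml:3.0:attribute-category:action"),
            XacmlAttribute("urn:oasis:names:tc:xacml:1.0:action:action-id", FirstValue(context.Action)));

        var request = new XElement(Xacml + "Request",
            new XAttribute("CombinedDecision", "false"),
            new XAttribute("ReturnPolicyIdList", "false"),
            subject, resource, action);
        return request.ToString(SaveOptions.DisableFormatting);
    }

    // Returns the Decision text of a XACML Response containing exactly one Result;
    // anything else (no Result, several Results, no Decision) is Indeterminate.
    public static string ParseDecision(string responseXml)
    {
        XDocument doc = XDocument.Parse(responseXml);
        List<XElement> results = doc.Descendants().Where(e => e.Name.LocalName == "Result").ToList();
        if (results.Count != 1) return "Indeterminate";
        XElement decision = results[0].Elements().FirstOrDefault(e => e.Name.LocalName == "Decision");
        return decision == null ? "Indeterminate" : decision.Value.Trim();
    }

    private static XElement XacmlAttribute(string id, string value)
    {
        return new XElement(Xacml + "Attribute",
            new XAttribute("AttributeId", id),
            new XAttribute("IncludeInResult", "false"),
            new XElement(Xacml + "AttributeValue", new XAttribute("DataType", StringType), value));
    }

    private static string FirstValue(IEnumerable<Claim> claims)
    {
        return claims == null || !claims.Any() ? string.Empty : claims.First().Value;
    }

    // Assumed transport: plain HTTP POST of the XACML request body to the PDP.
    private static string PostXml(string requestXml)
    {
        using (var client = new WebClient())
        {
            client.Headers[HttpRequestHeader.ContentType] = "application/xml";
            return client.UploadString(PdpEndpoint, requestXml);
        }
    }
}
```

In .NET 4.5 the manager is registered under `<system.identityModel><identityConfiguration><claimsAuthorizationManager type="..."/>` and picked up by a WCF host whose `serviceCredentials` has `useIdentityConfiguration="true"`; the injectable `sendToPdp` delegate lets you unit-test the request building and the fail-closed parsing with canned Permit/Deny responses before pointing it at a real engine.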
1

There is Starter STS

http://startersts.codeplex.com/

which has lately been replaced by the IdentityServer:

http://identityserver.codeplex.com/

It's been around for a while and has some features ADFS lacks (like the ability to use a MembershipProvider to authenticate users).

Also, crafting your own STS is relatively easy. There are some good tutorials around; I've also written a few posts on this:

http://netpl.blogspot.com/2011/08/quest-for-customizing-adfs-sign-in-web.html

Wiktor Zychla
  • I already knew about IdentityServer, but there is one concern: is this mature enough? I don't want to introduce any liability by adding a one-man OS project. Same thing for writing my own STS: I'm not a security expert, so I would like to use code that has been thoroughly tested and deployed. – Fdr Apr 02 '12 at 05:11
  • 1
    If you care much about security and still want to have a db as a user store then I recommend my 6 part tutorial showing how to federate ADFS with a custom STS in the background so that ADFS authenticates users in your custom STS and the STS is NOT exposed to end users. Start with the link above and read on all parts of the tutorial. – Wiktor Zychla Apr 02 '12 at 07:22
  • Thank you, this seems like a really interesting approach. Do I need an additional license besides the server license when using ADFS to federate to a custom STS? PS: What has happened to the Identity Server codeplex repo? The source was removed in February. – Fdr Apr 04 '12 at 06:52
  • @Fdr: I don't remember any license other than the proper server license. – Wiktor Zychla Apr 04 '12 at 07:31
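The answer above says crafting your own STS is relatively easy, and the comments raise the worry about getting the security of a hand-written STS right. The following is an added example (not code from the answer or from the linked tutorial) of the shape such an STS takes on the `System.IdentityModel` classes integrated into .NET 4.5: a `SecurityTokenService` subclass that authenticates against a database-backed user store and, crucially, only issues tokens for an explicit allowlist of relying parties and never honours an unvalidated ReplyTo. The `IUserStore` interface, the `example.invalid` addresses and the certificate are assumptions; the WIF 1.0 `Microsoft.IdentityModel` version uses different namespaces.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// Hypothetical user store (e.g. backed by an RDBMS); only the lookup the STS
// needs is modelled here.
public interface IUserStore
{
    IEnumerable<string> GetRoles(string userName);
}

// Minimal custom STS. The relying-party allowlist and issuer name are placeholders.
public class DatabaseBackedSts : SecurityTokenService
{
    // Explicit allowlist: the STS must never mint tokens for an arbitrary AppliesTo.
    private static readonly HashSet<string> AllowedRelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.invalid/"   // placeholder RP address
        };

    private readonly IUserStore userStore;

    public DatabaseBackedSts(SecurityTokenServiceConfiguration configuration, IUserStore userStore)
        : base(configuration)
    {
        if (userStore == null) throw new ArgumentNullException("userStore");
        this.userStore = userStore;
    }

    // Called for each RST: validates AppliesTo and fixes signing/reply settings.
    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");

        string appliesTo = request.AppliesTo.Uri.OriginalString;
        if (!AllowedRelyingParties.Contains(appliesTo))
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);

        var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // demo only; set EncryptingCredentials for real RPs
        scope.ReplyToAddress = appliesTo;      // ignore request.ReplyTo: it is attacker-controllable
        return scope;
    }

    // Builds the claims that go into the issued token from the authenticated caller
    // plus the roles held in the user store.
    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated.");

        string userName = principal.Identity.Name;
        var identity = new ClaimsIdentity("CustomSts");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (string role in userStore.GetRoles(userName))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}

// Configuration that wires the signing certificate and the user store into the STS.
public class DatabaseBackedStsConfiguration : SecurityTokenServiceConfiguration
{
    private readonly IUserStore userStore;

    public DatabaseBackedStsConfiguration(X509Certificate2 signingCertificate, IUserStore userStore)
        : base("https://sts.example.invalid/", new X509SigningCredentials(signingCertificate)) // placeholder issuer
    {
        if (userStore == null) throw new ArgumentNullException("userStore");
        this.userStore = userStore;
    }

    public override SecurityTokenService CreateSecurityTokenService()
    {
        return new DatabaseBackedSts(this, userStore);
    }
}
```

Authenticating the caller (the part that talks to the database for credentials) happens before the STS runs, in the WS-Trust binding's credential validation or the sign-in page; the STS itself only ever sees an already authenticated `ClaimsPrincipal`, which is why `GetOutputClaimsIdentity` refuses anything that is not `IsAuthenticated`.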
0

No experience of WSO2 but if you don't want to use ADFS you'll have no problems with Identity Server. Both ADFS and Identity Server and more commercial products such as Ping Identity play very nicely with WIF.

rbrayb