This relates to, but I'm quite sure does not duplicate, my question: Looking for a secure and robust STS implementation
Since asking that, some input from the business and some research have led me to believe that, instead of implementing a secure token service to wrap my custom identity provider, I can delegate the issuing of tokens to the identity provider itself.
The identity provider is a WCF service that returns a collection of claims when it successfully authenticates a user, based on some identifying data for the user. E.g.
```csharp
using System.Collections.Generic;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;

[ServiceContract(Namespace = "http://namespace")]
public interface IIdService
{
    // Returns the authenticated user's claims; raises IdServiceFault when authentication fails.
    [FaultContract(typeof(IdServiceFault))]
    [OperationContract]
    ICollection<Claim> Authenticate(string idDatum1, string idDatum2);
}
```
where Claim is Microsoft.IdentityModel.Claims.Claim. I am currently stuck with an example-only-quality STS implementation, as a web site project, but if at all possible I would like to simply move the task of issuing and signing tokens into the identity provider, and eventually qualify it as a WS-Federation Identity Provider that I can later include in my Azure Access Control's providers.
If this is possible, what do I need to do in the WCF service?
WS-Fed authentication works much the same way as SAML authentication does. The details of what it sends are called different things, but the flow of information is similar. WS-Fed uses a different protocol than SAML, and the information that it needs in the response token is different.
Web Services Federation (WS-Federation) is an identity protocol that allows a Security Token Service (STS) in one trust domain to provide authentication information to an STS in another trust domain when there is a trust relationship between the two domains.
The portals feature isn't limited to only Azure AD, multitenant Azure AD, or Azure AD B2C as the WS-Federation providers. You can use any other provider that conforms to the WS-Federation specification. Changes to the authentication settings might take a few minutes to be reflected on the portal.
WS-Federation is part of the larger Web Services Security (WS-Security) framework which provides a means for applying security to web services through the use of security tokens.
"One doesn't just knock together a WS-Federation Identity Provider" - there are a lot of necessary complexities involved, mostly to ensure the security, integrity and provability of the claims being asserted.
You do NOT want to get this stuff wrong - look at what happened at Target, Home Depot, Sony and others of late!
I strongly encourage you to read and re-read Michele Leroux Bustamante's "Building A Custom Security Token Service" article until you thoroughly understand the role of an STS and the various complexities involved in doing so.
Note that in order to build a secure STS you'll need to support SAML, WS-Security, WS-Trust, WS-Federation and use SSL for secure transport of tokens and data. You'll need to carefully implement the various stages of the communication protocol necessary to permit the federation of identity information.
Once you've deeply grokked the subject matter, you'll have a much better understanding of why it's likely a good idea to build an STS as a façade service that sits alongside/in-front-of your existing Identity service - rather than "pollute" your existing service with the considerable complexities involved in building an STS.
If this all seems like a heck of a lot of work, it is (and it should be - security is really, REALLY hard!).
I would strongly recommend you consider using Thinktecture's Identity Server instead of building your own. The awesome Dominick Baier & team have done an awesome job of building a robust, well engineered, open-source Identity Server that supports WS-Fed as well as OpenID, OAuth, etc.
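The façade layout this answer recommends, written out as an added example against the WIF 3.5 (Microsoft.IdentityModel) API; it is not code from the question, the answer, Thinktecture, or the article cited above. It assumes the IIdService and IdServiceFault contracts from the question are in scope, and every other class, endpoint and address name is hypothetical. It shows the two pieces that actually have to be written: a token handler that turns the WS-Trust caller's credentials into a call to the existing identity service, and an STS that checks the relying party, signs with the STS's own certificate and copies only an allow-listed subset of the returned claims into the issued token, so the identity service itself stays untouched.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;                  // SecurityToken, UserNameSecurityToken, SecurityTokenException
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;         // SecurityTokenServiceConfiguration
using Microsoft.IdentityModel.Protocols.WSTrust;     // RequestSecurityToken, WSTrustServiceHost, IWSTrust13SyncContract
using Microsoft.IdentityModel.SecurityTokenService;  // SecurityTokenService, Scope, X509SigningCredentials
using Microsoft.IdentityModel.Tokens;                // UserNameSecurityTokenHandler

// 1. Authenticate the WS-Trust caller by delegating to IIdService (the contract from the question).
//    The STS holds no credential store; it forwards the two identifying data and receives claims.
public class IdServiceUserNameHandler : UserNameSecurityTokenHandler
{
    private readonly ChannelFactory<IIdService> factory;
    public IdServiceUserNameHandler(ChannelFactory<IIdService> factory) { this.factory = factory; }

    public override bool CanValidateToken { get { return true; } }

    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        var userNameToken = token as UserNameSecurityToken;
        if (userNameToken == null) throw new SecurityTokenException("Expected a UserNameSecurityToken.");

        IIdService idService = factory.CreateChannel();
        ICollection<Claim> claims;
        try
        {
            claims = idService.Authenticate(userNameToken.UserName, userNameToken.Password);
        }
        catch (FaultException<IdServiceFault>)
        {
            // One generic error for every failure, so the requester learns nothing about why.
            throw new SecurityTokenException("Authentication failed.");
        }
        finally
        {
            var channel = (IClientChannel)idService;
            if (channel.State == CommunicationState.Faulted) channel.Abort(); else channel.Close();
        }
        var identity = new ClaimsIdentity(claims, "IdService");   // "IdService" is the hypothetical authentication type
        return new ClaimsIdentityCollection(new IClaimsIdentity[] { identity });
    }
}

// 2. The façade STS: restricts the audience, signs with the STS certificate and issues only allow-listed claims.
public class FacadeSts : SecurityTokenService
{
    private readonly FacadeStsConfiguration config;
    public FacadeSts(FacadeStsConfiguration config) : base(config) { this.config = config; }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");
        string relyingParty = request.AppliesTo.Uri.AbsoluteUri;
        if (!config.AllowedRelyingParties.Contains(relyingParty))
            throw new InvalidRequestException("Unknown relying party.");   // never issue tokens for arbitrary audiences

        var scope = new Scope(relyingParty, config.SigningCredentials);
        scope.ReplyToAddress = relyingParty;     // use the registered address, not a caller-supplied ReplyTo
        scope.TokenEncryptionRequired = false;   // assumption: relying parties are only reached over TLS
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var caller = (IClaimsIdentity)principal.Identity;   // built by IdServiceUserNameHandler above
        var output = new ClaimsIdentity();
        foreach (Claim claim in caller.Claims)
            if (config.IssuedClaimTypes.Contains(claim.ClaimType))
                output.Claims.Add(new Claim(claim.ClaimType, claim.Value, claim.ValueType));
        return output;
    }
}

// 3. Configuration and hosting. The certificate is the STS signing key; idServiceEndpointName is the
//    name of a client endpoint for IIdService in the host's app.config (hypothetical).
public class FacadeStsConfiguration : SecurityTokenServiceConfiguration
{
    public HashSet<string> AllowedRelyingParties = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public HashSet<string> IssuedClaimTypes = new HashSet<string> { ClaimTypes.Name, ClaimTypes.Role };

    public FacadeStsConfiguration(string issuerName, X509Certificate2 signingCert, string idServiceEndpointName)
        : base(issuerName, new X509SigningCredentials(signingCert))
    {
        SecurityTokenHandlers.AddOrReplace(new IdServiceUserNameHandler(new ChannelFactory<IIdService>(idServiceEndpointName)));
    }

    public override SecurityTokenService CreateSecurityTokenService() { return new FacadeSts(this); }

    public static WSTrustServiceHost Open(FacadeStsConfiguration config, Uri httpsAddress)
    {
        var host = new WSTrustServiceHost(config, httpsAddress);
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);   // TLS on the wire, UserName in the message
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;
        host.AddServiceEndpoint(typeof(IWSTrust13SyncContract), binding, string.Empty);
        host.Open();
        return host;
    }
}
```

To run it, construct a FacadeStsConfiguration with the issuer name, the signing certificate and the IIdService client endpoint name, add each relying party's AppliesTo URI to AllowedRelyingParties, and call FacadeStsConfiguration.Open with an https base address. The identity service is untouched, which is the point of the façade: the STS carries the WS-Trust protocol, audience restriction, signing and claim filtering, while IIdService keeps doing exactly what the question shows. Promoting this to a WS-Federation passive endpoint (the browser-redirect flow Azure ACS consumes) adds a web endpoint that wraps the same SecurityTokenService class, and a separate signing certificate and HTTPS-only hosting remain the minimum for either endpoint.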