
WIF, STS and Membership tables

I'm currently looking into using WIF for an upcoming project and would appreciate some help finding information. I've looked around a bit and don't have a decisive answer.

I have a current site that runs off ASP membership, and I have a large number of users in those tables.

  • Are there any trusted custom STS's out there that use the membership table?
  • Would my current site, which uses ASP membership, require much change to use WIF and an STS?
  • Do I have to use a certificate when using WIF?
  • What is the difference between ADFS and ASP Membership implementation?
  • Are there any easier MS-based solutions to SSO out there?

Thank you for any help you can provide.

Bob asked Mar 19 '12 15:03


2 Answers

  • Take a look at IdentityServer for a custom STS that uses the SQL Server Membership Provider. (Update: The project page is changed to http://thinktecture.github.io/Thinktecture.IdentityServer.v2/ Code has moved to https://github.com/thinktecture/Thinktecture.IdentityServer.v2)

  • Most of the changes to your current site would involve configuration and including the Windows Identity Foundation (WIF) library. Since the identity model in WIF builds on top of the ASP.NET identity model, there shouldn't be much of a coding change unless you're doing anything highly customized with the user principal.

  • At the minimum, you will need two certificates. First, you will need an SSL certificate for your site since the AD FS endpoint must be HTTPS. You will also need a signing certificate on AD FS and your web server that will be used to validate the token that AD FS delivers. You can optionally encrypt the security token, which would require another certificate.

  • AD FS uses Active Directory Domain Services (AD DS) for authentication. Since it's an STS, there's really no comparison between it and the ASP.NET Membership provider. Take a look at this article for a complete explanation of claims-based authentication.

  • If you're looking for an easier SSO solution, there are options out there. I would google around since you'll find several .NET solutions. I can't speak to any one in particular since it depends on your requirements.

Hopefully this helps.

Garrett Vlieger answered Nov 14 '22 02:11


Take a look at: Get Started with Windows Identity Foundation.

@Garrett has summed it up pretty well.

I assume your application is ASP.NET?

Just to add that for your second question (re. changes), for authentication, there aren't many changes beyond configuration and including WIF.

However, for authorisation you will now receive all the attributes you require bundled up as claims. This may be a non-trivial change depending on how you currently access these attributes.

For ADFS, these attributes can be derived from AD, LDAP, SQL Server or via a custom claims provider.

rbrayb answered Nov 14 '22 01:11
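
Added example, not part of either answer: one way the authorisation change described in the second answer can look once user attributes arrive as claims instead of being read from the membership tables. It assumes .NET 4.5's `System.Security.Claims` (where WIF was integrated); `AppUser`, `ClaimsMapper`, the issuer names and the sample claims are hypothetical and constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public sealed class AppUser { public string Name, Email; public string[] Roles; }
public static class ClaimsMapper   // hypothetical helper, not a WIF type
{
    const string TrustedIssuer = "sts.example.test";   // constructed placeholder
    public static AppUser FromPrincipal(ClaimsPrincipal principal)
    {
        var id = principal.Identity as ClaimsIdentity;
        if (id == null || !id.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated claims identity.");

        // Only honour claims issued by the STS this application trusts.
        var trusted = id.Claims.Where(c => c.Issuer == TrustedIssuer).ToList();

        // Required attributes fail closed instead of defaulting to empty values.
        Func<string, string> required = type =>
        {
            var claim = trusted.FirstOrDefault(c => c.Type == type);
            if (claim == null) throw new UnauthorizedAccessException("Missing claim: " + type);
            return claim.Value;
        };

        return new AppUser
        {
            Name = required(ClaimTypes.Name),
            Email = required(ClaimTypes.Email),
            Roles = trusted.Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToArray()
        };
    }
}

public static class Demo
{
    static Claim C(string t, string v, string iss) { return new Claim(t, v, ClaimValueTypes.String, iss); }
    public static void Main()
    {
        // Constructed sample claims; the "Admin" role comes from an issuer we do not trust.
        var identity = new ClaimsIdentity(new[] {
            C(ClaimTypes.Name, "bob", "sts.example.test"),
            C(ClaimTypes.Email, "bob@example.test", "sts.example.test"),
            C(ClaimTypes.Role, "Editor", "sts.example.test"),
            C(ClaimTypes.Role, "Admin", "other.example.test") }, "Federation");
        var user = ClaimsMapper.FromPrincipal(new ClaimsPrincipal(identity));
        Console.WriteLine("{0} <{1}> roles: {2}", user.Name, user.Email, string.Join(",", user.Roles));
    }
}
```

On WIF 3.5 the equivalent types live in `Microsoft.IdentityModel.Claims` (`IClaimsPrincipal`, `IClaimsIdentity`), and `Claim.Issuer` carries the name the configured issuer name registry assigned to the token's signing certificate.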