A passive STS is an STS that implements security token issuance using the WS-Federation passive protocol. In WIF, a passive STS is usually built as an ASP.NET Web site and is hosted in IIS. WIF provides the ASP.NET Security Token Service Web Site template to help you build a simple STS that can be used for evaluation. A production STS must be designed for the scalability and security requirements of your business. Do not use the simple STS as-is in your production environment. For more information, see ASP.NET Security Token Service Web Site.

The WIF STS instancing model is per-call. This means that an STS instance is intended for a single use only: you create a new instance of an STS, make the necessary method calls (such as Issue), and then discard that STS instance. If you reuse the same STS instance to call Issue across multiple token requests, rather than creating a new STS instance for each token request, the behavior is undefined.
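
The following added example (not code from the WIF template) shows the per-call model in a passive sign-in page: the configuration object is read from application state, while the STS instance is created inside the request and never stored. The page name `SignIn` and the `"StsConfig"` application-state key are assumptions; the configuration is assumed to have been built once at application start with its `SecurityTokenService` type set to your STS class.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;

public partial class SignIn : Page
{
    // Assumption: a SecurityTokenServiceConfiguration (issuer name, signing
    // credentials, STS type) was stored under this hypothetical key at
    // application start. It is only read here, never modified per request.
    private static SecurityTokenServiceConfiguration Config
    {
        get { return (SecurityTokenServiceConfiguration)HttpContext.Current.Application["StsConfig"]; }
    }

    // Do NOT do this: a single STS instance shared by every token request
    // is outside the per-call model, and its behavior is undefined.
    // private static readonly SecurityTokenService SharedSts = Config.CreateSecurityTokenService();

    protected void Page_PreRender(object sender, EventArgs e)
    {
        // Only issue tokens to a caller the hosting site has authenticated.
        if (User == null || User.Identity == null || !User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException();

        // Parse the WS-Federation passive request from the query string.
        var request = WSFederationMessage.CreateFromUri(Request.Url) as SignInRequestMessage;
        if (request == null)
            throw new InvalidOperationException("Expected a WS-Federation sign-in request.");

        // Per-call: a new STS instance that serves this token request only.
        SecurityTokenService sts = Config.CreateSecurityTokenService();

        // ProcessSignInRequest calls Issue on the instance passed to it.
        SignInResponseMessage response =
            FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(request, User, sts);
        FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(response, Response);

        // 'sts' goes out of scope here. Do not keep it in a field, the
        // session, or a cache for use by a later request.
    }
}
```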