Do not right-click on your project and select “Add STS Reference...” in an ASP.NET STS project. Doing so will overwrite your STS’s metadata.
In Visual Studio, open the File menu and select New, Web Site. Select ASP.NET Security Token Service Web Site.
If you look at your web.config file, you’ll see a number of differences from the web.config for a typical ASP.NET Web site.
- The following application settings have been

  ```xml
  <appSettings>
    <add key="IssuerName" value="PassiveSigninSTS"/>
    <add key="SigningCertificateName" value="CN=STSTestCert"/>
    <add key="EncryptingCertificateName" value=""/>
  </appSettings>
  ```
- All users have been granted access to the federation metadata. The federation metadata contains information about the public key of the token signing certificate, the endpoints that are exposed by the STS, and what claims are

  ```xml
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  ```
- The <system.web>/<assemblies> element now contains a reference to the Microsoft.IdentityModel.dll assembly:

  ```xml
  <add assembly="Microsoft.IdentityModel, Version=220.127.116.11, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  ```
- Forms authentication and a login page are

  ```xml
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/"
           requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx"
           cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
  </authentication>
  <!-- Deny Anonymous users. -->
  <authorization>
    <deny users="?" />
  </authorization>
  ```
- A trace has been added, which you can uncomment to enable tracing. For more information, see WIF Tracing and How to: Enable

  ```xml
  <!-- Uncomment the lines below to enable WIF tracing to: WIFTrace.e2e.
       Open the trace file using the SvcTraceViewer.exe tool (shipped with the WCF SDK
       available from Microsoft) or a xml viewer. Refer to MSDN if you wish to add WCF tracing. -->
  <!--<system.diagnostics>
    <sources>
      <source name="Microsoft.IdentityModel" switchValue="Verbose">
        <listeners>
          <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="WIFTrace.e2e" />
        </listeners>
      </source>
    </sources>
    <trace autoflush="true" />
  </system.diagnostics>-->
  ```
In the App_Code folder, open CustomSecurityTokenService.cs.
- static readonly string PassiveRedirectBasedClaimsAwareWebApps to include the URLs of relying party applications to which you want this STS to issue tokens.
- In the override of the GetOutputClaimsIdentity method, add the claims that your relying party application requires the STS to issue, as well as any custom claims that you want your STS to issue.
CustomSecurityTokenService.cs implements the following required methods.
- GetScope. This method takes the caller’s IClaimsPrincipal and the incoming RST and returns the configuration for the token issuance request, which is represented by the Scope class. In this method, you can normalize the relying party’s address and choose signing and encryption keys. Typically, security tokens are encrypted so that only the relying party can read them.
- GetOutputClaimsIdentity. This method takes the caller’s IClaimsPrincipal, the incoming RST, and the Scope object returned from GetScope, and returns the IClaimsIdentity to be included in the issued token. This lets you decide which claims are included in the
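The following is an added example of how the two overrides described above fit together; it is not the code generated by the ASP.NET Security Token Service Web Site template, nor code from this page. It assumes the WIF 3.5 Microsoft.IdentityModel API (SecurityTokenService, Scope, RequestSecurityToken, X509EncryptingCredentials, InvalidRequestException). The relying-party hostnames, the Users store, the department claim type URI and the encryptingCert constructor parameter are all constructed for the example; in the template the allowlist is the PassiveRedirectBasedClaimsAwareWebApps string, which this example replaces with a set so that the comparison is an exact origin match rather than a substring test. GetScope rejects any AppliesTo or ReplyTo that is not on the allowlist and requires token encryption whenever a certificate is available; GetOutputClaimsIdentity refuses unauthenticated callers and issues only the name, role and one custom claim rather than copying the caller's whole identity.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Added example, not the page's or the project template's code: a custom STS that keeps
// an explicit relying-party allowlist and issues a small, deliberate claim set.
public class ExampleSecurityTokenService : SecurityTokenService
{
    // Constructed allowlist standing in for the template's
    // PassiveRedirectBasedClaimsAwareWebApps string; the hosts are placeholders.
    private static readonly HashSet<string> TrustedRelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://rp.example.test/",
            "https://orders.example.test/",
        };

    // Constructed user store (department first, then roles) standing in for a real directory.
    private static readonly Dictionary<string, string[]> Users =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Sales", "Manager", "Employee" } },
        };

    // Hypothetical token-encryption certificate; null means tokens are issued unencrypted.
    private readonly X509Certificate2 encryptingCertificate;

    public ExampleSecurityTokenService(SecurityTokenServiceConfiguration config, X509Certificate2 encryptingCert)
        : base(config)
    {
        this.encryptingCertificate = encryptingCert;
    }

    // Exact match on the normalized https origin. A prefix or substring comparison would
    // accept look-alike hosts, so the address is parsed and its origin compared whole.
    private static bool IsTrustedRelyingParty(string address)
    {
        Uri uri;
        if (!Uri.TryCreate(address, UriKind.Absolute, out uri) || uri.Scheme != Uri.UriSchemeHttps)
            return false;
        return TrustedRelyingParties.Contains(uri.GetLeftPart(UriPartial.Authority) + "/");
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null
            || !IsTrustedRelyingParty(request.AppliesTo.Uri.AbsoluteUri))
            throw new InvalidRequestException("AppliesTo is not a registered relying party.");

        // Sign with the credentials configured on SecurityTokenServiceConfiguration.
        Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);

        if (encryptingCertificate != null)
            scope.EncryptingCredentials = new X509EncryptingCredentials(encryptingCertificate);
        else
            scope.TokenEncryptionRequired = false; // relax only for relying parties that cannot decrypt tokens

        // ReplyTo is where the signed token is posted back, so it is held to the same
        // allowlist instead of being taken from the request as-is.
        string replyTo = string.IsNullOrEmpty(request.ReplyTo) ? scope.AppliesToAddress : request.ReplyTo;
        if (!IsTrustedRelyingParty(replyTo))
            throw new InvalidRequestException("ReplyTo is not a registered relying party.");
        scope.ReplyToAddress = replyTo;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
                                                               RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("The caller is not authenticated.");

        string[] entry;
        string userName = principal.Identity.Name;
        if (!Users.TryGetValue(userName, out entry))
            throw new InvalidRequestException("The caller is not known to this STS.");

        // Issue only what the relying party needs: name, roles, and one custom claim.
        ClaimsIdentity outputIdentity = new ClaimsIdentity();
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, userName));
        outputIdentity.Claims.Add(new Claim("http://schemas.example.test/claims/department", entry[0]));
        for (int i = 1; i < entry.Length; i++)
            outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, entry[i]));
        return outputIdentity;
    }
}
```

To wire this in, construct it where the template constructs its CustomSecurityTokenService (the STS configuration object carries the signing credentials from the SigningCertificateName setting) and pass the certificate named by EncryptingCertificateName, or null when that setting is empty. The two points worth keeping whatever else changes are that both AppliesTo and ReplyTo are checked against the same allowlist before any token is signed, and that the claims added in GetOutputClaimsIdentity are an explicit list rather than a copy of the caller's identity.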