The STS is the component of an issuing authority that is responsible for accepting incoming requests, validating and decrypting incoming security tokens, extracting claims from incoming tokens, packaging claims into outgoing security tokens, and encrypting outgoing security tokens. WIF makes it easy to build your own STS by handling these details, and also provides extensibility points that let you implement your security policy. A policy answers questions such as the following.
- For what relying party applications am I
providing security tokens?
- What claims do those applications care
- How should I authenticate users?
- Do different applications have different
- What partners am I federating with?
In most cases, your best choice is to use an existing STS such as Active Directory® Federation Services (AD FS) 2.0. You should use WIF if you need to implement a security policy that existing STSes don’t support.
You create your own STS by deriving from SecurityTokenService, which is provided by WIF. You must implement the following two methods on this class:
- GetScope. This method takes the caller’s IClaimsPrincipal and the incoming RST and
returns the configuration for the token issuance request, which is
represented by the Scope class. In this method, you can normalize
the relying party’s address and choose signing and encryption keys.
Typically, security tokens are encrypted so that only the relying
party can read them.
EncryptingCredentials determines whether or not tokens are encrypted. TokenEncryptionRequired and SymmetricKeyEncryptionRequired also default to true to prevent the STS from issuing insecure tokens.
- GetOutputClaimsIdentity. This method takes the caller’s
IClaimsPrincipal, the incoming RST, and
the Scope object returned from GetScope, and
returns the IClaimsIdentity to be included in the issued
token. This lets you decide which claims are included in the