Chapter 3. Advanced Programming with Windows Identity Foundation

In this chapter, we will go deeper into the anatomy of Windows Identity Foundation and explore the runtime features that help in creating Security Token Service implementations for real-world scenarios. We'll cover the following:

  • Implementing the claims pipeline
  • Designing a custom Identity Provider Security Token Service (IP-STS)
  • Designing a custom Relying Party Security Token Service (RP-STS)
  • Implementing support for SAML 2.0 Tokens
  • Implementing Windows identity impersonation with the Claims to Windows Token Service (C2WTS)
  • Troubleshooting and monitoring in WIF

Introduction

In the previous chapter, we saw the implementation of SecurityTokenService (Microsoft.IdentityModel.SecurityTokenService) that comes with the WIF runtime. That implementation is used for authentication and authorization in a federation scenario, and it satisfies the identity needs of most applications developed on .NET Framework 4.0. However, there are scenarios where you need better control over how the security token is generated (and encrypted) and sent across trust realms. What if an out-of-band metadata exchange is not possible? What if you need to create a security token based on the SAML 2.0 Web Browser SSO Profiles specification?

Note

The WIF runtime has no direct support for SAML 2.0 Profiles. The new SAML 2.0 CTP release for WIF, available as a separate download, provides better guidance on implementing SAML 2.0 specifications using WIF.

The recipes in this chapter are designed to demonstrate how to write your own implementation of a Security Token Service using the WIF runtime features, giving you better control over the process of creating, transmitting, and consuming a security token based on the SAML 1.1 and SAML 2.0 specifications. In addition, we will discuss the process of implementing on-demand user impersonation and protecting static content using the Claims-to-Windows Token Service (C2WTS), and look at ways of troubleshooting issues with the WIF runtime.
