I think for a good answer it's not enough to just translate something from MSDN or Wikipedia, so here it goes.
Windows Identity Foundation (WIF) is a Microsoft software framework for creating "Identity-aware" applications. It provides APIs for building ASP.NET or WCF-based security token services, as well as tools for building applications capable of "claims-aware" recognition.
Claims-aware is a common way for applications to get information about who is logging in (identity) within the corporation, or even on the Internet. It also provides a very solid approach to running intranet or internet applications.
Authentication with STS works by issuing a token by an identity-certifying agent. Read about STS here
An example of STS authentication is at this site: Nfp SP, accessing with the digital certificate option.
Now that you have the context, time to get your hands dirty.
To develop an application with STS authentication, you first need a server that is digitally signed so that it can issue your token.
Then you need to add this certificate to your TrustedIssuer list (example here).
After this, you have everything needed to implement authentication based on Windows Federated Authentication. It is very common to use smartcards for this: you just enter your PIN and unlock access to the application. Oh, and the card in turn needs to be issued by a trusted agency, for example the official press.
The example I will use is an application written in ASP.NET MVC that authenticates via WIF.
```csharp
using System;
using System.Configuration;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

public abstract class SecurityController : Controller
{
    // Fields
    // IdentitySection is the application's own ConfigurationSection type for <federatedMvc.identity>.
    private IdentitySection _identityConfig;

    // Methods
    // The STS POSTs the signed sign-in response here; a derived controller exposes it as a public action.
    [AcceptVerbs(HttpVerbs.Post), ValidateInput(false), AllowAnonymous]
    protected ActionResult ProcessToken()
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        string str = null;
        if (wSFederationAuthenticationModule.CanReadSignInResponse(System.Web.HttpContext.Current.Request, true))
        {
            // wctx is the return URL echoed back by the STS. Only honour it when it points into this
            // application; redirecting to an arbitrary value would turn this endpoint into an open redirect.
            str = System.Web.HttpContext.Current.Request.Form["wctx"];
            if (!Url.IsLocalUrl(str))
            {
                str = null;
            }
        }
        return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
    }

    // Builds the WS-Federation sign-in request and sends the browser to the STS (passive redirect is
    // disabled in web.config, so the redirect is done here explicitly).
    [AllowAnonymous]
    public ActionResult SignIn(string issuer)
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        string str = null;
        if (!base.User.Identity.IsAuthenticated)
        {
            str = new SignInRequestMessage(
                    new Uri(string.IsNullOrEmpty(issuer) ? wSFederationAuthenticationModule.Issuer : issuer),
                    wSFederationAuthenticationModule.Realm,
                    wSFederationAuthenticationModule.Reply)
                .WriteQueryString();
        }
        return new RedirectResult(str ?? wSFederationAuthenticationModule.Reply);
    }

    // Clears the local session cookie; the STS session itself is not terminated here.
    public ActionResult SignOut()
    {
        var wSFederationAuthenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
        if (base.User.Identity.IsAuthenticated)
        {
            wSFederationAuthenticationModule.SignOut(false);
        }
        return new RedirectResult(wSFederationAuthenticationModule.Reply);
    }

    // Properties
    // Lazily reads the <federatedMvc.identity> section shown below.
    protected IdentitySection IdentityConfig
    {
        get
        {
            return this._identityConfig
                ?? (this._identityConfig = (IdentitySection)ConfigurationManager.GetSection("federatedMvc.identity"));
        }
    }
}
```
federatedMvc.identity is a section of your Web.config that will hold the security keys for your STS server.
For example:
```xml
<federatedMvc.identity securityController="Seguranca">
  <authenticationUris>
    <add type="Certificate" uri="https://CapsuleCorp/Identity.STS.Certificado/Login.aspx" />
  </authenticationUris>
</federatedMvc.identity>
```
Then you also need to add the <microsoft.identityModel> section to your web.config and point the required items according to the example:
```xml
<service>
  <audienceUris>
    <!-- The token is rejected unless its audience matches one of these values. -->
    <add value="http://CapsuleCorp.com/FindDragonBalls" />
  </audienceUris>
  <federatedAuthentication>
    <!-- requireHttps="false" is only acceptable for local development; set it to true in production. -->
    <wsFederation passiveRedirectEnabled="false" persistentCookiesOnPassiveRedirects="false"
                  issuer="https://CapsuleCorp.com/Identity.STS.Certificado/Login.aspx"
                  realm="http://CapsuleCorp.com/realm" reply="http://CapsuleCorp.com/home" requireHttps="false" />
    <!-- Same for requireSsl: the session cookie should be marked secure once the site runs over HTTPS. -->
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>
  <!-- "None"/"NoCheck" disable chain and revocation validation of the signing certificate;
       use them only while testing against a self-signed STS. -->
  <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
  <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
      <!-- Only tokens signed by a certificate with this thumbprint are accepted;
           the name becomes the Issuer of every claim in the token. -->
      <add name="CN=CapsuleCert" thumbprint="89cf12ef1f36a9bacaa4e813a44bb699bb46c359" />
    </trustedIssuers>
  </issuerNameRegistry>
</service>
```
After this you can consult all the claims returned by the claims service, deny access or redirect somewhere; then the sky is the limit. Based on each claim you can direct your efforts. Any questions, don't hesitate to ask.
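As an added example (not code from the original answer), here is what consulting the claims after sign-in can look like: a concrete controller for securityController="Seguranca" from the config above, and an action that only grants access when the expected claim was issued by the STS registered under <trustedIssuers>. The claim type, the controller and action names are assumptions.

```csharp
using System.Linq;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;

// Concrete controller for securityController="Seguranca" (assumed name from the config above).
public class SegurancaController : SecurityController
{
    // Routable POST endpoint the STS posts the token to; the base class reads and validates it.
    [HttpPost, ValidateInput(false), AllowAnonymous]
    public ActionResult Token()
    {
        return ProcessToken();
    }
}

public class FindDragonBallsController : Controller
{
    // Must equal the name registered under <trustedIssuers> in web.config.
    private const string TrustedIssuer = "CN=CapsuleCert";
    // Hypothetical claim type the STS is assumed to issue.
    private const string ClearanceClaim = "http://CapsuleCorp.com/claims/clearance";

    public ActionResult Index()
    {
        var identity = User.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return RedirectToAction("SignIn", "Seguranca");
        }

        // Filter on Issuer as well as ClaimType: WIF fills Issuer from the issuerNameRegistry,
        // so a claim of the right type from any other signer is ignored.
        var clearance = identity.Claims.FirstOrDefault(c =>
            c.ClaimType == ClearanceClaim && c.Issuer == TrustedIssuer);
        if (clearance == null)
        {
            return new HttpStatusCodeResult(403, "Missing clearance claim from trusted STS");
        }

        // Everything the STS asserted about the user, e.g. for auditing or a diagnostics view.
        var allClaims = identity.Claims
            .Select(c => string.Format("{0} = {1} (issuer: {2})", c.ClaimType, c.Value, c.Issuer))
            .ToList();
        ViewBag.Clearance = clearance.Value;
        ViewBag.Claims = allClaims;
        return View();
    }
}
```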