0 votes

We have implemented SSO (Single Sign-On) for a group of websites with different domain names using passive federated identity (C#, ASP.NET MVC 3, WIF). The setup works fine, as it follows standard passive federation with the login page hosted on the STS.

www.brand1.com
www.brand2.com
...
www.sts.com (login page hosted here)

Now the client wants the login pages to be implemented on each relying party so that the user is not redirected to the STS. The reason is that each relying party is a known brand, so redirecting to a different domain name (the one hosting the STS) is not acceptable for the respective brand. Customizing the login pages on the STS for each brand is not acceptable either.

Is there a way to move login pages to relying parties?

1 Answer

2 votes

There are two routes you could go with this:

  1. You can create a login page on each relying party that uses active federation to authenticate your users. This is dependent on the STS offering a WS-Trust endpoint.
  2. If you have control over the STS code, you can simply have your relying parties POST the login credentials (username/password) to the STS, and the STS site would process the authentication request as before. This is an approach I've used successfully in the past.

Hopefully this helps.
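The first route (an RP-hosted login page that talks to the STS over WS-Trust) as an added example, not code from the answer above. It assumes WIF 3.5 (`Microsoft.IdentityModel` namespaces), a hypothetical username/password WS-Trust 1.3 endpoint on the STS, and that the RP's web.config already carries the audience, issuer and certificate settings the passive setup used:

```csharp
// Added example: brand-site login action that obtains a token from the STS's
// WS-Trust endpoint and starts the local WIF session, so the browser never
// leaves www.brand1.com. Endpoint and realm values are assumptions.
using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Web.Mvc;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class AccountController : Controller
{
    const string StsEndpoint = "https://www.sts.com/trust/13/usernamemixed"; // hypothetical
    const string Realm = "https://www.brand1.com/";                           // this RP's realm

    [HttpPost]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // Credentials are sent in the SOAP message over TLS only.
        var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint))
            { TrustVersion = TrustVersion.WSTrust13 };
        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;
        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo = new EndpointAddress(Realm),
            KeyType = WSTrust13Constants.KeyTypes.Bearer
        };
        try
        {
            var issued = (GenericXmlSecurityToken)((WSTrustChannel)factory.CreateChannel()).Issue(rst);
            // Validate with the same handlers the passive FAM uses: audience, issuer, signature, lifetime.
            var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
            using (var reader = XmlReader.Create(new StringReader(issued.TokenXml.OuterXml)))
            {
                var identities = handlers.ValidateToken(handlers.ReadToken(reader));
                var session = new SessionSecurityToken(new ClaimsPrincipal(identities));
                FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(session);
            }
            return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
        }
        catch (MessageSecurityException) // STS rejected the credentials
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }
    }
}
```

Because the token is validated by the RP's own handler collection, the same issuer and audience checks that protect the passive flow still apply, and the resulting session cookie is indistinguishable from one created by the redirect-based login.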