
I am setting up a STS using WIF which will support active and passive federation.

There will be multiple services which use the STS as relying parties.

I want to know how the scenario works and is implemented where one service (e.g. RelyingParty1) is the client of another service (e.g. RelyingParty2), where the client of RelyingParty1 (a physical person/user) authenticates via STS/IdP username and login, and RelyingParty1 wants to use RelyingParty2.

Does RP2 communicate with the STS at all, or is a valid token passed from RP1 to RP2? Is there specific configuration needed for this?

If RP2 can/does communicate with STS to verify token/authenticate (SSO is not a requirement so checking each time might be desirable) how does the STS know to use the physical user of RP1 as the IClaimsIdentity/IClaimsPrincipal and not the user that RP1 is running as?


1 Answer


A Relying Party (RP) is the entity that expects a Security Token from an STS (an issuer of tokens). A user of the RP is called a "subject" (or user) and it is not an RP.

The RP knows that the token is valid because it is digitally signed by the STS it trusts, so (generally) no communication between the RP and the STS is required.

You can chain STSs:

RP -> STS1 -> STS2 -> User

In this scenario, STS1 is also a "Relying Party" because it is relying on STS2 to get a valid token. In this scenario STS1 may also be called a "Federation Provider".

I would suggest reading the first chapter of this guide: http://msdn.microsoft.com/en-us/library/ff423674.aspx

It will give you an introduction to the terminology and architecture.
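The two points of the answer above, that an RP validates a token by checking the issuer's signature offline and that an STS can itself be a relying party toward another STS (the RP -> STS1 -> STS2 -> User chain), can be shown in a small self-contained model. The following Go program is an added example written for this page; it is not code from the answer, from WIF or from the linked MSDN guide. It assumes a constructed JSON claim set signed with Ed25519 as a stand-in for the SAML or JWT tokens and X.509 signing certificates a real WIF STS would use, and the `Federate` method and the `upstream_issuer` claim are assumptions chosen to make the chain visible. The subject is carried through the chain as a claim in the token STS1 reissues, which is how the downstream RP ends up with the physical user, not STS1's own identity, as the principal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is a constructed, simplified claim set. Real tokens (SAML, JWT) carry
// more, but issuer, subject, audience and expiry are the fields every RP checks.
type Claims struct {
	Issuer   string            `json:"iss"`
	Subject  string            `json:"sub"`
	Audience string            `json:"aud"`
	Expires  int64             `json:"exp"`
	Extra    map[string]string `json:"extra,omitempty"`
}

// Token is the signed claim set: the bytes that were signed plus the signature.
type Token struct {
	Body []byte
	Sig  []byte
}

// STS issues tokens under its own signing key. When it trusts another STS's key
// it can also act as a relying party toward that STS (a federation provider).
type STS struct {
	Name    string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	trusted map[string]ed25519.PublicKey // issuer name -> verification key
}

func NewSTS(name string) *STS {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &STS{Name: name, priv: priv, Pub: pub, trusted: map[string]ed25519.PublicKey{}}
}

// Trust registers an upstream issuer whose tokens this STS will accept.
func (s *STS) Trust(issuer string, key ed25519.PublicKey) { s.trusted[issuer] = key }

// Issue signs a claim set for one audience with a short lifetime (5 minutes, an assumption).
func (s *STS) Issue(subject, audience string, extra map[string]string, now time.Time) Token {
	body, _ := json.Marshal(Claims{Issuer: s.Name, Subject: subject, Audience: audience,
		Expires: now.Add(5 * time.Minute).Unix(), Extra: extra})
	return Token{Body: body, Sig: ed25519.Sign(s.priv, body)}
}

// Validate is what any relying party does: look up the issuer's trusted key, verify the
// signature over the body, then check audience and expiry. No call back to the STS.
func Validate(tok Token, trusted map[string]ed25519.PublicKey, audience string, now time.Time) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(tok.Body, &c); err != nil {
		return Claims{}, err
	}
	key, ok := trusted[c.Issuer]
	if !ok {
		return Claims{}, errors.New("untrusted issuer: " + c.Issuer)
	}
	if !ed25519.Verify(key, tok.Body, tok.Sig) {
		return Claims{}, errors.New("signature does not verify")
	}
	if c.Audience != audience {
		return Claims{}, errors.New("token not issued for this audience: " + c.Audience)
	}
	if now.Unix() >= c.Expires {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Federate makes this STS behave as STS1 in the chain: it is the relying party for the
// incoming token (audience must be itself), then reissues the same subject and claims for
// the downstream RP under its own key. "upstream_issuer" is an assumed claim name.
func (s *STS) Federate(in Token, audience string, now time.Time) (Token, error) {
	c, err := Validate(in, s.trusted, s.Name, now)
	if err != nil {
		return Token{}, err
	}
	extra := map[string]string{"upstream_issuer": c.Issuer}
	for k, v := range c.Extra {
		extra[k] = v
	}
	return s.Issue(c.Subject, audience, extra, now), nil
}

func main() {
	now := time.Now()
	idp := NewSTS("STS2") // identity provider that authenticates the user
	fp := NewSTS("STS1")  // federation provider the RP actually trusts
	fp.Trust("STS2", idp.Pub)
	userTok := idp.Issue("alice", "STS1", map[string]string{"role": "reader"}, now)
	rpTok, err := fp.Federate(userTok, "RP", now)
	if err != nil {
		panic(err)
	}
	c, err := Validate(rpTok, map[string]ed25519.PublicKey{"STS1": fp.Pub}, "RP", now)
	fmt.Printf("RP sees subject=%q issuer=%q extra=%v err=%v\n", c.Subject, c.Issuer, c.Extra, err)
}
```

The RP's trust store contains only STS1's key, so presenting the user's original STS2 token directly to the RP fails even though it is validly signed; a token for a different audience and an expired token fail the same way. That is the practical content of "the RP knows the token is valid because it is digitally signed by the STS it trusts": trust is a key-to-issuer binding on the RP side plus audience and lifetime checks, not a round trip.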