Single sign on using windows identity Foundation

0
votes

Client has 2 websites(site1.com,Site2.com) & one windows application. Both website uses form authentication against user data stored in sql server database(different DB for each website). Windows application uses Windows identity(AD) to authenticate uses. And more website/application may added in near future.

Client want to implement Single sign on for their all application. They want to build up SSO service as a component that can be plug in in any website/application with less afford.

As all website/application have their own user stored how we can develop a SSO component using WIF. I have read about WIF but could not identity responsibility of each individual website/application and SSO service. How to use SAML in STS.

Please suggest me best way to do it & any good link to read on.

Thanks, @Paul

2
c#single-sign-onwifsaml
so many acronyms in replies - LP13

2 Answers

0
votes

The normal STS for WIF is ADFS. That supports SAML. WIF itself does not support SAML.

ADFS uses AD for authentication - not a DB.

To use a DB, have a look at IdentityServer.

0
votes

A normal SSO scenario will include an implementation of a passive federation, that means you will have an STS that will have an authentication mechanism, be it forms or any other, that passive provider can have multiple Claim stores that will be used by different RP's. Each of your sites then become RP's to your Federation Provider which will issue you with SAML tokens. In simple steps, user comes into site one and tries to access a protected resource, the user is redirected to the FP if they are not authenticated, the FP issues a SAML token back to the calling RP and the user is allowed to access that resource. the user then clicks onto Site 2, which is an RP to the same FP, with the token issued, there is only a verification process once off on the token to issue a cookie and the user can access site 2 also and back to site one without need to reauth everytime.

Hope this helps but don't hesitate to post further should not require additional information.