StarterSTS Documentation

Customizing StarterSTS with internal providers

StarterSTS uses a number of internal "mini" providers to componentize the work. These providers abstract away the details in the following areas: certificate loading, providing claims and display tokens, relying party management and mapping of user credentials.

Below you'll find a description of every provider and information on how to customize them.

Overview

Every provider feature consists of the following pieces: an abstract base class that a custom implementation derives from, remarks on what the implementation must honour (where applicable), and a registration entry in starterSTS.config that names the custom type.

Certificate provider

The certificate provider encapsulates the details of how the certificates the STS needs are loaded. The default implementation loads certificates using the certificateReferences configuration section.

Base Class

public abstract class CertificateProviderBase
{
    public abstract X509Certificate2 Get(string name);
}

Remarks

The Get method must be able to resolve the well-known names SigningCertificate, SSL and BridgedSigningCertificate. A custom implementation should throw for a name it cannot resolve rather than return null: a missing signing certificate must stop token issuance, not surface later as an obscure failure.

Registration

Specify the type that implements the custom provider in the certificateProvider attribute in starterSTS.config.
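As an added example (not part of StarterSTS or its documentation), a custom certificate provider that resolves the three well-known names to certificates in the LocalMachine\My store by thumbprint. The class name and the thumbprints are placeholders; the registration attribute value in the usage note assumes the usual .NET assembly-qualified type name, which this page does not spell out.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Hypothetical provider: resolves well-known names to store certificates by thumbprint.
public class ThumbprintCertificateProvider : CertificateProviderBase
{
    // Placeholder thumbprints (constructed); a real implementation reads these from configuration.
    private static readonly Dictionary<string, string> Thumbprints =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "SigningCertificate",        "0123456789ABCDEF0123456789ABCDEF01234567" },
            { "SSL",                       "89ABCDEF0123456789ABCDEF0123456789ABCDEF" },
            { "BridgedSigningCertificate", "FEDCBA9876543210FEDCBA9876543210FEDCBA98" },
        };

    public override X509Certificate2 Get(string name)
    {
        string thumbprint;
        if (string.IsNullOrEmpty(name) || !Thumbprints.TryGetValue(name, out thumbprint))
        {
            // Fail loudly: returning null would let the STS continue without a key.
            throw new ArgumentException("No certificate is configured for '" + name + "'.", "name");
        }

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // Look up by thumbprint, not by subject name: the subject is whatever the issuer
            // put into it, the thumbprint pins exactly one certificate. validOnly is false so
            // that an expired certificate is reported by the explicit check below instead of
            // silently being "not found".
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count != 1)
            {
                throw new InvalidOperationException("Expected exactly one certificate with thumbprint "
                    + thumbprint + " for '" + name + "', found " + matches.Count + ".");
            }

            var certificate = matches[0];
            var now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
            {
                throw new InvalidOperationException("Certificate for '" + name + "' is outside its validity period.");
            }

            // The STS signs tokens with the signing certificate, so a private key must be present.
            // Checking here surfaces a wrongly imported (public-only) certificate at startup
            // instead of at the first token request.
            if (string.Equals(name, "SigningCertificate", StringComparison.OrdinalIgnoreCase)
                && !certificate.HasPrivateKey)
            {
                throw new InvalidOperationException("The signing certificate has no private key.");
            }

            return certificate;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Registration would then name the type in the certificateProvider attribute, for example certificateProvider="MyNamespace.ThumbprintCertificateProvider, MyAssembly" (assembly-qualified form assumed). The worker process account additionally needs read access to the private key of the signing certificate; HasPrivateKey only tells you the key exists, not that the account can use it.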

Claims provider

The claims provider encapsulates the compilation of claim metadata and claim values. It has three jobs: producing the claims for an authenticated user (GetClaims), listing the claim types the STS offers so that they can be published as metadata (GetDisplayClaims), and building the human-readable display token for an issued identity (GetDisplayToken).

Base Class

public abstract class ClaimsProviderBase
{
    public abstract IClaimsIdentity GetClaims(PolicyOptions options, IClaimsPrincipal principal);
    public abstract List<DisplayClaim> GetDisplayClaims();
    public abstract DisplayToken GetDisplayToken(string requestedDisplayTokenLanguage, IClaimsIdentity subject);
}

Registration

Specify the type that implements the custom provider in the claimsProvider attribute in starterSTS.config.
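As an added example (not part of StarterSTS), a claims provider backed by a constructed in-memory user directory. It assumes the WIF 1.0 types: IClaimsIdentity, ClaimsIdentity, Claim and ClaimTypes from Microsoft.IdentityModel.Claims, and DisplayClaim/DisplayToken from Microsoft.IdentityModel.Protocols.WSIdentity with the constructor shapes used below; PolicyOptions is not described on this page, so its members are not used. The user names, roles and addresses are made up.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;                // WIF 1.0: IClaimsIdentity, ClaimsIdentity, Claim, ClaimTypes
using Microsoft.IdentityModel.Protocols.WSIdentity;  // WIF 1.0: DisplayClaim, DisplayToken (namespace assumed)

// Hypothetical provider: claims come from a constructed in-memory directory.
public class DirectoryClaimsProvider : ClaimsProviderBase
{
    // Constructed sample data standing in for a real directory or database.
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Users", "Administrators" } },
            { "bob",   new[] { "Users" } },
        };

    private static readonly Dictionary<string, string> EmailByUser =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", "alice@example.com" },
            { "bob",   "bob@example.com" },
        };

    public override IClaimsIdentity GetClaims(PolicyOptions options, IClaimsPrincipal principal)
    {
        // The subject is whoever the STS authenticated, never a name taken from the token request.
        var caller = principal == null ? null : principal.Identity as IClaimsIdentity;
        if (caller == null || !caller.IsAuthenticated || string.IsNullOrEmpty(caller.Name))
            throw new InvalidOperationException("Claims can only be issued for an authenticated user.");

        var claims = new List<Claim> { new Claim(ClaimTypes.Name, caller.Name) };

        string[] roles;
        if (RolesByUser.TryGetValue(caller.Name, out roles))
            claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        string email;
        if (EmailByUser.TryGetValue(caller.Name, out email))
            claims.Add(new Claim(ClaimTypes.Email, email));

        // 'options' is deliberately not inspected: PolicyOptions is not described on this page.
        // A real provider would use it to trim the claims to what the relying party may see.
        return new ClaimsIdentity(claims, caller.AuthenticationType);
    }

    // The claim types this STS offers; display values are left empty for metadata.
    public override List<DisplayClaim> GetDisplayClaims()
    {
        return new List<DisplayClaim>
        {
            new DisplayClaim(ClaimTypes.Name,  "Name",   "Account name of the user"),
            new DisplayClaim(ClaimTypes.Role,  "Role",   "Application roles of the user"),
            new DisplayClaim(ClaimTypes.Email, "E-mail", "E-mail address of the user"),
        };
    }

    // Human-readable view of the issued identity; only announced claim types are shown.
    public override DisplayToken GetDisplayToken(string requestedDisplayTokenLanguage, IClaimsIdentity subject)
    {
        if (subject == null)
            throw new ArgumentNullException("subject");

        var language = string.IsNullOrEmpty(requestedDisplayTokenLanguage)
            ? "en-us"
            : requestedDisplayTokenLanguage;
        var templates = GetDisplayClaims().ToDictionary(d => d.ClaimType, d => d);

        var displayClaims = new List<DisplayClaim>();
        foreach (var claim in subject.Claims)
        {
            DisplayClaim template;
            if (!templates.TryGetValue(claim.ClaimType, out template))
                continue; // claim types not declared above are not echoed back to the browser
            displayClaims.Add(new DisplayClaim(claim.ClaimType, template.DisplayTag, template.Description, claim.Value));
        }

        return new DisplayToken(language, displayClaims); // two-argument constructor assumed
    }
}
```

The important design point is in GetClaims: the subject of the issued identity is taken from the principal the STS authenticated, and role and e-mail values come from the provider's own store, so nothing in the token request can influence which claims are issued.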

Relying Party provider

This provider encapsulates the details of how relying parties are stored and how their information is retrieved at runtime. The provider has a single method that returns true together with the RelyingParty object when a relying party is registered for the given realm, and false otherwise.

Base Class

public abstract class RelyingPartyProviderBase
{
    public abstract bool TryGet(string realm, out RelyingParty relyingParty);
}

Registration

Specify the type that implements the custom provider in the relyingPartyProvider attribute in starterSTS.config.
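As an added example (not StarterSTS code), a relying party provider that keeps registrations in memory keyed by realm. The page does not describe the members of RelyingParty, so the objects are built by the caller and only stored here; the class name and the normalization rules are my own.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical provider: relying parties registered in memory, keyed by normalized realm.
public class InMemoryRelyingPartyProvider : RelyingPartyProviderBase
{
    private readonly Dictionary<string, RelyingParty> _byRealm =
        new Dictionary<string, RelyingParty>(StringComparer.Ordinal);

    public InMemoryRelyingPartyProvider(IDictionary<string, RelyingParty> registrations)
    {
        foreach (var entry in registrations)
        {
            var key = NormalizeRealm(entry.Key);
            if (key == null)
                throw new ArgumentException("Realm is not an absolute URI: " + entry.Key);
            if (_byRealm.ContainsKey(key))
                throw new ArgumentException("Realm registered twice: " + entry.Key);
            _byRealm.Add(key, entry.Value);
        }
    }

    public override bool TryGet(string realm, out RelyingParty relyingParty)
    {
        relyingParty = null;
        var key = NormalizeRealm(realm);
        if (key == null)
            return false;

        // Exact match only. The realm decides which relying party the token is issued for,
        // so a prefix or "starts with" comparison would also accept requests from
        // https://app.example.com.attacker.test/ or from an unregistered path on the same host
        // when https://app.example.com/ is the registered realm.
        return _byRealm.TryGetValue(key, out relyingParty);
    }

    // Realms are URIs (URLs in WS-Federation, URNs in some deployments). For http(s) URLs the
    // scheme and authority are case-insensitive and are lowercased; path and query are compared
    // as given. Other absolute URIs are compared verbatim. Anything else is rejected.
    private static string NormalizeRealm(string realm)
    {
        Uri uri;
        if (string.IsNullOrEmpty(realm) || !Uri.TryCreate(realm.Trim(), UriKind.Absolute, out uri))
            return null;

        if (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps)
            return uri.Scheme + "://" + uri.Authority.ToLowerInvariant() + uri.PathAndQuery;

        return uri.OriginalString.Trim();
    }
}
```

Whatever store replaces the dictionary (database, config file), keep the lookup an equality test on the normalized realm; the realm is the only thing that ties an incoming request to a registration.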

User mappings provider

This provider encapsulates the mapping from a client certificate thumbprint to a user name (and vice versa), used when users authenticate with client certificates.

Base Class

public abstract class UserMapperBase
{
    public abstract bool TryGetUserNameFromThumbprint(string thumbprint, out string userName);
    public abstract bool TryGetThumbprintsForUser(string userName, out List<string> thumbprints);
}

Registration

Specify the type that implements the custom provider in the userMapper attribute in starterSTS.config.
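As an added example (not StarterSTS code), an in-memory user mapper. The class name, the Add method and the normalization rules are my own. Note that the mapper only identifies a user: it must only ever be consulted with the thumbprint of a client certificate the STS has already validated (chain to a trusted issuer, validity period, revocation), because the mapping itself proves nothing about who presented the certificate.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Hypothetical mapper: thumbprint <-> user name, both directions kept in memory.
public class InMemoryUserMapper : UserMapperBase
{
    private readonly Dictionary<string, string> _userByThumbprint =
        new Dictionary<string, string>(StringComparer.Ordinal);
    private readonly Dictionary<string, List<string>> _thumbprintsByUser =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);

    // Registers a certificate for a user. A thumbprint may belong to exactly one user:
    // if it could map to several, the STS would have to guess whose identity to issue.
    public void Add(string userName, string thumbprint)
    {
        if (string.IsNullOrEmpty(userName))
            throw new ArgumentException("User name is required.", "userName");
        var key = NormalizeThumbprint(thumbprint);
        if (key == null)
            throw new ArgumentException("Not a SHA-1 thumbprint: " + thumbprint, "thumbprint");

        string existing;
        if (_userByThumbprint.TryGetValue(key, out existing))
        {
            if (!string.Equals(existing, userName, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Thumbprint " + key + " is already mapped to " + existing + ".");
            return; // same user registered twice: harmless
        }

        _userByThumbprint.Add(key, userName);
        List<string> list;
        if (!_thumbprintsByUser.TryGetValue(userName, out list))
        {
            list = new List<string>();
            _thumbprintsByUser.Add(userName, list);
        }
        list.Add(key);
    }

    public override bool TryGetUserNameFromThumbprint(string thumbprint, out string userName)
    {
        userName = null;
        var key = NormalizeThumbprint(thumbprint);
        return key != null && _userByThumbprint.TryGetValue(key, out userName);
    }

    public override bool TryGetThumbprintsForUser(string userName, out List<string> thumbprints)
    {
        thumbprints = null;
        List<string> list;
        if (string.IsNullOrEmpty(userName) || !_thumbprintsByUser.TryGetValue(userName, out list))
            return false;
        thumbprints = new List<string>(list); // copy: callers must not be able to edit the mapping
        return true;
    }

    // A thumbprint is the SHA-1 hash of the DER-encoded certificate, i.e. 40 hex digits.
    // Values pasted from the certificate MMC snap-in carry spaces and sometimes an invisible
    // leading character, so everything that is not a hex digit is dropped and the result is
    // compared in upper case. Anything that does not come out at exactly 40 digits is rejected
    // instead of being matched on a best-effort basis.
    private static string NormalizeThumbprint(string thumbprint)
    {
        if (string.IsNullOrEmpty(thumbprint))
            return null;
        var sb = new StringBuilder(40);
        foreach (var c in thumbprint.ToUpperInvariant())
        {
            if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'F'))
                sb.Append(c);
        }
        return sb.Length == 40 ? sb.ToString() : null;
    }
}
```

The normalization runs on both the stored and the looked-up value, so "ab cd ..." pasted into configuration and the "ABCD..." string the runtime computes from the presented certificate compare equal; the 40-digit check is what keeps a truncated or mistyped configuration entry from silently never matching.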