StarterSTS Documentation

Overview & Architecture

Starter STS is a compact, easy to use security token service built with the Windows Identity Foundation. The authentication and attribute store that is completely based on the ASP.NET provider infrastructure. The idea behind this project was to create a sample STS that incorporates the common (and best) practices as well as the learned lession in STS design from the past years.

Disclaimer Though you could use StarterSTS directly as a production STS, be aware that this was not the design goal. StarterSTS did not go through the same testing or quality assurance process as a "real" product like ADFS2 did. StarterSTS is also lacking all kinds of enterprisy features like configuration services, proxy support or operations integration.

The main goal of StarterSTS is to give you a learning tool for building non-trivial security token services. Another common scenario is to use StarterSTS in a development environment.

High-level features

• Active and passive security token service
• Supports WS-Federation, WS-Trust, SAML 1.1/2.0 tokens and Information Cards
• Supports username/password and client certificate authentication
• Based on standard ASP.NET membership, roles and profile infrastructure
• Control over security policy (SSL, encryption, SOAP security) without having to touch WIF/WCF configuration directly
• Automatic generation of WS-Federation metadata for federating with relying parties and other STSes

StarterSTS consists of three conceptual parts.

Endpoints

StarterSTS supports various endpoints through which you can request tokens.

• WS-Federation Passive Profile for web applications
• WS-Trust for SOAP based appplications
• WS-Metadata and Federation Metadata
• Simple HTTP based endpoint for lightweight clients
• Conversion of OpenID logons to WS-Federation/SAML tokens

Security policy and policy engine

Various configuration settings define the security policy of the token service.

• Certificates used for signing and transport security
• Relying party registration
• Client authentication methods
• Evaluation of request parameters against security configuration

User and Claims Store

All back-end stores in StarterSTS are based on the standard ASP.NET provider infrastructure.

• Membership is used to authenticate users and to create name and email claims
• Roles is used to create role claims
• Profile is used to create additional user specific claims (either pre-populated or in self-service)