Looking for a secure and robust STS implementation

I am faced with a project that uses custom authentication via a WCF service that returns a set of claims based on some data identifying a user, close to user name and password. Then on top of this, I have a custom STS, derived from Microsoft.IdentityModel.SecurityTokenService, that resides in an ASP.NET web site project. This project looks like it was created with the VS2010 template, and not carefully hand-crafted.

My gut feeling, and lots of on-line advice, tell me that this web site STS project is very far from production ready. I am now looking for an MVC-based STS that I can use in anticipation of being production ready. Thinktecture's IdentityServer looks promising, but it is so much more than simply implementing a custom derivation of SecurityTokenService that I have no idea where to start. If somebody could steer me toward an open project or walk-through that does this, or offer some guidance as to where and how I can start extending or modifying Identity Server, that would be great.

Rupe answered 25/11, 2014 at 6:25 Comment(0)

Have you looked at the MSDN article by Michele Leroux Bustamante?

It's a little old and based on WCF, but it has code accompanying it.

Building A Custom Security Token Service

If you want an ASP.NET-based example, Microsoft published this: ASP.NET Security Token Service Web Site

There's also this STS project on CodePlex.

Saccharo answered 3/12, 2014 at 21:34 Comment(0)

Have you looked at Thinktecture.IdentityServer v3? I'm using it at the moment and it is very simple to use. It is still in Beta but RTM will be available soon. It has good documentation and samples too.

https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started

https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki

Update: Identity Server 4 is also available. It supports cross-platform deployment with .NET Core. https://github.com/IdentityServer/IdentityServer4/

Leu answered 28/11, 2014 at 0:32 Comment(4)
Thanks. I do mention above that I have looked at IdSvr v3, but it is a bit harder than v2 to use, in that it has no admin UI etc. And it's way more than I need, but I might get back to it later. - Rupe

At the moment I'm using IdentityManager (github.com/thinktecture/Thinktecture.IdentityManager) for user management. You are correct about the limitations of the admin UI. Hopefully it will get better with RTM. - Leu

This is the thing. All my user management etc. is external - I only need a secure token, which is why I think IdSvr is some overkill. - Rupe

github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/… can be used with an external user management system. Sorry, I'm only familiar with Idsrv, so I'm not sure if this really helps you. - Leu