http://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660I agree. I wasted way too much time myself learning about WS-Trust and STSs and trying to hack sample code to make it work before I finally gave up. I find it frustrating that Microsoft provides an STS in the cloud for you to use, but doesn't give you the source code to a fully-functional STS to study, modify, and use. I also couldn't find any good answers to making WCF federated security work well with queuing and occasionally-connected smart clients. http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment7http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment7Tue, 26 Feb 2008 23:08:51 GMTYes, with WCF v1 (in .NET 3.0), Federation can get complex. If you just want to consume a WS-Federation service, or expose such a service, it's actually pretty straight-forward (just use the wsFederationHttpBinding). However, if you want to create an STS, it get's complicated fast. The same holds true if you want to implement a custom protocol, or similar. The SDK comes with quite a few samples that should ease your pain a bit. Still, the WCF team has realised that it could be simpler, and it's my understanding that it will become simpler in future releases. If this subject interests you, you should keep an eye on Vittorio's blog: http://blogs.msdn.com/vbertocci/default.aspx Right now, this stuff is complex for a number of reasons. One of them has to do with open standards compliance; another with the myriad of extensibility points in WCF. In any case: Don't be afraid of the XML! With WCF, everything you can put in your app.config file, you can also express imperatively in code. As an agile developer, you really have to love WCF, but I grant that Federation isn't the simplest scenario to start out with :) http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment6http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment6Tue, 26 Feb 2008 22:56:29 GMTthat is right, last year I got i working by creating a security provider. After that my custom security token was accepted without a flaw. Dont stop while you're close ! regards http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment5http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment5Tue, 26 Feb 2008 20:39:12 GMTYitzchok, That is actually pretty easy. Create an security provider and run from there. http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment4http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment4Tue, 26 Feb 2008 09:41:15 GMTCouldn't agree more. We actually got federated security working with a custom token and good grief...it's a mess. Delicate, brittle house of cards - slight breath of air and the whole thing comes tumbling down... I've asked *why* we need to go this route and I hear "best practices" in response. If I need to do single sign-on with a third party then yeah, the whole federated thing can be stitched in via configuration, but if it's within my own app...WTF - don't need it. Already have message / transport level security - what the hell does the rest of it buy you except a bunch of mindless complexity... http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment3http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment3Tue, 26 Feb 2008 06:32:17 GMTWhat about getting Rino Security working nice with WCF? 200 lines of XML (I am getting dizzzzzzy) http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment2http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment2Tue, 26 Feb 2008 05:42:48 GMTIs WCF a layer on top of WS-Deathstar to make it more complicated? http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment1http://ayende.com/3166/wcf-federated-security-and-custom-authentication-token-oh-my#comment1Tue, 26 Feb 2008 05:23:36 GMT