Straight from Microsoft this is what the Windows Identity Foundation is:

Windows Identity Foundation helps .NET developers build claims-aware applications
that externalize user authentication from the application, improving developer productivity,
enhancing application security, and enabling interoperability. Developers can enjoy
greater productivity, using a single simplified identity model based on claims. They
can create more secure applications with a single user access model, reducing custom
implementations and enabling end users to securely access applications via on-premises
software as well as cloud services. Finally, they can enjoy greater flexibility in
application development through built-in interoperability that allows users, applications,
systems and other resources to communicate via claims.

In other words it is a method for centralizing user Identity information, very much
like how the Windows Live and OpenID systems work.  The system is reasonably
simple.  I have a Membership data store that contains user information. 
I want (n) number of websites to use that membership store, EXCEPT I don’t want each
application to have direct access to membership data such as passwords.  The
way around it is through claims.

In order for this to work you need a central web application called a Secure Token
Service (STS).  This application will do authentication and provide a set of
available claims.  It will say “hey! I am able to give you the person’s email
address, their username and the roles they belong to.
”  Each of those pieces
of information is a claim.  This message exists in the application’s Federation

So far you are probably saying “yeah, so what?”

What I haven’t mentioned is that every application (called a Relying Party) that uses
this central application has one thing in common: each application doesn’t have to
handle authentication – at all.  Each application passes off the authentication
request to the central application and the central application does the hard work. 
When you type in your username and password, you are typing it into the central application,
not one of the many other applications.  Once the central application authenticates
your credentials it POST’s the claims back to the other application.  A diagram
might help:


Image borrowed from the Identity Training kit (

The key takeaway is that only one single application does authentication.  Everything
else just redirects to it.  So lets actually see what it takes to authenticate
against an STS (central application).  In future posts I will go into detail
about how to create an STS as well as how to use Active Directory Federation Services,
which is an STS that authenticates directly against (you guessed it) Active Directory.

First step is to install the Framework and SDK.



The SDK will install sample projects and add two Visual Studio menu items under the
Tools menu.  Both menu items do essentially the same thing, the difference being
that “Add STS Reference” pre-populates the wizard with the current web application’s

Once the SDK is installed start up Visual Studio as Administrator.  Create a
new web application.  Next go to the Properties section and go into the Web section. 
Change the Server Settings to use IIS.  You need to use IIS.  To
install IIS on Windows 7 check out this post


So far we haven’t done anything crazy.  We’ve just set a new application to use
IIS for development.  Next we have some fun.  Let’s add the STS Reference.

To add the STS Reference go to Tools > Add Sts Reference… and fill out the initial


Click next and it will prompt you about using an HTTPS connection.  For the sake
of this we don’t need HTTPS so just continue.  The next screen asks us about
where we get the STS Federation Metadata from.  In this case I already have an
STS so I just paste in the URI:


Once it downloads the metadata it will ask if we want the Token that the STS sends
back to be encrypted.  My recommendation is that we do, but for the sake of this
we won’t.


As an aside: In order for the STS to encrypt the token it will use a public key to
which our application (the Relying Party) will have the private key.  When we
select a certificate it will stick that public key in the Relying Party’s own Federation
Metadata file.  Anyway… When we click next we are given a list of available Claims
the STS can give us:


There is nothing to edit here; it’s just informative.  Next we get a summary
of what we just did:


We can optionally schedule a Windows task to download changes.

We’ve now just added a crap-load of information to the *.config file.  Actually,
we really didn’t.  We just told ASP.NET to use the Microsoft.IdentityModel.Web.WSFederationAuthenticationModule
to handle authentication requests and Microsoft.IdentityModel.Web.SessionAuthenticationModule
to handle session management.  Everything else is just boiler-plate configuration. 
So lets test this thing:

  1. Hit F5 – Compile compile compile compile compile… loads up http://localhost/WebApplication1
  2. Page automatically redirects to (notice
    the variables we’ve passed?)
  3. Type in our username and password…
  4. Redirect to http://localhost/WebApplication1
  5. Yellow Screen of Death

Wait.  What?  If you are running IIS 7.5 and .NET 4.0, ASP.NET will probably
blow up.  This is because the data that was POST’ed back to us from the STS had
funny characters in the values like angle brackets and stuff.  ASP.NET does not
like this.  Rightfully so, Cross Site Scripting attacks suck.  To resolve
this you have two choices:

  1. Add <httpRuntime requestValidationMode="2.0" /> to your web.config
  2. Use a proper RequestValidator that can handle responses from Token Services

For the sake of testing add <httpRuntime requestValidationMode="2.0"
/> to the web.config and retry the test.  You should be redirected to http://localhost/WebApplication1 and
no errors should occur.

Seems like a pointless exercise until you add a chunk of code to the default.aspx
page. Add a GridView and then add this code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Threading;
using System.IdentityModel;
using System.IdentityModel.Claims;
using Microsoft.IdentityModel.Claims;

namespace WebApplication1
    public partial class _Default : System.Web.UI.Page
        protected void Page_Load(object sender, EventArgs e)
            IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)(Thread.CurrentPrincipal)).Identities[0];

            GridView1.DataSource = claimsIdentity.Claims;

Rerun the test and you should get back some values.  I hope some light bulbs
just turned on for some people :)


Join the conversation