Confused about STS and WIF

Published 2019-07-15 21:09

Question:

I am building 3 new websites and want to use WIF 4.5 for SSO across these 3 different domains. I have read tons of material about WIF; while I understand the principles and purpose of WIF, I am still very confused about how it works in real life. Please help me understand the following questions, many thanks.

All my sites will be hosted using shared hosting services.

  1. Everyone is saying that there's no need to build your own STS, but if that's the case, where can I find external services I can use to sign in my users, and what about a normal user registration interface for new users? And what about my existing users?

  2. If I only need to build claims-based web applications, where do I get user identities from in a real production environment? Do I have to pay them, or do they need to go through my sites to approve them?

  3. Is it correct that it's no longer possible to let users register on my websites if I use an STS?

  4. Do I need to enable SSL and buy X.509 certs for all my sites if I want them to be claims-based websites?

  5. I want to have a shared user database to store all our users, old and new. Does that mean I have to build my own STS?

  6. What exactly does it take to build my own STS? Can I pick one of my websites to be the STS provider for my own websites?

  7. What does it take, and cost, to build an STS? Like SSL, certs, other stuff?

  8. Can I enable social sign-in like Facebook/Google/Yahoo if my sites are claims-based?

Thank you guys.

Answer 1:

  1. You definitely CAN write your own STS.
  2. You can allow your users to register in your STS, or federate with an external identity provider (Google/Facebook).
  3. No, an STS is just an ASP.NET web app; users CAN register there.
  4. No, although SSL is recommended when usernames/passwords are involved.
  5. No, you can use an existing STS like IdentityServer, which allows you to use a custom MembershipProvider against your own database: http://thinktecture.github.io/
  6. Yes. http://netpl.blogspot.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
  7. X.509 certs for token signing can be created with free tools like Portecle or makecert.
  8. Yes.
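
To make the mechanics behind points 3, 5 and 7 concrete, here is an added illustration (not code from the question or the answers, and not WIF itself, which is a .NET library): a small Go program, written here as an illustration, that plays both roles. The STS side generates a self-signed X.509 signing certificate in memory (the role makecert fills) and issues a signed claims token scoped to one site. The relying-party side, one of the three websites, is configured with nothing but its own audience URI and the thumbprints of the certificates it trusts, and checks signature, issuer, audience and lifetime in the order a WIF token handler does. The issuer name sts.example.com, the site URIs and the user claims are placeholders constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Token is the body the STS signs: what a relying party checks on a SAML token
// (issuer, audience/AppliesTo, validity window) plus the claims themselves.
type Token struct {
	Issuer    string            `json:"issuer"`
	Audience  string            `json:"audience"`
	NotBefore int64             `json:"nbf"`
	Expires   int64             `json:"exp"`
	Claims    map[string]string `json:"claims"`
}
// SignedToken: serialized Token, signature, and signing-cert thumbprint (KeyInfo).
type SignedToken struct {
	Payload, Signature []byte
	KeyID              string
}
// STS holds the signing key and the self-signed X.509 cert the sites trust.
type STS struct {
	key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// Thumbprint is the SHA-1 of the DER cert, the key of a WIF issuer name registry.
func Thumbprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha1.Sum(cert.Raw))
}

// NewSTS makes a 2048-bit key and self-signed signing cert (what makecert produces).
func NewSTS(name string) (*STS, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name}, // placeholder issuer name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &STS{key: key, Cert: cert}, err
}

// Issue signs a token scoped to one relying party (audience) and one lifetime.
func (s *STS) Issue(audience string, claims map[string]string, now time.Time, ttl time.Duration) (*SignedToken, error) {
	payload, err := json.Marshal(Token{Issuer: s.Cert.Subject.CommonName, Audience: audience,
		NotBefore: now.Unix(), Expires: now.Add(ttl).Unix(), Claims: claims})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	return &SignedToken{Payload: payload, Signature: sig, KeyID: Thumbprint(s.Cert)}, err
}

// RelyingParty is one website: its audience URI plus trusted issuer certs by thumbprint.
type RelyingParty struct {
	Audience       string
	TrustedIssuers map[string]*x509.Certificate
}

// Validate runs, in order, the checks a token handler makes before the claims
// become the user's identity; the payload is not parsed until the signature verifies.
func (rp *RelyingParty) Validate(st *SignedToken, now time.Time) (map[string]string, error) {
	cert, t := rp.TrustedIssuers[st.KeyID], Token{}
	switch {
	case cert == nil:
		return nil, fmt.Errorf("untrusted signing certificate %s", st.KeyID)
	case cert.CheckSignature(x509.SHA256WithRSA, st.Payload, st.Signature) != nil:
		return nil, fmt.Errorf("signature check failed")
	case json.Unmarshal(st.Payload, &t) != nil:
		return nil, fmt.Errorf("malformed token payload")
	case t.Issuer != cert.Subject.CommonName:
		return nil, fmt.Errorf("issuer %q does not match the signing certificate", t.Issuer)
	case t.Audience != rp.Audience:
		return nil, fmt.Errorf("token was issued for %q, not this site", t.Audience)
	case now.Unix() < t.NotBefore || now.Unix() >= t.Expires:
		return nil, fmt.Errorf("token is outside its validity window")
	}
	return t.Claims, nil
}
```

To exercise it, create one STS with NewSTS, build a RelyingParty per site whose TrustedIssuers map contains Thumbprint(sts.Cert), call Issue with that site's audience, and hand the result to Validate. A token issued for site1 is rejected by site2 (audience), after its lifetime (exp), with an edited claim (signature), and when signed by a second STS that happens to use the same name but a different certificate (thumbprint lookup). That last case is the point of the answer's item 7: what the sites trust is the signing certificate, not the issuer's name, which in WIF is what the thumbprint entries under trustedIssuers and the audienceUris list in the relying party's configuration express. Nothing here stores or checks a password; where the user actually authenticates (a form on the STS, a membership database, or Google/Facebook behind it) is the STS's business alone.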


Answer 2:

Microsoft has the Access Control Service (ACS), which supports Windows Live ID, Google, Yahoo!, and Facebook logins. Unless you need the option for users to register accounts at your site, that might be a good option.



Answer 3:

If you want a (1) free solution as an STS or (2) want to have your own Id store, Thinktecture's identity server is the way to go.

I have written some tutorials on how to do it.

http://claudioasanchez.blogspot.com/2011/09/setting-up-thinktectures-identity.html