Windows Identity Foundation does not officially su

2020-05-28 10:39发布

问题:

We would like to use SAML 2.0 for a Single Sign On solution. As a typical Microsoft shop, we prefer to use Microsoft components as much as possible. Windows Identity Foundation supports SAML 2.0, but the extension is still in Community Technology Preview (CTP) for more than a year, with no information anywhere on future course. See http://blogs.msdn.com/b/alikl/archive/2011/05/16/windows-identity-foundation-wif-extension-for-saml-2-0-protocol-community-technology-preview-ctp.aspx

I came across an inspiring article by Michèle Bustamante: http://www.devproconnections.com/article/federated-security/generate-saml-tokens-using-windows-identity-foundation She actively promotes WIF + SAML 2.0, but nowhere in the article she talks about CTP or final release. Neither could I reach her for a clarification.

With this background, is it safe to use WIF Community Technology Preview for SAML 2.0 or stick with SAML 1.1? Does SAML 2.0 offer significant advantage over SAML 1.1? Is the future of SAML 1.1 in question?

Any other alternatives?

回答1:

You should clarify whether you're talking about SAML 2.0 protocol (e.g SAMLP) or just the token type. WIF RTM supports SAML 2.0 tokens, but not SAMLP.

So if it's just SAML 2.0 token support you need, WIF RTM is sufficient, though WIF extensions CTP does add some SAMLP support.

If you're looking for a SAMLP solution and you're a Microsoft shop then you should consider ADFS 2.0.

ADFS 2.0 would do "protocol transition": it will talk SAMLP with the Identity Provider and WS-Federation with your app (both use SAML "Tokens"). WIF supports WS-Federation.



回答2:

Take a look at Identity Server which is a STS that does use SQL Server for authentication. You can easily federate this with ADFS.

From what I remember about reading the licence agreement for the CTP release, it's just out there for comment - you can't use it e.g. in a Production environment.

As per @Eugenio, WIF only supports WS-Federation.

How were you intending to "stick with SAML 1.1"?

Update: What I suggest is that you use Identity Server to do the authentication against the DB. Your WIF applications are bound using FedUtil to Identity Server. You then federate Identity Server with ADFS. Your external parties use SAML to talk to ADFS and ADFS will handle the plumbing to enable them to authenticate with the Identity Server DB.

Note that WIF doesn't support SAML at all.