Looking for a secure and robust STS implementation

484 views Asked by At

I am faced with a project that uses custom authentication via a WCF service that returns a set of claims based on some data identifying a user, close to user name and password. Then on top of this, I have a custom STS, derived from Microsoft.IdentityModel.SecurityTokenService, that resides in an ASP.NET web site project. This project looks like it was created with the VS2010 template, and not carefully had-crafted.

My gut feeling, and lots of on-line advice tell me that this web site STS project is very far from production ready. I am now looking for an MVC based STS that I can use in anticipation of being production ready. TinkTecture's IdentityServer looks promising, but it is so much more than simply implementing a custom derivation of SecurityTokenService, I have no idea where to start. If somebody could steer me toward an open project or walk-through that does this, or offer some guidance as to where and how I can start extending or modifying Identity Server, that would be great.

2

There are 2 answers

0
MvdD On BEST ANSWER

Have you looked at the MSDN article by Michele Leroux Bustamante?

It's a little old and based on WCF, but it has code accompanying it.

Building A Custom Security Token Service

If you want ASP.NET based example, Microsoft published this: ASP.NET Security Token Service Web Site

There's also this STS project on CodePlex.

4
rawel On

Have you looked at Thinktecture.IdentityServer v3? I'm at the moment using it and very simple to use. It is still in Beta but RTM will be available soon. It has good documentation and samples too.

https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started

https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki

Update: Identity Server 4 is also available. It supports cross-platform deployment with .NET Core. https://github.com/IdentityServer/IdentityServer4/