What is Windows Identity Foundation?

Windows Identity Foundation (WIF) is a framework for building identity-aware applications. The framework abstracts the WS-Trust and WS-Federation protocols and presents developers with APIs for building security token services (STS) and claims-aware applications. Applications can use WIF to process tokens issued by a security token service and make identity-based decisions in the web application or web service.
WIF has the following major features:

  • Build claims-aware applications (Relying Party Applications). WIF helps developers build claims-aware applications. In addition to providing a new claims model, it provides application developers with a rich set of APIs to help make user access decisions based on claims. WIF also provides developers with a consistent programming experience whether they choose to build their applications in ASP.NET or in WCF environments. For more information, see Claims Consumer – Relying Party Applications.
  • Visual Studio Templates. WIF offers built-in Visual Studio Templates for claims-aware ASP.NET Web site and WCF Web service applications and reduces the learning curve to get familiar with the claims-based programming model. For more information, see Visual Studio Templates.
  • Easy trust establishment between claims-aware application and STS. WIF provides a utility, named FedUtil, that makes it easy to establish trust between a claims-aware application and an STS, such as Active Directory Federation Services 2.0 or a LiveID STS. FedUtil supports both ASP.NET and WCF applications. It is also integrated with Visual Studio, so it can be invoked from the Solution Explorer by right-clicking a project and choosing the “Add STS Reference” menu item, or from the Tools menu in Visual Studio. For more information, see FedUtil – Federation Utility for Establishing Trust from an RP to an STS.
  • ASP.NET Controls. ASP.NET controls simplify development of ASP.NET pages for building claims-aware Web applications. For more information, see Establishing Trust from an ASP.NET Relying Party Application to an STS using the FederatedPassiveSignIn Control.
  • Translate between claims and NT tokens. WIF includes a Windows service named Claims to Windows Token Service (c2WTS) that acts as a bridge between claims-aware applications and NT token based applications. It provides developers with an easy way to convert claims to NT-Token identity and makes it possible to access the resources that require NT-Token based identity from a claims-aware application. For more information, see Claims to Windows Token Service (c2WTS) Overview.
  • Build identity delegation support into claims-aware applications. WIF offers the capability of maintaining the identity of the original requestor across multiple service boundaries. This is achieved with the framework's “ActAs” or “OnBehalfOf” functionality, which lets developers add identity delegation support to their claims-aware applications. For more information, see Integration with IIdentity and IPrincipal and Identity Delegation Scenario.
  • Build custom security token services (STS). WIF makes it substantially easier to build a custom security token service (STS) that supports the WS-Trust protocol. Such an STS is also referred to as an Active STS.
    In addition, the framework also provides support for building an STS that supports WS-Federation to enable Web browser clients. Such an STS is also referred to as a Passive STS.
    The framework offers built-in Visual Studio Templates for building ASP.NET STSes and WCF STSes; these templates create simple STSes, and developers can extend them to implement production STSes that suit their needs. For more information, see How to: Build an ASP.NET STS and How to: Build a WCF STS.
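The access-decision API described under “Build claims-aware applications” above is usually wired in through a ClaimsAuthorizationManager. The following is an added example, not code from the original page or from the WIF documentation: a WIF 1.0 (Microsoft.IdentityModel) authorization manager that makes the decision from the claims in the principal and, the check a practitioner wants in a federation, from which issuer asserted them. The issuer name “CorpSts”, the resource and action strings, and the role name are assumptions.

```csharp
// Added example, not from the original page or the WIF documentation: a custom
// ClaimsAuthorizationManager for a WIF 1.0 (Microsoft.IdentityModel) relying party.
// The registered issuer name "CorpSts", the resource/action strings and the role
// "Approver" are hypothetical stand-ins for whatever the RP actually uses.
using System;
using System.Collections.ObjectModel;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace RelyingParty
{
    public class IssuerAwareAuthorizationManager : ClaimsAuthorizationManager
    {
        // Name under which the trusted STS is registered in the RP's IssuerNameRegistry.
        // WIF copies that registry name into Claim.Issuer for every claim in the token.
        private const string TrustedIssuer = "CorpSts";

        public override bool CheckAccess(AuthorizationContext context)
        {
            IClaimsPrincipal principal = context.Principal;
            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
                return false;

            string resource = FirstValue(context.Resource);
            string action = FirstValue(context.Action);

            // Only role claims asserted by the trusted STS count. When the RP accepts
            // tokens from several issuers (federation), a role claim minted by a partner
            // STS must not unlock resources that only the corporate STS may grant.
            string[] trustedRoles = principal.Identities
                .SelectMany(identity => identity.Claims)
                .Where(c => c.ClaimType == ClaimTypes.Role &&
                            string.Equals(c.Issuer, TrustedIssuer, StringComparison.Ordinal))
                .Select(c => c.Value)
                .ToArray();

            // Hypothetical policy: any authenticated user may read; only an "Approver"
            // asserted by the trusted STS may write purchase orders.
            if (action == "Read")
                return true;
            if (action == "Write" && resource == "PurchaseOrders")
                return trustedRoles.Contains("Approver", StringComparer.Ordinal);

            // Deny by default so an unknown resource/action pair never passes silently.
            return false;
        }

        private static string FirstValue(Collection<Claim> claims)
        {
            return claims != null && claims.Count > 0 ? claims[0].Value : string.Empty;
        }
    }
}
```

The manager is registered in web.config under `<microsoft.identityModel><service><claimsAuthorizationManager type="RelyingParty.IssuerAwareAuthorizationManager, RelyingParty" />`, and the `name` attribute of the matching `<trustedIssuers><add thumbprint="…" name="CorpSts" />` entry in the `ConfigurationBasedIssuerNameRegistry` is what appears in `Claim.Issuer`. Page or service code then asks `ClaimsPrincipalPermission.CheckAccess("PurchaseOrders", "Write")`, which throws a `SecurityException` when `CheckAccess` returns false.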

WIF supports the following major scenarios:

  • Federation. WIF makes it possible to build federation between two or more partners. Its support for building claims-aware applications (RP) and custom security token services (STS) helps developers achieve this scenario. For more information, see Federation Scenario.
  • Identity Delegation. WIF makes it easy to maintain identities across service boundaries so that developers can achieve an identity delegation scenario. For more information, see Identity Delegation Scenario.
  • Step-up Authentication. Authentication requirements for different resources within an application may vary. WIF gives developers the ability to build applications that impose incremental authentication requirements (for example: initial login with Username/Password authentication and then step-up to Smart Card authentication). For more information, see Step-Up Authentication Scenario.
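The ActAs mechanism named under “Build identity delegation support” and used by the Identity Delegation scenario above looks like this in code. The following is an added example, not code from the original page or from WIF's own samples: a WIF 1.0 (Microsoft.IdentityModel) middle-tier service obtains an ActAs token for the user who called it and presents that token to a back-end service, and the back end authorizes both the user and the actor. The STS and back-end addresses, the `IBackend` contract, the middle tier's certificate subject, the endpoint configuration name “backendEndpoint” and the role and name values are assumptions.

```csharp
// Added example, not code from the original page or from WIF's own samples.
// WIF 1.0 (Microsoft.IdentityModel) identity delegation with ActAs. Assumed and
// hypothetical: the STS and back-end addresses, the IBackend contract, the middle
// tier's certificate subject name, the client endpoint configuration named
// "backendEndpoint", and the claim values the back end compares against.
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;

[ServiceContract]
public interface IBackend
{
    [OperationContract]
    string GetRecord(string id);
}

// ---- Middle tier: runs inside the WIF-enabled WCF service the user called.
public static class DelegatingClient
{
    private const string StsAddress = "https://sts.contoso.example/trust/13/certificatemixed"; // assumed
    private const string BackendAddress = "https://backend.contoso.example/Backend.svc";       // assumed
    private const string MiddleTierCertSubject = "middletier.contoso.example";                 // assumed

    public static string GetRecordForCaller(string id)
    {
        // WIF keeps the caller's incoming token only when <service saveBootstrapTokens="true">
        // is set in <microsoft.identityModel>; otherwise BootstrapToken is null.
        var caller = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        SecurityToken callerToken = caller.BootstrapToken;
        if (callerToken == null)
            throw new InvalidOperationException("No bootstrap token; enable saveBootstrapTokens.");

        // Request a token scoped to the back end whose subject is the caller (ActAs) and
        // whose actor is this service. The STS enforces which services may act as which users.
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(BackendAddress),
            ActAs = new SecurityTokenElement(callerToken)
        };

        // This service authenticates to the STS with its own certificate.
        var stsBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        stsBinding.Security.Message.EstablishSecurityContext = false;
        var trustFactory = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsAddress))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        trustFactory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, MiddleTierCertSubject);

        var trustChannel = trustFactory.CreateChannel();
        SecurityToken actAsToken = trustChannel.Issue(rst);
        trustFactory.Close();

        // Present the issued token to the back end over its federation binding endpoint.
        var backendFactory = new ChannelFactory<IBackend>("backendEndpoint");
        IBackend backend = backendFactory.CreateChannelWithIssuedToken(actAsToken);
        return backend.GetRecord(id);
    }
}

// ---- Back end: the identity WIF builds from an ActAs token.
public class BackendService : IBackend
{
    public string GetRecord(string id)
    {
        var subject = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        // Identity is the original user; Identity.Actor is the service that requested the
        // ActAs token. Authorize both: the user must be allowed to read the record and the
        // actor must be a service permitted to act on users' behalf for this operation.
        IClaimsIdentity actor = subject.Actor;
        if (actor == null)
            throw new SecurityException("Expected a delegated (ActAs) token; direct calls are refused.");

        bool actorTrusted = actor.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Name && c.Value == "middletier.contoso.example"); // assumed actor name
        bool userAllowed = subject.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role && c.Value == "RecordReader");               // assumed role
        if (!actorTrusted || !userAllowed)
            throw new SecurityException("Delegation chain not authorized for this operation.");

        return "record " + id + " for " + subject.Name;
    }
}
```

Two points matter for security here: the STS, not the middle tier, decides whether the service's own credential may act as the caller, so the policy for ActAs lives at the STS; and the back end must inspect `Actor` rather than only the outer identity, because a token whose subject is an authorized user but whose actor is an unexpected service is exactly the case delegation was meant to make visible.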
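The Step-up Authentication scenario above (password login first, Smart Card later for a sensitive resource) can be implemented in a WIF ASP.NET relying party with the WS-Federation `wauth` and `wfresh` parameters. The following is an added example, not code from the original page or from WIF's own samples; it targets WIF 1.0 (Microsoft.IdentityModel). The required method (`AuthenticationMethods.Smartcard`), the five-minute freshness window, the page name in the usage note and the class names are assumptions.

```csharp
// Added example, not code from the original page or from WIF's own samples.
// Step-up authentication in a WIF 1.0 (Microsoft.IdentityModel) ASP.NET relying
// party. Assumed policy values: the required method passed in by the caller and
// the five-minute maximum age of the authentication event.
using System;
using System.Linq;
using System.Threading;
using System.Web;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

public static class StepUp
{
    // Oldest authentication event accepted for the sensitive page (assumed policy value).
    private static readonly TimeSpan MaxAuthenticationAge = TimeSpan.FromMinutes(5);

    // Returns true when the current session already satisfies the requirement.
    // Otherwise sends the browser back to the STS asking for the stronger method
    // and returns false so the page stops rendering.
    public static bool EnsureAuthenticationMethod(HttpContext ctx, string requiredMethod)
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity != null && identity.IsAuthenticated &&
            SatisfiedBy(identity, requiredMethod, DateTime.UtcNow))
            return true;

        WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
        SignInRequestMessage request = fam.CreateSignInRequest(
            Guid.NewGuid().ToString(), ctx.Request.Url.AbsoluteUri, false);
        // wauth asks the STS for the stronger method; wfresh=0 asks it not to satisfy the
        // request from its existing SSO session, which would otherwise defeat the step-up.
        request.AuthenticationType = requiredMethod;
        request.Freshness = "0";
        ctx.Response.Redirect(request.WriteQueryString(), true);
        return false;
    }

    // The decision is made from the claims in the token the STS actually issued, not
    // from the fact that the RP asked: wauth and wfresh are requests the STS is free to
    // ignore, so the RP verifies the outcome and fails closed on anything missing.
    public static bool SatisfiedBy(IClaimsIdentity identity, string requiredMethod, DateTime nowUtc)
    {
        bool methodOk = identity.Claims.Any(c =>
            c.ClaimType == ClaimTypes.AuthenticationMethod &&
            string.Equals(c.Value, requiredMethod, StringComparison.Ordinal));
        if (!methodOk)
            return false;

        // authenticationinstant is an xsd:dateTime; a missing or stale instant fails closed.
        Claim instant = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.AuthenticationInstant);
        if (instant == null)
            return false;
        DateTime authenticatedAt;
        try
        {
            authenticatedAt = XmlConvert.ToDateTime(instant.Value, XmlDateTimeSerializationMode.Utc);
        }
        catch (FormatException)
        {
            return false;
        }
        return nowUtc - authenticatedAt <= MaxAuthenticationAge;
    }
}
```

A sensitive page (say, a hypothetical `Approve.aspx`) calls `if (!StepUp.EnsureAuthenticationMethod(Context, AuthenticationMethods.Smartcard)) return;` at the top of `Page_Load`. After the STS issues the new token, the session cookie written by the `SessionAuthenticationModule` carries the new `authenticationmethod` and `authenticationinstant` claims, which is why the check reads them from the identity rather than remembering that a redirect was issued.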