Classic ASP and WIF
Classic ASP (as I understand it) is not really “encouraged” by Microsoft (e.g. there is no classic ASP project in VS) and essentially is a collection of asp pages that contain HTML and some kind of scripting. There’s no .config file as such.
That being the case, can classic ASP sites be integrated into WIF?
How do you “force” the application to authenticate using a STS? (There’s no .config file for FedUtil to change).
How do you approach the problem of a large customer that still has a lot of legacy classic ASP sites and wants to move to federated authentication using a STS?
P.S. There is a reference on the Internet i.e. “In IIS7 you select the URLAuthorisation Module and untick the use for managed code only setting. I have used this to protect static files and a cgi exe, so I assume it will also protect .asp files too”.
I’m still confused as to where the STS comes into this solution? How does IIS 7 know where the STS is?
The issue here is that as you are using ASP, IIS doesn't run in pipeline mode. Therefore, it won't execute the HTTPModules required by ADFS. (Or any .NET httpmodules...)
In your case, I have two ideas (both aren't pleasant, I am afraid):
- You could implement the WIF protocol in ASP. It's documented. Well, you certainly could do it, but beware of errors in your implementation, which could damage the security of your application. The bright side is that you will be able to leverage all the WIF goodies in your apps.
- You could attempt to host CGI/ASP in an IIS HttpModule, in pipeline mode. Perfs would probably decrease, and you would need to send to CGI all the required request info (and server parameters). It was the idea of this guy. I don't know if he succeeded.
The first proposition is probably the good one. Hem. Good luck, WIF isn't a trivial piece of code. (Even if understanding the protocol is not very difficult. As always, hell lies in the details)
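As an added illustration (not code from the answer above or from WIF): WIF's browser sign-in is the WS-Federation passive profile, so the part a classic ASP page would have to reproduce first is the redirect to the STS and the sanity checks on what the STS posts back. The sketch is written in JavaScript rather than ASP script; the STS URL, realm, reply URL and function names are constructed placeholders. It deliberately stops before validating the token in `wresult` (signature, issuer, audience, expiry), which is the part that needs a vetted XML-signature implementation.

```javascript
// Constructed placeholder values: replace with what is registered at your STS.
const CONFIG = {
  stsUrl: "https://sts.example.test/adfs/ls/",      // assumption: STS passive endpoint
  realm: "urn:example:legacy-asp-site",             // assumption: relying-party identifier
  replyUrl: "https://legacy.example.test/signin.asp" // assumption: page that receives the POST
};

// Build the URL an unauthenticated request is redirected to.
// `state` is a per-login random value the caller stores in the session first.
function buildSignInUrl(cfg, state) {
  const url = new URL(cfg.stsUrl);
  if (url.protocol !== "https:") throw new Error("STS endpoint must be HTTPS");
  url.searchParams.set("wa", "wsignin1.0");   // WS-Federation sign-in action
  url.searchParams.set("wtrealm", cfg.realm); // who is asking for the token
  url.searchParams.set("wreply", cfg.replyUrl);
  url.searchParams.set("wctx", state);        // echoed back unchanged by the STS
  return url.toString();
}

// Constant-time comparison so the wctx check does not leak where strings differ.
function sameString(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Check the form fields the STS posts to replyUrl before any token parsing.
// Returns the raw token only; it is still UNTRUSTED until its signature,
// issuer, audience and validity period have been verified.
function checkSignInResponse(form, expectedState) {
  if (form.wa !== "wsignin1.0") return { ok: false, reason: "unexpected wa" };
  if (!sameString(form.wctx, expectedState)) return { ok: false, reason: "wctx mismatch" };
  if (typeof form.wresult !== "string" || form.wresult.length === 0) {
    return { ok: false, reason: "missing wresult" };
  }
  return { ok: true, token: form.wresult };
}
```

Rejecting a response whose `wctx` does not match the value stored for that browser session keeps a token obtained in one login flow from being replayed into another user's session.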