Multiple Security Token Services in Windows Identity Framework

I have an asp.net mvc 3 web app that needs to support SSO from multiple STSs based on the subdomain the user requests.

So requests for https://weylandyutani.mydomain.com should trust the Weyland-Yutani STS and https://tyrell.mycomain.com should trust the Tyrell STS.

Most WIF resources talk about enabling STSes in the application's w开发者_C百科eb config. Is there an accepted way to do this dynamically without reinventing the wheel?

In scenarios like this, you would typically use an intermediate STS (referred to an "RP-STS" or "Federation Provider" that will handle all trust relationships for you. That is: your app trusts the RP-STS, then the RP-STS would trust Weyland-Yutani, Tyrell, etc.

Adding an RP-STS simplifies things quite a bit, especially if each of the identity STSs send you claims that are all different from what you require in your app. For example: Tyrell might send you "name", "lastname" and "e-mail". Weyland might send "Username", "e-mail". The RP-STS would normalize the claims set to whatever your app needs.

The way you hint the RP-STS where to redirect the user is through the whr parameter (which stands for "Home Realm"). Your app would look at the request URL and then append the whr parameter before redirecting to the RP-STS.

All the above is extensively documented in the "Federation with Multiple Partners" chapter of this book.

If you don't want to build/acquire and deploy your own RP-STS (depending on the deployment model of your app, you could use ADFS v2.0 for example), you could use Access Control Service from Windows Azure.

This other chapter explains how it would work.