How to: Build an ASP.NET STS

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

A passive STS is an STS that implements security token issuance using the WS-Federation passive protocol. In WIF, a passive STS is usually built as an ASP.NET Web site and is hosted in IIS. WIF provides the ASP.NET Security Token Service Web Site template to help you build a simple STS that can be used for evaluation. To build a production STS, you would need to consider the necessary scalability and security considerations per your business needs. Do not use the simple STS as-is in your production environment. For more information, see ASP.NET Security Token Service Web Site.


The WIF STS instancing model is per-call. This means that an STS instance is intended only for a single use: that is, you create a new instance of an STS, make the necessary method calls (such as Issue), and then clear that STS instance. If you try to use the same STS instance to call Issue across multiple token requests, rather than creating a new STS instance for each token request, the behavior is undefined.