How to: Build a WCF STS

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

An active STS is an STS that implements the WS-Trust protocol. In WIF, an active STS is built on WCF concepts and can be either self-hosted or hosted in IIS. WIF provides the WCF Security Token Service template to help you build a simple STS for evaluation. A production STS must additionally meet the scalability and security requirements of your deployment; do not use the simple STS as-is in a production environment. For more information, see WCF Security Token Service.

The WIF STS instancing model is per-call. This means that an STS instance is intended only for a single use: that is, you create a new instance of an STS, make the necessary method calls (such as Issue), and then clear that STS instance. If you try to use the same STS instance to call Issue across multiple token requests, rather than creating a new STS instance for each token request, the behavior is undefined.
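As an added illustration of the per-call rule (example code, not this page's or the WIF template's own), the following WIF 3.5 STS subclass and caller create a fresh instance for every token request and refuse to issue for audiences outside an assumed allow-list. The class, method and URI names are assumptions, and the caller assumes the configuration's SecurityTokenService property has already been set to the subclass type.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Minimal active STS for WIF 3.5. All names and URIs here are assumed placeholders.
public class SampleSecurityTokenService : SecurityTokenService
{
    // Allow-list of relying parties this STS will issue tokens for (assumed values).
    private static readonly HashSet<string> RelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "https://rp.example.test/" };

    public SampleSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    // Runs once per Issue call on this instance: decide the audience and signing credentials.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");
        string audience = request.AppliesTo.Uri.AbsoluteUri;
        if (!RelyingParties.Contains(audience))
            throw new InvalidRequestException("Unknown relying party.");
        // Signing credentials come from the configuration passed to the constructor.
        return new Scope(audience, SecurityTokenServiceConfiguration.SigningCredentials);
    }

    // Runs once per Issue call: build the claims that go into the issued token.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }
}

public static class StsHost
{
    // Per-call pattern: the configuration is built once, but each request gets a new STS.
    // Assumes config.SecurityTokenService == typeof(SampleSecurityTokenService).
    public static RequestSecurityTokenResponse IssueOnce(
        SecurityTokenServiceConfiguration config, IClaimsPrincipal caller, RequestSecurityToken rst)
    {
        SecurityTokenService sts = config.CreateSecurityTokenService(); // fresh instance
        return sts.Issue(caller, rst); // drop 'sts' here; never cache it for the next request
    }
}
```

Keeping the configuration in a field is fine; keeping the SecurityTokenService instance in one is the mistake the paragraph above warns against.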