What is an IP-STS and what is a RP-STS?

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

There are two kinds of STS: an Identity Provider STS (IP-STS) and a Relying Party STS (RP-STS).

  • An IP-STS authenticates a client using, for example, Windows integrated authentication. It creates a SAML token based on the claims provided by the client, and might add its own claims. A Relying Party application (RP) receives the SAML token and uses the claims inside to decide whether to grant the client access to the requested resource.

  • An RP-STS does not authenticate the client, but relies on a SAML token provided by an IP-STS that it trusts. Typically, an IP-STS is found in the client’s domain, whereas an RP-STS is found in the RP’s domain. This is shown in the following diagram.

[Diagram: IPSTS and RPSTS]
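A minimal model of the trust chain described above, added here as an illustration and not part of the WIF documentation or library: it stands in for SAML tokens and X.509 signing certificates with JSON bodies and HMAC keys, and all issuer names, keys and the user directory are constructed. The point it makes concrete is that the RP-STS accepts only tokens signed by the IP-STS it is configured to trust, and the RP accepts only tokens from its own RP-STS.

```python
import hashlib
import hmac
import json

# Constructed stand-in keys: each STS signs tokens with its own key. In WIF the
# trust is on the issuer's X.509 signing certificate; HMAC keeps the model short.
IP_STS_KEY = b"constructed-ip-sts-key"
RP_STS_KEY = b"constructed-rp-sts-key"
IP_STS = "urn:ip-sts:client-domain"   # hypothetical issuer names
RP_STS = "urn:rp-sts:rp-domain"

def sign(issuer, claims, key):
    """Issue a token: a canonical JSON body plus an HMAC over it (SAML stand-in)."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify(token, trusted_issuers):
    """Return the claims only if the token's issuer is trusted and its signature holds."""
    payload = json.loads(token["body"])
    key = trusted_issuers.get(payload["issuer"])
    if key is None:                      # unknown issuer: not trusted, no claims
        return None
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                      # body altered or signed with the wrong key
    return payload["claims"]

def ip_sts_issue(user, password, directory):
    """IP-STS: authenticates the client itself, then issues a token with its claims."""
    if directory.get(user) != password:  # stand-in for Windows integrated authentication
        return None
    return sign(IP_STS, {"name": user, "domain": "client-domain"}, IP_STS_KEY)

def rp_sts_issue(ip_token):
    """RP-STS: does not authenticate; relies on a token from an IP-STS it trusts."""
    claims = verify(ip_token, {IP_STS: IP_STS_KEY})
    if claims is None:
        return None
    claims = dict(claims, role="Reader")  # may add claims meaningful in the RP's domain
    return sign(RP_STS, claims, RP_STS_KEY)

def rp_authorize(rp_token, required_role):
    """RP: trusts only its RP-STS and grants access from the claims in that token."""
    claims = verify(rp_token, {RP_STS: RP_STS_KEY})
    return claims is not None and claims.get("role") == required_role
```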