
Announcing Thinktecture EmbeddedSts — a simple, local STS for ASP.NET applications

October 22, 2013

With Visual Studio 2013, Microsoft has provided a new “Change Authentication” wizard that is part of all ASP.NET projects. This includes an option for “Organizational Accounts”, which in essence means federation using the WS-Federation protocol. This wizard replaces the previous “Identity and Access Control” Visual Studio extension.

The unfortunate part of this is that the “Identity and Access Control” tool used to contain a test STS. This test STS ran locally and thus a full STS did not need to be installed and configured. It even had the ability to configure in a file the users and claims to issue, which was quite convenient for testing and checking into source control.

At Thinktecture we were saddened by the loss of such a useful tool, so we decided to open source a similar tool that we had built for one of our clients (with permission from and many thanks to that client).

From the docs:

EmbeddedSts is intended to be used from an ASP.NET application that is using .NET 4.5 and the Federated Authentication Module (FAM) from WIF. It allows for a simple and easy to use STS instead of a production STS that might require installation and configuration. It does this by embedding a proper WS-Federation security token service within the application itself. When the ASP.NET application would normally redirect to the production STS, it will instead redirect to the EmbeddedSts. The EmbeddedSts will provide a list of users that can login and will then issue a SAML token back to the application that contains the selected user’s claims. This list of users and their associated claims is configurable in a JSON file (which can also be checked into your project, which is useful for testing).

It’s available on NuGet. The code is available on GitHub. The docs are here.


25 Comments
  1. October 22, 2013 9:55 am

    Reblogged this on

  2. October 22, 2013 1:45 pm

    Thank you Brock and the rest of Thinktecture!

  3. October 22, 2013 6:16 pm

    This sounds great, but not really flexible enough for me. I use an IISExpress hosted ASP.Net application for this purpose. It allows me to specify the user details and claims which are then echoed back to the RP. The advantage of this is that every test execution can use a new dynamic identity specifically for that test in order to avoid dirty data.

  4. December 11, 2013 4:21 pm

    Could the local STS be taken to production? Our STS is not ready, so once the ‘original’ STS is ready then we want to just point to the new STS without any change to code. This is for an intranet application (Active Directory users only)

    • December 11, 2013 7:38 pm

      No, the embedded sts is only intended for testing. There’s no real authentication behind it.

  5. January 4, 2014 4:13 am

    Will there be an OwinEmbeddedSTS? ;)

    Actually thinking more about that.. I think I’d like an embedded STS for fall back/local admin login in my app. hmm.

    • January 4, 2014 10:55 am

      No Ws-Fed support yet in Katana, so not until that’s done (unless you’d want a dependency on System.Web).

      I like the idea of an embedded STS for fallback scenarios (e.g. embedded admin logins or when the real STS is down).

  6. Raj
    January 31, 2014 7:11 am

    Will there be support for JWT Token in future releases?

  7. Richard
    March 11, 2014 9:44 pm

    Hi, is it possible to use this from a client? I.e. EmbeddedSTS is hosted in an MVC website but the authentication request originates from an OWIN self-hosted Web API client? Right now, when accessing a client action protected with the [Authorize] attribute I do get redirected to the STS website but just receive the default MVC view and not the login page (the url looks ok as “http://localhost:64626/?wtrealm=http%3a%2f%2flocalhost%3a12345&wctx=WsFedOwinState+biglongstring&wa=wsignin1.0”). Hope that makes sense!

  8. May 6, 2014 4:24 pm

    Hello – have you ever seen a bug with the EmbeddedSts where it generates a crazy long URL, resulting in a “URL Too Long” error from IIS? I seem to get this error sometimes from the EmbeddedSts, other times it works fine. A little puzzling. The URL has a ton of 25s in it.

    • May 8, 2014 10:27 am

      Sounds like you’re denying anonymous access to the login URL.

      • May 9, 2014 10:42 am

        Just want to say thanks for replying. We’ve got an ADFS app and our devs are on VS 2013, so it was really essential to get a lightweight dev STS that could be pulled down with source control. Anonymous access was the last hurdle in getting it working. And thanks for building this thing! You’re making me look like a genius today!

      • Stefan S
        May 18, 2015 1:18 pm

        How did you fix this? I am stuck in a redirect loop to /_sts until I also get a too long request. I added access to everything for * (incl anon users) but still get the redirect loop. Any ideas?
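
Added example, not part of the original post or comments and not EmbeddedSts code: the "ton of 25s" reported in this thread is what repeated percent-encoding looks like, because every redirect hop that re-encodes the previous URL turns `%` into `%25`. The Python sketch below measures that nesting depth in a URL taken from a request log; the `ru` parameter name, the loop model and the sample URLs are constructed assumptions.

```python
from urllib.parse import quote, unquote


def encoding_depth(url, max_rounds=50):
    """Return (depth, fully_decoded): how many unquote() passes change the URL."""
    depth, current = 0, url
    while depth < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, depth = decoded, depth + 1
    return depth, current


def simulate_loop(login_url, return_url, hops):
    """Constructed model of the loop: each hop is bounced to the login URL
    with the previous full URL re-encoded as the return target.
    The 'ru' parameter name is hypothetical."""
    url = return_url
    for _ in range(hops):
        url = login_url + "?ru=" + quote(url, safe="")
    return url


def looks_like_redirect_loop(url, threshold=3):
    """A normal sign-in URL is encoded once; several layers suggest that the
    login endpoint itself keeps being redirected back to sign-in."""
    depth, _ = encoding_depth(url)
    return depth >= threshold


if __name__ == "__main__":
    # Constructed samples: one ordinary sign-in URL and one five-hop loop.
    normal = "http://localhost/?wtrealm=http%3a%2f%2flocalhost%3a12345&wa=wsignin1.0"
    looped = simulate_loop("/_sts", "/home", 5)
    for sample in (normal, looped):
        depth, _ = encoding_depth(sample)
        print(depth, len(sample), looks_like_redirect_loop(sample))
```

A depth above one in the logs points at the sign-in endpoint being redirected again, which matches the diagnosis given in the reply about anonymous access to the login URL.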

  9. BsRJ
    June 5, 2014 7:09 am

    I appreciate first your efforts to help community to fill the gap.
    On using SAML 2.0 based SSO, can you please clarify some of my questions [if it is ok with you].
    1. How do I decrypt encrypted SAML 2.0 data posted to me to retrieve claim details?
    I am looking for concrete details on one-time-setup workflow and repeated auth-workflow

    2. If I am using ASP.NET MVC/Web API 5.0 with VS 2013, .NET 4.5, what will be the authentication provider that I should be using to test SSO based on ADFS/SAML?

    3. I have a sample end to end working locally with older “Identity Access Tool” in VS 2012/.NET 4.0. But now looking for moving to .NET 4.5/ MVC 5.0. I am looking for all details in this context [I am not sure if provider used in MVC 4.0 for above sample is going to be same for 4.5/MVC 5.0 too].

    4. I am thinking that once user is authenticated through SSO/SAML, I can create additional Forms Auth token – for all future purposes of determining requests are authenticated. I am not convinced of security issues with this approach and not clear how frequently I have to keep checking back with STS to renew my token etc.

    5. As a developer can I just install ADFS 2.0 and try STS in TEST environment - setup suggests using some domain controller etc. How big of a deal is it?

    I have done SSO using combination of Forms/Windows authentication in similar way. But I am attempting to use SSO for first time and I am sure your responses and time is very well appreciated for many people in same boat.

    • June 8, 2014 9:03 am

      .NET doesn’t support SAML2p if that’s what you mean. If you want SSO then it’s up to you to pick your identity provider based upon your application’s and environment’s requirements. If you’re doing greenfield development then consider OIDC as the protocol. And yes, once you’ve done external authentication you then have control of how you log the user into your local application. As for the setup of ADFS, it’s involved, and that’s why we have this embedded STS. But if you do start to look at OIDC (instead of WS-Fed) then IdentityServer v3 will be a better tool for this job.

  10. June 16, 2014 1:15 pm

    Hi, I tried this Embedded STS in an ASPNET MVC4 web application and it works great with the ASPNET routing. However, when I created a folder inside the application and tried to access the files, I was able to access them without any protection from the authentication mechanism. Could you provide some thoughts here?

  11. cotepatrice
    April 13, 2015 10:41 am

    In the sample, I see that the STS opens a view that lets you pick a user. Is there a way to simulate a Windows authentication like the LocalSTS so that it would return token for a user (first in the list for example) without having to choose it?

  12. Terry
    April 11, 2016 5:33 am

    Hello, we use EmbeddedSTS for our existing ASP.NET MVC application and are in the process of migrating over to ASP.NET 5. Can it be used for an ASP.NET 5 MVC6 application – if so do you have some sample implementation code/configuration?

