Announcing Thinktecture EmbeddedSts — a simple, local STS for ASP.NET applications
With Visual Studio 2013, Microsoft has provided a new “Change Authentication” wizard that is part of all ASP.NET projects. This includes an option for “Organizational Accounts”, which in essence means federation using the WS-Federation protocol. This wizard replaces the previous “Identity and Access Control” Visual Studio extension.
The unfortunate part of this is that the “Identity and Access Control” tool used to contain a test STS. This test STS ran locally, so a full STS did not need to be installed and configured. It even let you configure the users and the claims to issue in a file, which was quite convenient for testing and for checking into source control.
At Thinktecture we were saddened by the loss of such a useful tool, so we decided to open source a similar tool that we had built for one of our clients (with permission from and many thanks to that client).
From the docs:
EmbeddedSts is intended to be used from an ASP.NET application that is using .NET 4.5 and the Federated Authentication Module (FAM) from WIF. It provides a simple and easy-to-use STS in place of a production STS that might require installation and configuration. It does this by embedding a proper WS-Federation security token service within the application itself. When the ASP.NET application would normally redirect to the production STS, it will instead redirect to the EmbeddedSts. The EmbeddedSts will present a list of users that can log in and will then issue a SAML token back to the application that contains the selected user’s claims. This list of users and their associated claims is configurable in a JSON file (which can also be checked into your project, which is useful for testing).
It’s available on NuGet. The code is available on github. The docs are here.
Enjoy.
Reblogged this on http://www.leastprivilege.com.
Thank you Brock and the rest of Thinktecture!
This sounds great, but not really flexible enough for me. I use an IISExpress hosted ASP.Net application for this purpose. It allows me to specify the user details and claims which are then echoed back to the RP. The advantage of this is that every test execution can use a new dynamic identity specifically for that test in order to avoid dirty data.
So you’re looking for a specific URL that can be sent into the test STS to issue a new token for a specific user (perhaps indicated in the URL/query string)? I’d love to hear more suggestions/ideas — please open an issue on github!
https://github.com/thinktecture/Thinktecture.IdentityModel/issues
Actually I use UI automation to fill out a web form on the STS. When that is submitted the claim is returned to the RP. It was originally created from the first WIF support in VS and then modified for my requirements.
For example:
aspx – http://pastebin.com/mT9v6MKb
aspx.cs – http://pastebin.com/ALqnJBi8
Could the local STS be taken to production? Our STS is not ready, so once the ‘original’ STS is ready we want to just point to the new STS without any change to code. This is for an intranet application (Active Directory users only).
No, the embedded STS is only intended for testing. There’s no real authentication behind it.
Will there be an OwinEmbeddedSTS? ;)
Actually thinking more about that.. I think I’d like an embedded STS for fall back/local admin login in my app. hmm.
No Ws-Fed support yet in Katana, so not until that’s done (unless you’d want a dependency on System.Web).
I like the idea of an embedded STS for fallback scenarios (e.g. embedded admin logins or when the real STS is down).
Will there be support for JWT tokens in future releases?
Why?
Hi, is it possible to use this from a client? I.e. EmbeddedSTS is hosted in an MVC website but the authentication request originates from an OWIN self-hosted Web API client? Right now, when accessing a client action protected with the [Authorize] attribute I do get redirected to the STS website but just receive the default MVC view and not the login page (the URL looks OK: “http://localhost:64626/?wtrealm=http%3a%2f%2flocalhost%3a12345&wctx=WsFedOwinState+biglongstring&wa=wsignin1.0”). Hope that makes sense!
Hello – have you ever seen a bug with the EmbeddedSts where it generates a crazy long URL, resulting in a “URL Too Long” error from IIS? I seem to get this error sometimes from the EmbeddedSts, other times it works fine. A little puzzling. The URL has a ton of 25s in it.
Sounds like you’re denying anonymous access to the login URL.
Just want to say thanks for replying. We’ve got an ADFS app and our devs are on VS 2013, so it was really essential to get a lightweight dev STS that could be pulled down with source control. Anonymous access was the last hurdle in getting it working. And thanks for building this thing! You’re making me look like a genius today!
How did you fix this? I am stuck in a redirect loop to /_sts until I also get a too-long request. I added access to everything for * (incl. anon users) but still get the redirect loop. Any ideas?
Open an issue on the GitHub issue tracker.
First, I appreciate your efforts to help the community fill the gap.
On using SAML 2.0 based SSO, can you please clarify some of my questions [if it is ok with you].
1. How do I decrypt encrypted SAML 2.0 data posted to me to retrieve claim details?
I am looking for concrete details on the one-time setup workflow and the repeated auth workflow.
2. If I am using ASP.NET MVC/Web API 5.0 with VS 2013, .NET 4.5, what will be the authentication provider that I should be using to test SSO based on ADFS/SAML?
3. I have a sample working end to end locally with the older “Identity Access Tool” in VS 2012/.NET 4.0. But now I am looking at moving to .NET 4.5/MVC 5.0. I am looking for all details in this context [I am not sure if the provider used in MVC 4.0 for the above sample is going to be the same for 4.5/MVC 5.0 too].
4. I am thinking that once the user is authenticated through SSO/SAML, I can create an additional Forms Auth token for all future purposes of determining that requests are authenticated. I am not convinced about the security issues with this approach and not clear how frequently I have to keep checking back with the STS to renew my token etc.
5. As a developer, can I just install ADFS 2.0 and try the STS in a TEST environment? The setup suggests using some domain controller etc. How big of a deal is it?
I have done SSO using a combination of Forms/Windows authentication in a similar way. But I am attempting to use SSO for the first time and I am sure your responses and time will be very well appreciated by many people in the same boat.
.NET doesn’t support SAML2p if that’s what you mean. If you want SSO then it’s up to you to pick your identity provider based upon your application’s and environment’s requirements. If you’re doing greenfield development then consider OIDC as the protocol. And yes, once you’ve done external authentication you then have control of how you log the user into your local application. As for the setup of ADFS, it’s involved, and that’s why we have this embedded STS. But if you do start to look at OIDC (instead of WS-Fed) then IdentityServer v3 will be a better tool for this job.
Hi, I tried this Embedded STS in an ASP.NET MVC4 web application and it works great with the ASP.NET routing. However, when I created a folder inside the application and tried to access the files, I was able to access them without any protection from the authentication mechanism. Could you provide some thoughts here?
You need authorization on the subfolder.
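Both of the problems raised in the comments above (the redirect loop to the embedded STS when anonymous access to the login URL is denied, and a subfolder that is served without authentication) come down to where the ASP.NET `<authorization>` rules are placed. The web.config fragment below is an added illustration and is not code from the project or the author. It assumes the EmbeddedSts is served under `/_sts` (the path mentioned in the thread), that the protected subfolder is called `Reports` (a made-up name), and that the site runs in IIS integrated pipeline mode so that the FAM also sees requests for static files. The WIF module registration and federation settings themselves are omitted.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Deny anonymous users everywhere by default; the FAM then
         redirects unauthenticated requests to the (embedded) STS. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The STS login endpoint itself must stay reachable anonymously.
       If the global deny applied here too, the FAM would redirect the
       redirect, producing the /_sts loop and ever-growing URL. -->
  <location path="_sts">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Explicit rule for a content subfolder (hypothetical name) so that
       its files are not served to anonymous callers, regardless of any
       nested web.config or static-file handling in that folder. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <!-- Assumption: run the managed modules (including the FAM) for every
         request, so static files in subfolders go through the same
         authentication check as MVC routes. -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
```

The `<location path="_sts">` override is the part that stops the loop: the global `<deny users="?" />` must not cover the STS sign-in page, or every request for it is itself bounced back to the STS. The subfolder block and `runAllManagedModulesForAllRequests` are the defensive side of the same rule set; without the module running for all requests, files that IIS treats as static content can bypass the managed authorization check entirely.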
In the sample, I see that the STS opens a view that lets you pick a user. Is there a way to simulate Windows authentication like the LocalSTS, so that it would return a token for a user (the first in the list, for example) without having to choose it?
Hello, we use EmbeddedSTS for our existing ASP.NET MVC application and are in the process of migrating over to ASP.NET 5. Can it be used for an ASP.NET 5 MVC6 application? If so, do you have some sample implementation code/configuration?
You’d want to host IdentityServer4 as a replacement.