ASP.NET MVC 2 and authentication using WIF (Windows Identity Foundation)

Question

Are there any decent examples of the following available:

Looking through the WIF SDK, there are examples of using WIF in conjunction with ASP.NET u

Answer 1

An example of WIF + MVC is available in this chapter of the "Claims Identity Guide":

http://msdn.microsoft.com/en-us/library/ff359105.aspx

I do suggest reading the first couple chapters to understand all underlying principles. This blog post covers the specifics of MVC + WIF:

http://blogs.msdn.com/b/eugeniop/archive/2010/04/03/wif-and-mvc-how-it-works.aspx

Controlling the login experience is perfectly fine. You should just deploy your own STS (in your domain, with your look & feel, etc). Your apps would simply rely on it for AuthN (that's why a app is usually called a "relying party").

The advantage of the architecture is that authN is delegated to 1 component (the STS) and not spread out throughout many apps. But the other (huge) advantage is that you can enable more sophisticated scenarios very easily. For example you can now federate with other organization's identity providers.

Hope it helps Eugenio

@RisingStar:

The token (containing the claims) can be optionally encrypted (otherwise they will be in clear text). That's why SSL is always recommended for interactions between the browser and the STS.

Notice that even though they are in clear text, tampering is not possible because the token is digitally signed.