One of the benefits of federated security is the delegation and normalization of authentication to an external source.
As a service developer, I only care about the claims available to me. I do not need to concern myself with how the user was authenticated, only with the claims and the ability to verify them.
As an STS developer, I must care about how users authenticate themselves. The STS is responsible for receiving authentication creds, validating them and returning a normalized set of claims about the authenticated caller.
The STS can support any number of authentication methods: username/password, self-issued cards, certificates, etc. Each authentication method has its own endpoint on the STS (including mex), and each endpoint has authorization policies and validators to ensure the provided creds are valid.
Here's my question.
I want to secure a service using a wsFederationHttpBinding. When defining the configuration for the service, what should I be setting as the address of the issuer? Each endpoint on the STS Issue operation is tied to a specific credential type (u/p, certificate, self-issued, etc.), but the service should have no knowledge of the cred types supported by the STS.
If my service configuration looks like this:
<certificateReference storeLocation="CurrentUser"
then I've "hard coded" the sts reference to the endpoint that supports only username and password. What do I do if the caller has a different set of creds?
After all my services are up and running, if I decide I want to support biometric tokens as a cred type on the STS, I need to create a new endpoint on my STS (myserver.com/auth/biometric/sts), but I shouldn't need to change the business services at all.
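An added example, not part of the original post, of the service-side binding configuration under discussion: the relying-party service names the STS issuer once and points clients at the STS mex endpoint via issuerMetadata, so the service config does not hard-code any particular credential-type endpoint. The STS addresses (myserver.com/auth/sts and its /mex) and the binding name are assumed placeholders.

```xml
<!-- Relying-party service configuration (added example; addresses are placeholders). -->
<system.serviceModel>
  <bindings>
    <wsFederationHttpBinding>
      <binding name="fedBinding">
        <security mode="Message">
          <!-- The service only states what token it accepts and who must issue it.
               It does not name a username, certificate or biometric endpoint. -->
          <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                   negotiateServiceCredential="false">
            <!-- Logical issuer the service trusts; tokens must come from this STS. -->
            <issuer address="http://myserver.com/auth/sts" />
            <!-- Where clients fetch the STS metadata (mex). Clients pick the STS
                 endpoint matching their own creds from this metadata, so adding a
                 new credential-type endpoint on the STS needs no change here. -->
            <issuerMetadata address="http://myserver.com/auth/sts/mex" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>
  </bindings>
  <services>
    <service name="MyCompany.BusinessService">
      <endpoint address="" binding="wsFederationHttpBinding"
                bindingConfiguration="fedBinding"
                contract="MyCompany.IBusinessService" />
    </service>
  </services>
</system.serviceModel>
```

The service-side validator still has to check the issuer signature on incoming tokens; the binding above only decides which STS the service will accept claims from, not how the caller proved its identity to that STS.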