Multifactor authentication in active STS (Windows, UserPassword, Custom)

  • Question

  • Hello,

    We are developing an active STS with multifactor authentication support. It must support three scenarios of client authentication in the STS to issue a security token:

    1. by using windows credentials
    2. by username and password
    3. by custom credentials (some key stored on hardware Token)

    We've made a self-hosted STS with two endpoints based on WS2007HttpBinding (for scenarios 1 and 2):

    1. binding with ClientCredentialType = MessageCredentialType.Windows
    2. binding with ClientCredentialType = MessageCredentialType.UserName

    In this case we have two behaviors:

    1. When the client uses Windows credentials, the STS validates the credential without assistance and generates a WindowsClaimsIdentity.
    2. When the client uses user\password credentials, the STS validates the credentials using a custom UserNameSecurityTokenHandler (we wrote that to validate u\p).

    On the client side we are using WSTrustChannelFactory to issue a SAML security token.

    Both scenarios work fine.

    But we don't know exactly how to implement the third scenario, authenticating a client in the STS with custom credentials (see above). We suppose that a third endpoint should be added to the STS. We have no idea how to configure the STS binding (ClientCredentialType) to support custom credentials.

    So we have the following questions:

    • Is this the correct approach to implement our scenarios?
    • How do we pass custom credentials to the STS?
    • How do we validate custom client credentials on the STS?

    Any ideas?

    Wednesday, July 16, 2014 12:50 PM
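The two working scenarios described in the post (a self-hosted WSTrustServiceHost with a Windows endpoint and a UserName endpoint, the latter validated by a custom UserNameSecurityTokenHandler) as an added example; this is not the poster's code. The handler name, the issuer URN, the base address and the "demo" credential check are assumptions, and `stsType` stands for the poster's own SecurityTokenService subclass.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical handler: replaces WCF's default user-name validation with our own check.
public class DemoUserNameHandler : UserNameSecurityTokenHandler
{
    public override bool CanValidateToken { get { return true; } }

    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        var unt = (UserNameSecurityToken)token;
        // Placeholder check (assumption); a real STS compares against a credential store
        // holding salted password hashes and never logs the clear-text password.
        if (unt.UserName != "demo" || unt.Password != "demo-password")
            throw new SecurityTokenValidationException("Invalid user name or password.");
        var identity = new ClaimsIdentity(AuthenticationTypes.Password);
        identity.AddClaim(new Claim(ClaimTypes.Name, unt.UserName));
        return new ReadOnlyCollection<ClaimsIdentity>(new[] { identity });
    }
}

public static class StsHost
{
    // Message security so the client credential travels encrypted to the STS.
    static WS2007HttpBinding MessageBinding(MessageCredentialType credentialType)
    {
        var binding = new WS2007HttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = credentialType;
        binding.Security.Message.EstablishSecurityContext = false; // one RST per call, no session
        return binding;
    }

    public static WSTrustServiceHost Start(X509Certificate2 stsCert, Type stsType)
    {
        var config = new SecurityTokenServiceConfiguration("urn:demo:sts", new X509SigningCredentials(stsCert));
        config.ServiceCertificate = stsCert;       // decrypts requests addressed to the STS
        config.SecurityTokenService = stsType;     // the poster's SecurityTokenService subclass
        config.SecurityTokenHandlers.AddOrReplace(new DemoUserNameHandler());

        var host = new WSTrustServiceHost(config, new Uri("http://localhost:8080/sts")); // assumed address
        host.AddServiceEndpoint(typeof(IWSTrust13SyncContract), MessageBinding(MessageCredentialType.Windows), "windows");
        host.AddServiceEndpoint(typeof(IWSTrust13SyncContract), MessageBinding(MessageCredentialType.UserName), "username");
        host.Open();
        return host;
    }
}
```

The Windows endpoint needs no handler because WCF authenticates the Kerberos/NTLM credential itself; only the UserName endpoint routes through the registered UserNameSecurityTokenHandler.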