In a comment on a previous blog post Travis Spencer asked

Can you explain more about how you implemented an STS that supports both active and passive scenarios?

So here’s how –

To start with – I’ve implemented my STS class with all the logic I needed; this was done as a class library with several classes: my STS implementation, my STS configuration class, an STS service factory, my custom WindowsUserNameSecurityTokenHandler implementation and all the classes I needed to support my custom configuration section.

Then, in order to support an active scenario, I’ve created a WCF service and, through the SVC file, I’ve configured it to use my STS service factory class –

<%@ ServiceHost Language="C#" Debug="true" Service="<My STS configuration class>" Factory="<My STS Factory class>" %>

I’ve then configured the web.config of the WCF service to support my scenario – that included all the relevant binding configuration I needed, the Geneva framework configuration (the microsoft.IdentityModel section) as well as any custom configuration my STS uses.

The passive scenario can seem a little bit more confusing –

Obviously I’ve started by creating an ASP.NET web application; this application basically has two web pages (admittedly I’m simplifying things a little bit for clarity) – default.aspx and login.aspx.

Using standard ASP.NET forms authentication, the web site is configured to redirect all unauthenticated users to the Login.aspx page, which in turn has a pretty standard login implementation using my custom username validator logic and the framework’s RedirectFromLoginPage function to set the local forms authentication cookie.

All my web-based relying parties redirect the user to the default.aspx page; forms auth then redirects again to login.aspx for authentication and, once authenticated, the user is redirected back to default.aspx. On this page I’ve simply put the FederatedPassiveTokenService control provided with the Geneva framework, configured to use my STS configuration class as the service; this takes care of calling the STS and posting the token back to the RP.
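To make the wiring concrete, here is an added example (not the code from this post) of the three pieces in Geneva framework terms: the STS, the configuration class that both front ends reference by type name, and the service host factory named in the .svc file. All type names, the issuer URI and the certificate thumbprint below are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
// The STS itself, shared by the active (WS-Trust) and passive (WS-Federation) front ends.
public class ExampleSecurityTokenService : SecurityTokenService
{
    public ExampleSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Refuse requests with no AppliesTo; a real STS also checks it against its list of known RPs.
        if (request.AppliesTo == null || request.AppliesTo.Uri == null) throw new InvalidRequestException("AppliesTo is required.");
        // Reply to the RP address itself rather than a caller-supplied wreply; encryption is off only to keep the example short.
        return new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials)
            { ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri, TokenEncryptionRequired = false };
    }
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // The caller is already authenticated (by the WCF binding or by forms auth); issue its name as a claim.
        return new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, principal.Identity.Name) });
    }
}

// Referenced by type name from the .svc Service attribute and from the FederatedPassiveTokenService control.
public class ExampleStsConfiguration : SecurityTokenServiceConfiguration
{
    public ExampleStsConfiguration()
        : base("http://sts.example.invalid/", new X509SigningCredentials(LoadSigningCertificate()))
    { SecurityTokenService = typeof(ExampleSecurityTokenService); }
    private static X509Certificate2 LoadSigningCertificate()
    {
        // Placeholder thumbprint; validOnly=true rejects expired or untrusted certificates.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, "<STS signing cert thumbprint>", true);
        store.Close();
        if (found.Count == 0) throw new InvalidOperationException("STS signing certificate not found.");
        return found[0];
    }
}

// Named in the .svc file's Factory attribute; hands the same configuration to the active endpoint.
public class ExampleStsServiceHostFactory : WSTrustServiceHostFactory
{
    protected override SecurityTokenServiceConfiguration CreateSecurityTokenServiceConfiguration(string constructorString)
    { return new ExampleStsConfiguration(); }
}
```

The passive page then only needs the control pointed at the same configuration type, so the token-issuing logic is written once and both endpoints share it.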

I hope that makes sense; do let me know if it does not!