WS-Federation using Identity Server

Jul 15, 2014 at 5:18 PM
I originally asked this question here but haven't had a response yet so I thought I might get a better response here.

I am trying to connect to an instance of Identity Server V2 that I have deployed in Azure. Below is the how I have configured the Startup file:
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                MetadataAddress = "",   // left blank in the post
                Wtrealm = "",           // left blank in the post
                AuthenticationMode = AuthenticationMode.Passive,
                BackchannelCertificateValidator = new FakeCertificateValidator()
            });
        }
    }

    // Back-channel validator used for the metadata fetch; as written it accepts
    // every server certificate regardless of chain or policy errors.
    public class FakeCertificateValidator : ICertificateValidator
    {
        public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }
    }
I additionally have a controller action decorated with AuthorizeAttribute and when I try to access any action on that controller, I receive a 401 where I expect to be redirected to the STS.

Is this correct?
Jul 15, 2014 at 5:28 PM
Remove this: AuthenticationMode = AuthenticationMode.Passive. In passive mode the middleware needs to be invoked by name. In active mode the middleware will kick in for any 401 response.
Marked as answer by dvancuyk on 7/15/2014 at 11:07 AM
Jul 15, 2014 at 5:42 PM
Thank you very much! I misunderstood the AuthenticationMode property then. I had assumed it would correspond to the differences in Active and Passive Federation within WIF.

To further clarify then, if I have the credentials and want to provide these credentials to the external STS, I would then use
AuthenticationMode = AuthenticationMode.Passive
Jul 15, 2014 at 5:50 PM
That's still unrelated. I'm not aware of any way for you to pass credentials directly to the STS.

What passive does is it allows you to have several different auth middleware in your pipeline, but rather than just sending back a 401 you need to select one of them by name. See IOwinContext.AuthenticationManager.Challenge(WsFederationAuthenticationDefaults.AuthenticationType);
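Worked example of the two points made in this thread, added here and not taken from the thread or from the Katana project's own samples: the WS-Federation middleware is kept in passive mode, so a bare 401 from [Authorize] is turned into a redirect to the cookie middleware's LoginPath, and the Login action then selects the WS-Federation middleware by name with Challenge(WsFederationAuthenticationDefaults.AuthenticationType). It also swaps the always-true certificate validator for one that pins the thumbprint of the STS's HTTPS certificate. The metadata URL, realm, thumbprint and the ThumbprintPinningValidator class are assumptions for illustration, not values from the post.

```csharp
// Added example (not from the thread): passive WS-Federation middleware triggered
// by name, plus a back-channel validator that pins the STS's TLS certificate.
// Metadata URL, realm and thumbprint are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The cookie middleware is the sign-in target for the federation middleware.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            // Active cookie middleware turns an unnamed 401 into a redirect here.
            LoginPath = new PathString("/Account/Login")
        });

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            // Placeholders: replace with the STS metadata address and your realm.
            MetadataAddress = "https://sts.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml",
            Wtrealm = "https://rp.example.invalid/",
            // Passive: ignores bare 401s; runs only when Challenge names "Federation".
            AuthenticationMode = AuthenticationMode.Passive,
            BackchannelCertificateValidator = new ThumbprintPinningValidator(new[]
            {
                "PLACEHOLDER-SHA1-THUMBPRINT-OF-STS-TLS-CERTIFICATE"
            })
        });
    }
}

// Hypothetical validator (not a Katana type): accepts only certificates whose
// thumbprint is on the allow-list, so a forged or substituted metadata endpoint
// fails the back-channel fetch instead of being silently trusted.
public class ThumbprintPinningValidator : ICertificateValidator
{
    private readonly HashSet<string> _thumbprints;

    public ThumbprintPinningValidator(IEnumerable<string> thumbprints)
    {
        _thumbprints = new HashSet<string>(
            thumbprints.Select(t => t.Replace(" ", string.Empty)),
            StringComparer.OrdinalIgnoreCase);
    }

    public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
        {
            return false;
        }
        string thumbprint = new X509Certificate2(certificate).Thumbprint;
        return thumbprint != null && _thumbprints.Contains(thumbprint);
    }
}

// With the federation middleware passive, [Authorize] alone yields a 401 and the
// cookie middleware redirects to this action, which picks the middleware by name.
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        IOwinContext owin = HttpContext.GetOwinContext();
        owin.Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = returnUrl ?? "/" },
            WsFederationAuthenticationDefaults.AuthenticationType);
        // The 401 carries the named challenge; only the federation middleware
        // acts on it and issues the redirect to the STS.
        return new HttpUnauthorizedResult();
    }
}
```

Two caveats on the pinning validator: it covers only the HTTPS certificate of the back-channel metadata request, not the token-signing certificate (that one still comes from the metadata document and is checked by the token handler), and the pinned thumbprint has to be updated whenever the STS rotates its TLS certificate, otherwise metadata refresh fails closed.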