In a Single Sign-On (SSO) scenario where all applications are running in the same domain/company:
- Is the same security token shared among all applications (relying parties) that get users authenticated from the same common identity provider / Security Token Service (STS)? What is the default behavior of any STS?
E.g. user A logs on to application X. After some time, she tries to access application Y. Since she has already been authenticated by the same STS, and if the token issued to her has not yet expired, she won't have to provide credentials when accessing application Y.
- My understanding is that this may be possible if the token contains ALL the claims that would be required by all relying parties / applications. But is it good practice?
- Can the expiry time of the token (which was issued when the user logged on to application X) be extended/reset when user A connects to application Y?
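The following is an added example, not part of the question above, that models the pattern most SSO protocols (SAML, WS-Federation, OpenID Connect) follow: the STS keeps one session with the user's browser, and each relying party receives its own token, scoped to that party's audience and carrying only the claims it needs. The toy HMAC-signed token, the signing key, the user directory and the relying-party URLs are all assumptions made up for the demonstration; a real STS signs with an asymmetric key and uses a standard token format.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: a toy HMAC-signed token stands in for a SAML/JWT token so the example runs offline.
SIGNING_KEY = b"demo-sts-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass(frozen=True)
class RelyingParty:
    audience: str            # value the STS puts in the token's "aud" claim
    required_claims: tuple   # the only user claims this RP should receive
    token_lifetime: int      # seconds; fixed at issue time and never extended afterwards


class IdentityProvider:
    """Toy STS: one long-lived browser session per user, one short-lived token per relying party."""

    def __init__(self, key: bytes, session_lifetime: int):
        self._key = key
        self._session_lifetime = session_lifetime
        # Constructed user directory (assumption); a real STS would back this with a user store.
        self._users = {
            "alice": {"password": "correct horse", "claims": {
                "sub": "alice", "email": "alice@example.com", "role": "admin", "dept": "finance"}},
        }
        self._sessions: Dict[str, Tuple[str, int]] = {}   # session_id -> (user, session expiry)

    def login(self, user: str, password: str, now: int) -> Optional[str]:
        """Credentials are checked here and only here; returns a session id or None."""
        record = self._users.get(user)
        if record is None or not hmac.compare_digest(record["password"].encode(), password.encode()):
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = (user, now + self._session_lifetime)
        return session_id

    def issue_token(self, session_id: str, rp: RelyingParty, now: int) -> Optional[str]:
        """Return a token for `rp` if the STS session is still valid, else None (re-authenticate)."""
        user, session_expiry = self._sessions.get(session_id, (None, 0))
        if user is None or now >= session_expiry:
            self._sessions.pop(session_id, None)
            return None
        # Sliding STS session: activity at any RP extends the *session*, never an already-issued token.
        self._sessions[session_id] = (user, now + self._session_lifetime)
        # Only the claims this RP asked for; claims meant for other RPs are not put in its token.
        claims = {k: v for k, v in self._users[user]["claims"].items() if k in rp.required_claims}
        payload = {"aud": rp.audience, "iat": now, "exp": now + rp.token_lifetime, **claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


def verify_token(token: str, key: bytes, rp: RelyingParty, now: int) -> Optional[dict]:
    """Relying-party side: accept only tokens signed by the STS, addressed to us, and unexpired."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("aud") != rp.audience or now >= payload.get("exp", 0):
        return None
    return payload


# Hypothetical relying parties X and Y with different claim requirements.
APP_X = RelyingParty("https://x.example.com", ("sub", "email"), token_lifetime=600)
APP_Y = RelyingParty("https://y.example.com", ("sub", "role"), token_lifetime=600)


def sso_walkthrough() -> dict:
    """User A logs in at X, later visits Y; returns what each step observed."""
    idp = IdentityProvider(SIGNING_KEY, session_lifetime=3600)
    sid = idp.login("alice", "correct horse", now=1000)   # credentials entered once, at X
    tok_x = idp.issue_token(sid, APP_X, now=1000)
    tok_y = idp.issue_token(sid, APP_Y, now=1500)         # no credentials: STS session still valid
    y_payload = verify_token(tok_y, SIGNING_KEY, APP_Y, now=1500)
    return {
        "x_accepts_own_token": verify_token(tok_x, SIGNING_KEY, APP_X, now=1500) is not None,
        "y_rejects_x_token": verify_token(tok_x, SIGNING_KEY, APP_Y, now=1500) is None,
        "y_token_claims": {k: v for k, v in y_payload.items() if k not in ("aud", "iat", "exp")},
        "x_token_expiry_unchanged": verify_token(tok_x, SIGNING_KEY, APP_X, now=1601) is None,
        # the visit to Y slid the STS session to 1500 + 3600 = 5100; 4700 is past the original 4600
        "session_slid_by_visit_to_y": idp.issue_token(sid, APP_X, now=4700) is not None,
        "session_eventually_expires": idp.issue_token(sid, APP_Y, now=9999) is None,
    }
```

Running `sso_walkthrough()` shows the three points the question raises in one pass: Y never sees X's token (audience check), Y's token carries only Y's claims, and visiting Y does not push out the expiry of the token X already holds; what gets refreshed is the session at the STS, so the next token X asks for is issued without a login prompt.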