Windows Identity Foundation does not officially support SAML 2.0; use WIF CTP or stick with SAML 1.1?


We would like to use SAML 2.0 for a Single Sign On solution. As a typical Microsoft shop, we prefer to use Microsoft components as much as possible. Windows Identity Foundation

2 answers
  • 2021-02-06 12:26

    Take a look at Identity Server, which is an STS that does use SQL Server for authentication. You can easily federate this with ADFS.

    From what I remember about reading the licence agreement for the CTP release, it's just out there for comment - you can't use it e.g. in a Production environment.

    As per @Eugenio, WIF only supports WS-Federation.

    How were you intending to "stick with SAML 1.1"?

    Update: What I suggest is that you use Identity Server to do the authentication against the DB. Your WIF applications are bound using FedUtil to Identity Server. You then federate Identity Server with ADFS. Your external parties use SAML to talk to ADFS and ADFS will handle the plumbing to enable them to authenticate with the Identity Server DB.

    Note that WIF doesn't support SAML at all.

  • 2021-02-06 12:39

    You should clarify whether you're talking about the SAML 2.0 protocol (e.g. SAMLP) or just the token type. WIF RTM supports SAML 2.0 tokens, but not SAMLP.

    So if it's just SAML 2.0 token support you need, WIF RTM is sufficient, though WIF extensions CTP does add some SAMLP support.

    If you're looking for a SAMLP solution and you're a Microsoft shop then you should consider ADFS 2.0.

    ADFS 2.0 would do "protocol transition": it will talk SAMLP with the Identity Provider and WS-Federation with your app (both use SAML "Tokens"). WIF supports WS-Federation.

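The token-versus-protocol distinction drawn in the second answer can be seen on the wire from the XML namespaces alone. The following is an added example, not part of the original answers: `classify`, `split_tag` and both sample messages are constructed for illustration, and the code only identifies the envelope and token type, it does not validate signatures.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the OASIS SAML and WS-Trust specifications.
TOKEN_NS = {
    "urn:oasis:names:tc:SAML:1.0:assertion": "SAML 1.1 token",
    "urn:oasis:names:tc:SAML:2.0:assertion": "SAML 2.0 token",
}
RSTR = "WS-Trust RSTR (WS-Federation wresult)"
PROTOCOL_NS = {
    "urn:oasis:names:tc:SAML:2.0:protocol": "SAMLP 2.0",
    "http://schemas.xmlsoap.org/ws/2005/02/trust": RSTR,
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512": RSTR,
}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def classify(xml_text):
    """Return (protocol envelope, sorted token types) for a sign-in response."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not expected in federation messages")
    root = ET.fromstring(xml_text)
    protocol = PROTOCOL_NS.get(split_tag(root.tag)[0], "unknown")
    tokens = set()
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if local == "Assertion" and ns in TOKEN_NS:
            tokens.add(TOKEN_NS[ns])
    return protocol, sorted(tokens)

# Constructed, unsigned samples trimmed to the elements that matter here.
WSFED_SAML20 = """<t:RequestSecurityTokenResponse
  xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_constructed1" Version="2.0"/>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

SAMLP_SAML20 = """<samlp:Response ID="_constructed2" Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_constructed3" Version="2.0"/>
</samlp:Response>"""
```

Both samples carry the same SAML 2.0 token; only the envelope differs, which is the part the answer says ADFS 2.0 transitions between.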