How to get SSO and anonymous users with WIF and passive authentication?


I've got a web application that needs to implement SSO with WIF. There is a STS already set up for authentication, and I can use it to log on just fine.

However the application also needs to accommodate anonymous users. So when a user first arrives at the website, I need to somehow check with the STS if he is already logged on or not. If he is, the STS would return his token (simple), but if he isn't, he should be simply returned to the website without any further authentication, so he can continue browsing anonymously (how do I do this?). If he later wants to authenticate, he clicks the login button and we do the typical WIF authentication dance, which I have already in place.

So... how do I tell an STS to do nothing if a user isn't authenticated?

There are 2 best solutions below

Answer 1

There's nothing special really with WIF. You just define in your app what requires auth and what doesn't.

In MVC you would use the [Authorize] attribute on controllers. In ASP.NET you can use this: http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
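One way to lay out the relying party along these lines (an added example, not code from the answer; the controller and action names are hypothetical, and it assumes ASP.NET MVC 3 or later with WIF's passive federation module already configured in web.config, as the asker describes):

```csharp
using System.Web.Mvc;

// Added example, not from the original post. Assumes WIF's
// WSFederationAuthenticationModule is registered in web.config with
// passive redirect enabled and the STS issuer/realm set up, exactly
// as for the "WIF authentication dance" the asker already has.

public class HomeController : Controller
{
    // No [Authorize]: anonymous visitors get the page straight away,
    // with no round trip to the STS. The view can still adapt to a
    // visitor who already holds a session from an earlier sign-in.
    public ActionResult Index()
    {
        ViewBag.IsSignedIn = User.Identity.IsAuthenticated;
        ViewBag.DisplayName = User.Identity.IsAuthenticated
            ? User.Identity.Name
            : "Guest";
        return View();
    }
}

public class AccountController : Controller
{
    // [Authorize] makes MVC answer an unauthenticated request with 401;
    // the WIF module turns that 401 into the passive redirect to the STS.
    // Pointing the "Login" button at this action therefore triggers sign-in
    // only when the user asks for it; already-authenticated users pass
    // straight through and are sent back where they came from.
    [Authorize]
    public ActionResult Login(string returnUrl)
    {
        // Only honour local return URLs, so the login endpoint cannot be
        // used as an open redirector after the STS hands the user back.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // Any further page that needs a signed-in user is protected the same
    // way; role checks (User.IsInRole) then work on the claims the STS issued.
    [Authorize]
    public ActionResult Profile()
    {
        return View();
    }
}
```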

Answer 2

You shouldn't mix authentications on your web site (relying party).

All authentication related issues should be handled by the STS. To achieve your goal you should allow anonymous users on your STS and return a token to your web site (RP) with claims indicating the user as "Anonymous" (or whatever you want to call him).

So basically you have to "authenticate" the user as unauthenticated :D.

This way you do not decide how your GUI looks and what is available based on whether the user is authenticated or not, but on whether he has a specific role or not (obviously the user "Anonymous" wouldn't have any roles). This seems to me like a better approach.

Hope this helps.