Secure Token Service (STS)
The core component of DigitalPersona STS is Thinktecture's IdentityServer3 version 1.6.1 - an open source framework implementing the OpenID Connect/OAuth2 specification as described in https://github.com/IdentityServer/IdentityServer3.
Web applications that use OpenID Connect authentication are natively supported. Localized changes were made to the original code in order to accommodate credentials other than password and to enforce DigitalPersona authentication policies.
The framework allows supporting other protocols via protocol plug-ins. For example, Thinktecture provides an implementation of the WS-Federation protocol. See https://github.com/identityserver/IdentityServer3.WsFederation for further details.
A similar plug-in supporting the SAML2P protocol is currently under development.
IdentityServer3 supports the delegation of authentication to external identity providers, such as Google, Facebook, Twitter, ADFS and the Windows Integrated Authentication Service.
When configured, the links to external providers are displayed on the login page.
The IdentityServer3 framework provides default implementations for all its functional components and allows developers to replace some of them via dependency injection. The components of particular interest are the User Service, the View Service and the relying party (client) store.
User Service
The purpose of the User Service is to verify user credentials and, upon successful authentication, to return the requested set of claims. The User Service may instruct IdentityServer3 to redirect to another page, for example an HRD (home realm discovery) page.
In our implementation, the User Service requests the authentication policy for the user from the DigitalPersona policy web-service and verifies their credentials using the DigitalPersona authentication web-service. Claim values are obtained from AD or LDS using the DigitalPersona claims web-service.
If necessary, the User Service redirects the user to the next requested credential on the login page - until the policy is satisfied. The User Service also handles identities received from external providers and has the ability to transform claims or request additional authentication.
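The following is an added example modelling the credential loop just described; it is not DigitalPersona or IdentityServer3 code. The policy, the secret store and the directory lookup are constructed stand-ins for the DigitalPersona policy, authentication and claims web services, and the policy format (a list of alternative credential sequences) is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-ins for the DigitalPersona policy, authentication and claims
# web services. A policy is a list of alternative credential sequences; the user
# satisfies it by completing every credential in any one of them (assumed format).
POLICY: list[tuple[str, ...]] = [("password", "fingerprint"), ("password", "otp")]
SECRETS = {("alice", "password"): "pw", ("alice", "otp"): "123456"}              # constructed
DIRECTORY = {"alice": {"email": "alice@example.test", "given_name": "Alice"}}  # constructed


def verify_credential(user: str, kind: str, secret: str) -> bool:
    """Stand-in for the authentication web service."""
    return SECRETS.get((user, kind)) == secret


@dataclass
class LoginState:
    username: str
    verified: set[str] = field(default_factory=set)   # credentials already verified


def next_credential(policy, verified: set[str]) -> Optional[str]:
    """Next credential tab to show, or None once any alternative is complete.
    Picks the alternative with the fewest outstanding credentials; policy order breaks ties."""
    outstanding = [[c for c in alt if c not in verified] for alt in policy]
    if any(not rem for rem in outstanding):
        return None
    return min(outstanding, key=len)[0]


def authenticate_local(state: LoginState, kind: str, secret: str, policy=POLICY,
                       verify: Callable[[str, str, str], bool] = verify_credential) -> dict:
    """One User Service round: verify one credential, then either redirect to the
    next credential's tab or finish the login and return the claims."""
    if not verify(state.username, kind, secret):
        return {"error": f"{kind} verification failed"}    # stay on the current tab
    state.verified.add(kind)
    nxt = next_credential(policy, state.verified)
    if nxt is not None:
        return {"redirect": f"/login?credential={nxt}"}    # policy not yet satisfied
    claims = dict(DIRECTORY.get(state.username, {}))        # claims web service stand-in
    claims["amr"] = sorted(state.verified)                  # methods used for this login
    return {"subject": state.username, "claims": claims}
```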
View Service
The View Service is responsible for displaying the login, logout, and other pages. All the pages are customized to provide the HID DigitalPersona branding and look and feel. The centerpiece of the login page is the pluggable tab control, where each tab is used to collect the corresponding credential (password, fingerprint, one-time password, etc.). After the user provides their credentials, they are verified via the User Service.
Every WS-Federation relying party (as well as every OpenID Connect client) must be pre-registered in DigitalPersona STS. Currently, the list is stored in the web.config file, and the built-in in-memory store is initialized from the list.