Since all Zermatt samples use Windows authentication to auth against an STS – the question how to use forms authentication instead popped up several times. It is easy to do that.
Basically a passive STS endpoint is an ASP.NET handler – could be a plain IHttpHandler, an .ashx or a page. All samples simply hook the Page_PreRender event to render the redirect logic. But you could also show a UI before doing that. This means you can put e.g. a login control on your issuing page and manually verify username/password credentials before issuing the token.
My sample issuing page looks like this:
<title>Forms Authentication Sign In</title>
<form id=”form1″ runat=”server”>
<asp:Login runat=”server” ID=”_login” OnAuthenticate=”_login_Authenticate” />
In the Authenticate event you verify credentials somehow, and if successful, create a ClaimsIdentity and issue the token. In my sample I additionally issue a forms auth ticket for the STS domain so that returning users don’t have to re-authenticate using the form.
Another approach to make the federation token apply to more than one RP is to modify the cookie domain (if the RPs are in the same domain).
protected void _login_Authenticate(object sender, AuthenticateEventArgs e)
if (ValidateUser(_login.UserName, _login.Password))
ClaimsIdentity identity = new ClaimsIdentity(
new Claim(System.IdentityModel.Claims.ClaimTypes.Name, _login.UserName),
ClaimsPrincipal principal = new ClaimsPrincipal(