First, let's distinguish between a protocol and a token format. I assume that you are talking about a protocol, not a token format. But just in case, there are differences:
- The format of the SAML 2 token is simply the token format that your application will eliminate. It is supported by WIF out of the box.
- SAML 2 protocol. These are HTTP interactions that your application will need to understand in order to receive a token in the application. This is not supported by WIF, but there is an extension that you can download ( http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088 )
On the other hand, you have a scenario in which there are several identity providers. The book suggested by Wiktor (which I co-authored) explains this scenario in more detail in the chapter Federated Identity with Multiple Partners . I recommend that you read it to get the concepts behind federation of identity. Let me give you a short version of the article and some implementation details. There are two ways to resolve this issue:
Implementing it at the application level. WIF allows you to trust more than one identity provider identifier (this is done with X509 certificates). Then you will have to generate login requests for each identity provider depending on the URL (for example, https://idp1.yourapp.com or https://yourapp.com/idp1 ) or the user choosing (having a home page with two links, one for each identity card). You will also have to normalize the claims coming from this identity provider (perhaps one of them will send you the application βnameβ and the other βupnβ).
YourApp --> Identity Provider 1 \-> Identity Provider 2
Using the so-called "federation provider". This is another server that will issue tokens to your application, and it will have a trust relationship with your identity provider. Instead of having your application trust two identity providers, you trust only your federation provider, and the provider will trust the identity providers. This is a chain of trust.
YourApp --> Federation Provider --> Identity Provider 1 \-> Identity Provider 2
This architecture allows you to:
- grow identity providers without touching your application.
- If you have a second application, you simply copy your implementation of the first.
- you get single sign-on for free
- you get a complaint conversion mechanism (if you use something like ADFS)
- If you use something like ADFS, you get the built-in SAML 2 protocol (instead of executing it manually using the extension below).
Of course, the disadvantage is that now you have something else to service (ADFS server).