This documentation is archived and is not being maintained.

WIF Client

Windows Identity Foundation
[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

Windows® Identity Foundation (WIF) provides functionality to help you build claims-aware clients. The following steps (taken from the diagram in the original topic) show how a client interacts with a relying party (RP) and a security token service (STS):

  1. A client request arrives at the RP application. Serving the request requires the RP application to access an external resource on the user's behalf, so the RP application must impersonate the user.

  2. The RP application redirects the client to the IP-STS for authentication.

  3. The IP-STS authenticates the user and issues a SAML token that contains a UPN claim (that is, a claim of type

  4. The client submits the SAML token to the RP application.

  5. The RP application validates the SAML token and extracts the UPN claim.

  6. The RP application passes the UPN claim to the UpnLogon method as a parameter and gets back a Windows security token. This method call is made automatically by the SAML 1.1 and SAML 2 SecurityTokenHandlers when the mapToWindows property on the SamlSecurityTokenRequirement of these SecurityTokenHandlers is set to true and the useWindowsTokenService attribute on the <windowsClaimsIdentity> element in the <microsoft.IdentityModel> configuration section is set to true.

  7. The RP application uses the resulting WindowsIdentity to impersonate the user and accesses the resource.
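The manual form of steps 5 through 7, as an added example that is not part of this topic: it reads the UPN claim from the current IClaimsPrincipal, calls UpnLogon (assumed here to be S4UClient.UpnLogon in the Microsoft.IdentityModel.WindowsTokenService namespace, which in turn requires the Claims to Windows Token Service to be running and the calling process to be in its allowed-callers list), and impersonates only for the duration of the resource access. The file path is a constructed placeholder, and the helper name is hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;              // IClaimsPrincipal, IClaimsIdentity, ClaimTypes.Upn
using Microsoft.IdentityModel.WindowsTokenService; // S4UClient.UpnLogon (assumed namespace)

public static class ClaimsToWindowsImpersonation
{
    // Hypothetical helper: explicit version of steps 5-7 for a relying party that does
    // not rely on the token handler's mapToWindows automation.
    public static string ReadResourceAsUser(string resourcePath)
    {
        // Step 5: the token handler has already validated the SAML token and populated
        // Thread.CurrentPrincipal with the claims it carried.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated claims principal.");

        var identity = (IClaimsIdentity)principal.Identity;
        Claim upnClaim = null;
        foreach (Claim c in identity.Claims)
        {
            if (c.ClaimType == ClaimTypes.Upn) { upnClaim = c; break; }
        }
        if (upnClaim == null)
            throw new UnauthorizedAccessException("Token carries no UPN claim; cannot map to a Windows identity.");

        // Step 6: exchange the UPN for a Windows security token via the Claims to
        // Windows Token Service (S4U logon, no password involved).
        WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upnClaim.Value);

        // Step 7: impersonate only around the resource access. The using block
        // guarantees Undo() even if the read throws, so the worker thread never
        // keeps running as the user afterwards.
        using (WindowsImpersonationContext ctx = windowsIdentity.Impersonate())
        {
            return File.ReadAllText(resourcePath); // e.g. a UNC share the user is authorized for
        }
    }
}
```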

This section contains topics that discuss the WIF client.

  1. WSTrustChannelFactory and WSTrustChannel

  2. Built-in Bindings Overview