
How to authenticate a non-Active Directory user in "Geneva" Server

I am looking at setting up "Geneva" Server in an environment where we have internal website users that are in Active Directory and external users who are not. For the external users we would like to present a custom login/registration page and to authenticate users against an external users database.

What I've read so far seems to indicate that the "Geneva" Server passive authentication approach only works against Active Directory. I can't see a way to configure it to use any other store of users (other than for providing additional claims once a user has been authenticated).

At the moment, the only solution I can think of is to write a custom STS for authenticating the external users and then setting this up as an identity provider in "Geneva" Server. This doesn't seem ideal. Is there another approach - ideally where I could write a custom login page and have the "Geneva" Server FederationPassive site use this but still issue a token from "Geneva" Server?
IbsBarclay
You're correct - the easiest way to do this is via a custom STS that you then configure as an identity provider for your main AD FS server.

To make the experience more fluid to your users, you can customize the web pages to provide the option to log in for external users. This web page could submit the request to your custom STS, receive a token, and then call the SignIn method on the FaultHandlingWSFederationPassiveAuthentication.

Does this answer your question?
Colin Dellow - MSFT
You can have a look at Starter STS - this should get you started quite quickly.

http://startersts.codeplex.com

Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
