The problem with the Microsoft tools - nordvall/WifExamples GitHub Wiki

There are official tools and Visual Studio plugins from Microsoft to assist with the configuration:

  • For .NET 3.5 and 4.0 there is a tool called FedUtil.exe. The tool is included with the "Windows Identity Foundation SDK".
  • For .NET 4.5 there is a tool called "Identity and Access tool". The tool is available through "Extensions and updates" in Visual Studio 2012.

Both tools work the same way. You run them in the context of an existing Visual Studio project, and they make the following changes:

  • It provides a simple security token service, used to issue tokens in your development environment.
    • The problem with this is that the security token service is set up on a random HTTP port. When you move your application to production, the ADFS servers will use HTTPS ports. In some cases that will require you to change your configuration more than you might think.
  • It alters your web.config/app.config and connects your application to the security token service mentioned above.
    • There are multiple problems with this:
      • It makes decisions about your application that might not be correct, for example configuring your WCF services with HTTP bindings instead of HTTPS.
      • It comments out configuration that is already there and is correct.
  • It creates a file called FederationMetadata.xml in your Visual Studio project and signs it with a certificate. This file is used for automatic configuration of trust relationships, and includes your URLs and certificates.
    • The problem with this is that it creates a static file based on your development configuration. When you move to production the URLs and certificates will not be the same, and because the file is signed with a certificate it becomes invalid if you modify it.
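
A pre-deployment check for the web.config/app.config changes described above, added here as an example and not part of the WifExamples project: it parses the WIF federation settings and flags any issuer, realm or audience URI that is still HTTP or carries an explicit development port, and a requireHttps="false" setting. The element names (wsFederation, audienceUris, requireHttps) follow the .NET 4.5 system.identityModel configuration, and the sample config is constructed.

```python
"""Pre-deployment check: find WIF federation settings that still point at the
HTTP development STS on a random port instead of the HTTPS ADFS endpoints."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample, shaped like a .NET 4.5 web.config after the tool has run.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="http://localhost:12345/" />
      </audienceUris>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation issuer="http://localhost:14567/wsFederationSTS/Issue"
                    realm="http://localhost:12345/" requireHttps="false" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>"""


def check_federation_urls(config_xml):
    """Return (location, value, reason) findings for every federation URL that
    is not HTTPS or still carries an explicit (development) port, plus any
    requireHttps="false". Searching by tag name rather than full path also
    matches the 3.5/4.0 microsoft.identityModel layout (same element names)."""
    root = ET.fromstring(config_xml)
    findings, candidates = [], []
    for aud in root.iter("audienceUris"):
        for add in aud.findall("add"):
            if add.get("value"):
                candidates.append(("audienceUris", add.get("value")))
    for wsfed in root.iter("wsFederation"):
        for attr in ("issuer", "realm"):
            if wsfed.get(attr):
                candidates.append(("wsFederation/" + attr, wsfed.get(attr)))
        if wsfed.get("requireHttps", "true").lower() == "false":
            findings.append(("wsFederation/requireHttps", "false", "HTTPS not enforced"))
    for location, url in candidates:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((location, url, "not https"))
        elif parsed.port is not None:
            findings.append((location, url, "explicit port, likely the dev STS"))
    return findings


if __name__ == "__main__":
    for finding in check_federation_urls(SAMPLE_WEB_CONFIG):
        print(finding)
```

Run it against the config the tool produced before promoting a build; an empty result means every federation endpoint is HTTPS with no leftover development port.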

So my conclusion is that the tool often does more harm than good. It might set up your development environment quickly, but you will have a difficult time moving your application to production later.