Programming with Windows Identity Foundation How it works... The core idea behind making an ASP.NET MVC 3 Web Application to extend itself and behave as an STS is to create a Model Binding that allows the Controller method to process WS-Federation Passive Requestor Profile messages and create SignInResponseMessage ( Microsoft.IdentityModel.Protocols.Federation ). This is achieved by creating the WSFederationMessageModelBinder class inherited from IModelBinder . The BindModel method creates the WSFederationMessage object using the WSFederationMessage.CreateFromUri method. The Authorize attribute in the Controller method checks for the incoming claims principal and allows access to the view based on the role specified in the attribute. There's more... The Authorize attribute can be inherited to provide a custom implementation for explicit validation of incoming claims using the custom rules. FederatedPassiveSignIn Control for ASPX View Engine If you are using ASPX as the View Engine, the WIF SDK provides the FederatedPassiveSignIn control, which can be used for the federated sign-in and sign-out requests. More information on this can be found at http://msdn.microsoft.com/en-us/library/ee517286.aspx . See also