… is the title of a great post by Vibro that can be found here. This is an important subject, and in all projects where I have used claims and an STS I also wanted the claims on the client. When crafting my own STS (before WIF) I always used the display token to get them from the identity provider (IP, aka the STS), so that seems to be in line with Vibro's thoughts.
Just recently I tried to create a Silverlight application that was supposed to be an active client for an STS (as in the example in the WIF labs), but it failed on the current implementation's requirement to use the https protocol. What I would have wanted was the possibility to encrypt the username token with the public key of the STS in some cases and to use https in other cases, depending on the configuration of the installation. What we ended up with was to use the standard RIA support for authentication, but extending the User object with claims so that the client could hide/show functionality that the server would deny the user anyway. We also chose to use IClaimsPrincipal and IClaimsIdentity on the server side even if the claims are created by the server itself. This will make it easier for us to move to an STS when the tooling for Silverlight becomes a little bit more mature.
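An added example of the setup described above (not code from the original post or from the project it describes): the server mints its own claims into a WIF IClaimsPrincipal, copies them onto the RIA User object so the Silverlight client can hide/show features, and still enforces the decision on the server. It assumes WCF RIA Services and the WIF 1.0 (Microsoft.IdentityModel) API; User.Claims, ClaimsProvider, OrderService and the approval-limit claim type are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;
using System.ServiceModel.DomainServices.Server.ApplicationServices;
using Microsoft.IdentityModel.Claims;
// RIA user object extended with claims ("type|value" strings); the client uses them only for UI.
public class User : UserBase { public IEnumerable<string> Claims { get; set; } }
// Hypothetical local claims source: the server mints its own claims today, so an
// STS-issued token would later replace only this method.
public static class ClaimsProvider
{
    public const string ApprovalLimit = "http://example.com/claims/approvallimit"; // hypothetical type
    public static IClaimsPrincipal PrincipalFor(string userName)
    {
        var identity = new ClaimsIdentity(new[] {                 // constructed sample claims
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Role, "OrderClerk"),
            new Claim(ApprovalLimit, "5000") });
        return new ClaimsPrincipal(identity);
    }
}

[EnableClientAccess]
public class AuthenticationService : AuthenticationBase<User>
{
    // Project the server-side IClaimsPrincipal onto the RIA User sent to the client.
    protected override User GetAuthenticatedUser(IPrincipal principal)
    {
        var claims = ClaimsProvider.PrincipalFor(principal.Identity.Name).Identities.First().Claims;
        return new User {
            Name   = principal.Identity.Name,
            Claims = claims.Select(c => c.ClaimType + "|" + c.Value).ToList() };
    }
}

[EnableClientAccess]
public class OrderService : DomainService
{
    // Hiding the "Approve" button on the client is cosmetic; this server-side check is the gate.
    [Invoke, RequiresAuthentication] public void ApproveOrder(int orderId, decimal amount)
    {
        var principal = ClaimsProvider.PrincipalFor(ServiceContext.User.Identity.Name);
        var limit = principal.Identities.First().Claims.FirstOrDefault(c => c.ClaimType == ClaimsProvider.ApprovalLimit);
        if (!principal.IsInRole("OrderClerk") || limit == null || amount > decimal.Parse(limit.Value))
            throw new UnauthorizedAccessException("Caller may not approve this order.");
    }
}
```

On the Silverlight side the generated User proxy exposes the Claims list, so a view can bind button visibility to it while the domain operation above remains the only real authorization point.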
Does anyone else out there have experience with using WIF and Silverlight? I would love to hear about your experience in that case.