Identity and Access Tool

Microsoft Free

Identity and Access Tool for Visual Studio 2012. Use this package to secure your application with claims based identity and accept users from multiple identity providers.

(33) Review
Visual Studio
Download (79,787)
E-mail Twitter Digg Facebook
Add to favorites
Reviews (33)
Q and A (52)
Sign in to write a review
Sort by:

by Zainu | June 20 2015

Thanks and it worked very easily.

by leis-ray | October 09 2014

Works fine to me

by Ed (DareDevil57) | August 14 2014

Thank you

by Aaron [MVP] | January 10 2014

by Amsterdams | November 22 2013

I get this error
{"No version of the CardSpace service was found to be installed on the machine. Please install CardSpace and retry the operation."}

I was trying to implement this

I have both 2012 and 2012 VS installed. Not sure if that is the problem

by Simerjot Kaur | October 11 2013

Unfortunately I have not been able to use the tool get which is very sorry since I really need such a tool. Even in a very simple scenario with a wcf service application and a windows console application when using the adfs it won’t work for me.

When executing the whole i always run into following exception:
{"No version of the CardSpace service was found to be installed on the machine. Please install CardSpace and retry the operation."}

by Vinny Jo | August 29 2013

Using ADFS 2.0. With Claims.... and Framework 4.5 (Mvc 4 project template)
Few issues:
The web.config produced contains issuerNameRegistry\authority and should be issuerNameRegistry\trustedIssuers (Framework 4.5)

the FederationMetadata.xml does not have any details about ds:Signature, KeyDescriptor, fed:ClaimTypesRequested. (can not specified certificate)

Tried Visual studio 2010 (Claim web project template) Add STS Reference option produced the right FederationMetada.xml.

by Mithun_daa | August 13 2013

I ran into the same issue as some of you here where the package was failing to load. Please make sure you close all instances of VS and restart it.

by ytr32323 | July 22 2013

by Srilatha Inavolu - MSFT | June 19 2013

Hi All,

Please run "devenv.exe /ResetSettings" if you have issues with VS loading the package.

If that doesn't work, please try the remaining steps in this post :

Hope this helps,

by shriji1111 | June 05 2013

I found an error with this tool... it seems that it's bug
for more detail you may refer my microsoft forum page

by Quynh H. Nguyen | May 20 2013

by Vittorio Bertocci - MSFT | May 17 2013

Sorry to read that you are having issues with the tool and Update 2.
I have Update 2 on multiple machines and the tool works as expected. If you want us to help troubleshoot, I suggest you use the Q & A tab.

by rjygraham | May 16 2013

+1 for broken in Update 2. Still broken in Update 3 CTP even after an uninstall/reinstall.

by ggobbe | May 14 2013

Not working on visual studio 2012 update 2... The Identify and Access menu (to add an STS Reference) is missing.

by David Donabedian | May 12 2013

Not working with VS2012 Update 2

by Frank Robijn | May 11 2013

This type of extension is very welcome, but the current version is difficult to work with - it might not work at all. Tried to use it on a very simple WCF project, but it complains about a missing certificate. It tells you where to expect it (at C:\Users\...\AppData\Local\Microsoft\VisualStudio\11.0\Extensions\uv2jfeqz.qr2\LocalHost.pfx) and behold - that file exists! Unfortunately there is no information at all on how to solve this type of problem. It's a mess.

by Sergio Parra | April 27 2013

Thanks! nice job!

by Per Ekstedt | April 26 2013

Unfortunately I have not been able to use the tool get which is very sorry since I really need such a tool. Even in a very simple scenario with a wcf service application and a windows console application when using the local development STS it won’t work for me.

I can successfully configure the service application just clicking next and with SAML 2.0 chosen and it seems right even when I make a service reference in the console application to.

When executing the whole i always run into following exception:
{"No version of the CardSpace service was found to be installed on the machine. Please install CardSpace and retry the operation."}

Sometimes the LocalSTS don’t start but I get the error started or not.

Am I alone on this?

by _arash | April 07 2013

Thanks, it's great to see things are improving with identity tool

1 - 20 of 33 Items   
Sign in to start a discussion

  • Identity and Access Context menu entry
    3 Posts | Last post January 21, 2016
    • There is none, even restarting VS2012 did not help.
      Extension manager shows that it is installed.
    • Installed the tool per instructions.
      Initially had a problem with "Identity and Access..." menu showing, but once I changed my project's .NET framework to v4.5, it showed up.  Using VS 2012 Ultimate on Win7.
    • A (positive) suggestion: MS put together some simple one-page samples of ADFS / Azure ACS authentication via WIF.
      Then someone at MS does the same Boogle searches we do, and posts the links to the samples in each forum / blog etc. 
      How does that sound?
  • VS2013
    11 Posts | Last post January 21, 2016
    • Is this built into VS2013, or is there an updating coming?
    • Interested in this as well.
    • I also really need an update to this extension for VS2013, or some documentation on how it's built in.
      Anyone in the same situation might like to try this as a temporary work around:
    • +1 everyone else here. Can we get some feedback on when an updated tool will be available, or if there is a new procedure for handling this?
    • Can someone out there please let us know the situation with 2013???
    • Hi all,
      the Identity & Access tool was shipped out of band as a VSIX in VS2012 given that the timelines did not allow to integrate it in VS2012 itself.
      In VS2013 we added support for claims-based identity directly into the ASP.NET project creation experience (see, hence there are no plans of porting the Identity and Access tool to VS2013.
      We are aware of the fact that as of today the feature set of the two approaches are not 100% equivalent. VS2012 and VS2013 work well side by side, if you depend on functionality only available on the Identity & Access tool we recommend you keep both available until functional parity is reached (see below).
      Here there are some comments on the main differences:
      - Re-entrancy. Right now VS2013 can configure authentication only at project creation time. Re-entrancy is being considered as a feature for a future update
      - ACS support. As detailed in, ACS will not receive further investments hence VS2013 will not support it directly. AS equivalent ACS functionality appears in Windows Azure AD, VS2013 will expose it accordingly
      - Local STS. Support for Local STS didn't make it in VS2013. There are community driven alternatives (see - let us know if those cover your needs or if you really want the Local STS functionality back in the VS2013 tools
      Thank you!
    • So I came to need this app due to downloading the WIF Samples, which requires it. I'm using the WIF samples because .Net 4.5 has rendered 99% of the online documentation for STS useless. But to use 4.5, I'm running 2013. Which doesn't support this tool. Maybe it doesn't matter, since the sample throws errors out of the box due to AspNet compatibility being enabled. The whole situation is just a complete mess.
    • "AS equivalent ACS functionality appears in Windows Azure AD". This is simply not true, there is merely a promise to support all of the scenarios that ACS currently enables. So basically your whole justification is absurd. I should not need to move backwards in visual studio versions to get this working, period.
    • I want to agree with Keith in saying that this whole WIF roadmap and available tools is a complete mess!  The inability to create the most basic of WIF examples in VS 2013 is ridiculous.  As of today there are no online examples on getting this to work, only some cryptic "it's already built in so it makes it easier".  Well if you are coming in brand new, one would assume that there was a "Hello World" example.  No, the only example is for VS 2012, which is different than VS 2013 due to some package renaming!  And, the development tool for VS 2012 doesn't even exist in VS 2013?!  And not to mention the 'how to' for VS 2012 doesn't work with the Identity tool because they made is "stricter" which breaks it completely?  Here is part of the error: "ID8030: The value of the 'type' property could not be parsed. Verify that the type attribute of '<issuerNameRegistry blah blah blah..."  Absolutely rediculous
    • Please, put the local STS feature back. It was very helpful. Also I would like to see support for it in the project creation wizards. At development time, especially in the beginning of projects, STS may not be readily available at all. How about working from home or on the road.
      In general I'd agree with the posts above about the messy story of WIF in VS 2013/.NET 4.5/msdn/Vittorio's book/etc.
      Is there a place where we can we vote for features and fixes?
    • I agree with many others, the whole thing is a heap of fetid dingo's kidneys. 
      It started with the Microsoft.Identity namespace which became System.Identity in the "highly compatible in-place upgrade" 
      The web is full of people struggling to work out the right config settings, is it <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089">
       <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="">
      answer - it depends.
      I've spend days trying to get a simple one page webforms site to authenticate against our ADFS, let alone modifying our existing web app (which started on .Net 1.0 and is now newly upgraded to 4.52.)
      The documentation on MSDN is hopeless, just explaining what the namespaces are, not how to use the damn thing, and the blogs and samples people have kindly posted are from every version (attempt) of WIF, so we spend hours filtering the irrelevant.
      Not everyone has the luxury of starting from scratch (I have, twice, in the past 30 odd years) 
      We all have to maintain / upgrade existing apps and sites.
  • There is no clear test example working with LocalSTS
    2 Posts | Last post September 09, 2014
    • Personally to me, never worked with authentication services before, it's absolutely unclear, how to make this claims authentication work.
      For instance, I have now forms authentication in my MVC application.
      I want to switch to single sign-on.
      I want to start with simple: having LocalSTS only.
      So, I want to submit my form to LocalSTS, gets authenticated and proceed working with my application. I cannot see clear sample, how to do this. Everything is too complicated.
    • "I cannot see clear sample, how to do this. Everything is too complicated."
      Amen and +1 to that brother.
  • Federation Metadata needs authentication
    3 Posts | Last post July 03, 2014
    • Our Federation metadata file needs authentication and in the Identity and Access tool there is nowhere to enter any kind of credentials. In the many examples on the web, never came across one that showed the federation metadata needing any authentication. So is it even normal to have authentication for the metadata?
      I accessed the metadata using postman, copied it locally and tried to add it manually, but the tools says "The root element of a metadata document must be either an EntitiesDescriptor or an EntitiesDescriptor". The file has edmx tags and none of the above root elements. Is the tool showing the error due to an actually invalid metadata file?
      Many Thanks.
    • Never mind. I figured it out. Was given the wrong file/location for the metadata. Sorry I cannot delete my earlier post.
    • Completely agree with other users who are complaining about lack of Identity and Access tool in VS 2013. This just stops us from using open source Identity servers.
  • creates invalid element in web.config
    2 Posts | Last post June 30, 2014
    • When the tool manipulates web.config, it creates an invalid node under <issuerNameRegistry>:
       <authority name="LocalSTS">
                  <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" />
                  <add name="LocalSTS" />
      it should be:
                      <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" />
      Or am I missing something?
    • Have you solved the problem? I'm facing the same issue here, and in addition, the extension didn't create the FederationMetadata.xml file in the project, though it added the following element in web.config:
        <location path="FederationMetadata">
              <allow users="*"/>
      Can someone shed some light on this?
  • Work with older projects converted to VS 2012?
    2 Posts | Last post June 11, 2014
    • Should the Identity and Access Tool be able to work with projects that were converted from VS 2010 to VS 2012 projects?
      When I create a new project in VS 2012, I can see the "Identity and Access" context menu.  However, when I open an older project and migrate it to VS 2012, I don't see the context menu.
      Is there any way to make the "Identity and Access" tool work with these older converted projects, or is the only solution to create a new project and move the source code into it?
    • The Project should be running on .NET framework 4.5 for the menu item to show up. Right click project in solution explorer, click properties and check version and change if required. Restart VS 2012 and the menu should show after that.
  • I can not install Identity and Access Tool
    4 Posts | Last post June 09, 2014
    • Dear Friends,
      I have tried to download and install Identity and Access Tool, but I received this error message when I tried to install it:
      "Installation Failed. The installation was unable to install the extension to all the selected products. For more information, click on the install log link at the bottom of the dialog. This extension is not installable on any currently installed products."
      This is the install log:
      [Not Before]
        1/25/2013 5:33:41 AM
      [Not After]
        4/25/2014 5:33:41 AM
      5/25/2014 10:25:28 AM - 	Supported Products : 
      5/25/2014 10:25:28 AM - 		Microsoft.VisualStudio.Pro
      5/25/2014 10:25:28 AM - 			Version : [11.0]
      5/25/2014 10:25:28 AM - 
      5/25/2014 10:25:28 AM - 	References      : 
      5/25/2014 10:25:28 AM - 		-------------------------------------------------------
      5/25/2014 10:25:28 AM - 		Identifier   : Microsoft.VisualStudio.MPF.11.0
      5/25/2014 10:25:28 AM - 		Name         : Visual Studio MPF 11.0
      5/25/2014 10:25:28 AM - 		Version      : [11.0,)
      5/25/2014 10:25:28 AM - 		MoreInfoURL  : 
      5/25/2014 10:25:28 AM - 		Nested       : No
      5/25/2014 10:25:28 AM - 
      5/25/2014 10:25:28 AM - 
      5/25/2014 10:25:28 AM - Searching for applicable products...
      5/25/2014 10:25:28 AM - Found installed product - Microsoft Visual Web Developer Express 2010
      5/25/2014 10:25:28 AM - Found installed product - Microsoft Visual Studio Ultimate 2013
      5/25/2014 10:25:28 AM - Found installed product - Microsoft Visual Studio Premium 2013
      5/25/2014 10:25:28 AM - Found installed product - Microsoft Visual Studio Professional 2013
      5/25/2014 10:25:28 AM - Found installed product - Microsoft Visual Studio 2013 Shell (Integrated)
      5/25/2014 10:25:28 AM - Found installed product - Global Location
      5/25/2014 10:25:28 AM - VSIXInstaller.NoApplicableSKUsException: This extension is not installable on any currently installed products.
    • Visual Studio 2012 not Visual Studio 2012. See other messages in this thread.
    • Not Visual Studio 2013
    • Thank you steven for your answer :)
  • Windows Azure Active Directory option not working
    1 Posts | Last post February 26, 2014
    • I am following the steps on the webpage ‘How To: Enable WIF for a WCF Web Service Application’
      I have got this working using the ‘Use the Local Development STS to test your application’ option and am now trying again this time selecting ‘Use a business provider (e.g. Windows Azure Active Directory..’ but unfortunately have not been able to get it to work.
      My first problem arises when I try to add my Service Reference Step 2.4.
      At this point I receive the following warning:
      Custom tool warning: Obtaining metadata from issuer '' failed with error 'System.InvalidOperationException: Metadata contains a reference that cannot be resolved: ''. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at that could accept the message.
      If I continue and complete the project when I attempt to run it a Windows CardSpace form appears containing the following message:
      The following error occurred: Incoming policy failed validation
      I initially experienced the same problem when selecting the ‘Use the Local Development STS to test your application’ option and eventually found a solution on this forum.
      I resolved my problem by editing the web.config immediately after completing Step 1, point 6 as follows:
              <binding name="">
                <security mode="Message">
                    <!--issuerMetadata address="https://localhost/adfs/services/trust/mex" /-->
                    <issuerMetadata address="http://localhost:12330/wsTrustSTS/mex" />
      However, despite repeated attempts I cannot find the correct value to put in this element when using Azure. 
      Kind regards,
      Liz Guess
  • Documentation for VS 2013 "organizational accounts"
    1 Posts | Last post February 26, 2014
    • Same as everyone, would like to see this better documented. Vittorio's response is helpful, but roadmap for ASP.NET Identity does not mention the WAAD area.
      At least for now, the configuration done by the "Change Authentication" button seems to be consistent with past documentation. I point to this article for a solid page describing the web.config sections we need to be aware of:
      Been trying to use the WAAD integration since the VS 2013 preview. Admit to being pretty confounded.
  • SvcUtil Unable to obtain Metadata from LocalSTS
    4 Posts | Last post October 31, 2013
    • I've been trying to use both "Add Service Reference" in Visual Studio and SvcUtil to generate the config for a client program from a service which was setup to use the LocalSTS as the IP using the Identity and Access Tool. The issuer address for the client config is "" which I suspect is incorrect.
      When I run SvcUtil against the service I get an error that it is unable to download the metadata from the LocalSTS.  The error is the following:
      Error: Obtaining metadata from issuer 'https://localhost/adfs/services/trust/mex' failed with error
      'System.InvalidOperationException: Metadata contains a reference that cannot be resolved: 'https://localhost/adfs/services/trust/mex'. --->
      System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'. --->
      System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --->
      System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
      I looked in the certificate store and the localhost cert is in the Local Computer Personal store, but not in the Trusted Root Certificates store.  I tried adding it to the Trusted Root Certificates with no change in the results.
      I was just wondering how I could get Add Service Reference and SvcUtil to work so that I could generate my client side configuration?
    • While continuing to investigate this I noticed that the Identity and Access Tool puts an issuer metadata address into the config file of "https://localhost/adfs/services/trust/mex" instead of the correct value of "http://localhost:15196/wsTrustSTS/mex" where 15196 is the port number assigned in the tool.  When I substituted this into the service config and ran Add Service Reference, it generated an issuer address of http://localhost:15196/wsTrustSTS/.
      So there seems to be a bug in the Identity and Access tool that it does not insert the correct issuerMetadata address when the LocalSTS is selected.
    • THANK YOU!  I had this same issue.  I kept getting the "windows cardspace" "Incoming policy failed Validation" error.  This post saved me.   
      The issue I had before this one had to do with the first time I tried to use the Identity and Access extension:
       1. the reference to the Security.IdentityModel.Tokens.ValidatingIssuerNameRegistry wasn't created and I had to find it and add it.
      2. the Config file for the client didn't generate the ws2007 Binding at all.  Even after fixing #1.  I had to manually add it.
      Then, I ran into this issue here... Thank you for posting the fix. :)
    • I passed the same point (finally got rid of that "windows cardspace" thing), but now when I check the value of "OperationContext.Current.ClaimsPrincipal" in my web service, I got null.  What can be the problem?  My gut feeling, once again, tells me that it's probably something in the config files (either web.config for the web services, or app.config for the desktop WPF app which act as a web service client).  
        I realize that for web services I should use WSTrust instead of the older WSFrederation.  But in the web.config for the web service, I still have this:
      <add key="ida:FederationMetadataLocation" value="http://localhost:12053/wsFederationSTS/FederationMetadata/2007-06/FederationMetadata.xml" />
      Can it be a problem?
      BTW, I was following the MSDN tutorial, "How To: Enable WIF for a WCF Web Service Application" (
1 - 10 of 52 Items