Is it possible to create a new user through ADFS?

I am studying what is involved in setting up single sign-on using SAML and ADFS. A question has come up that I cannot answer and cannot find an answer to anywhere.

Is it possible to perform normal user actions through ADFS? For instance:

  • Can I register new users through ADFS?
  • Can I provide a forgotten password / reset password function via ADFS?

I am embarrassed and feel like I'm barking up the wrong tree!

+4
3 answers

No, AD FS only provides security tokens for Active Directory accounts, providing specific credentials for that account. It does not make any changes to Active Directory anywhere.

No, AD FS does not have a "reset password" function. However, the AD FS sign-in pages can be customized, and password change (AD) functionality can be added by configuring / creating the appropriate ASP.NET pages. Been there, done that. Sorry, I cannot share this code.

(This answer only applies to AD FS 2.0, I'm not sure about AD FS 1.0.)

+4

@Marnix is correct - ADFS is an "access manager", not an "Identity Manager".

Since you can customize the pages, there is nothing that would prevent you from creating your own provisioning pages or adding links to a provisioning system.

Word to the wise: the "standard" ASP.NET provisioning pages for a SQL database won't help you. ADFS authenticates only against AD. You need to use AD membership.

In addition, for internal users who log onto their desktop with WIA and get SSO behind the scenes in ADFS, you get the standard password functionality, e.g. password expiry, change password, etc.
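The point above about AD membership, illustrated as an added example (not from the answer's author): a custom ASP.NET password-change page on an AD FS server should be backed by `ActiveDirectoryMembershipProvider` rather than the default `SqlMembershipProvider`, so that the `ChangePassword` control actually changes the Active Directory password. Host name, connection string name, and domain below are placeholders.

```xml
<!-- web.config fragment; the SqlMembershipProvider block shows the setting that
     does NOT help with AD FS, the ActiveDirectoryMembershipProvider block the one
     that does. Server "dc01.example.com" and "DC=example,DC=com" are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- LDAP path of the domain the AD FS users authenticate against (placeholder) -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.example.com/DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Wrong for AD FS: stores and changes passwords in a SQL aspnetdb, not in AD.
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer" />
      </providers>
    </membership>
    -->
    <!-- Correct for AD FS: password operations go to Active Directory over LDAP. -->
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <clear />
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false"
             enablePasswordReset="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With this in place a `<asp:ChangePassword>` control on the custom page calls the AD provider, so the password change is subject to the domain's password policy; `enablePasswordReset="false"` keeps the provider from exposing a reset path, matching the answer's note that AD FS itself has no reset function.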

+2

In addition to this: Microsoft has another product that integrates with ADFS (and other authentication mechanisms) called Forefront Identity Manager, which provides password reset / user self-service, as well as account creation through delegated rights. All of this via a web interface.

I think this is what you are looking for.

However: ADFS itself is just a tool for securing federation and single sign-on, so it exists for authentication / delegation, not for management.

0

Source: https://habr.com/ru/post/1399226/
