All geek questions in one place

What is the best approach to SSO with internal AD users and external users?

We have a web application (asp.net mvc 3) that should support SSO for internal use through AD. We also have a large community of external users that we want to have SSO for all of our web applications. for example: external_user1 accesses webappA, webappB and webappC all with the same name. In addition, the domain \ user1 has access to all three webapps. we plan to use WIF and ADFS 2.0.

We don’t want to have AD accounts for all external users, so in the past we could try the solution with ADFS 1.x and ADAM. however, we are on Windows Server 2008 R2, and ADFS 2.0 cannot use AD LDS (ADAM successor) to authenticate users.

What is the SSO approach (using Microsoft products)?

+6
source share
4 answers

The key question is: can you use the external_user1 account store or not. If you can, then you just need to add another trust between your ADFS and their STS, and you're done! This approach would be ideal, because then you would no longer need to support external_user1. Essentially this:

enter image description here

If you cannot use user accounts, then you can still use ADFS v1.1 and trust yourself:

enter image description here

+5
source

Failed to create a custom STS that allows authentication with ADAM and has trust with ADFS v2.0?

+2
source

In addition to Eugenios, answer, you should learn Microsoft Azure ACS. This will give you a federation of Gooogle, Facebook, Yahoo and other OpenId providers.

Your authentication chain will look like this:

Your application β†’ ADFS β†’ Active Directory or your application β†’ ADFS β†’ ACS β†’ Google.

Find the ADFS tag on this site and you will find many related posts.

+1
source

Although this question was for ADFS 2.0, in which LDS was disabled as an identity provider, it looks like it will be re-introduced in ADFS 4.0

https://technet.microsoft.com/en-us/library/dn823754.aspx

https://jorgequestforknowledge.wordpress.com/2014/10/20/configuring-a-new-identity-store-as-a-claims-provider-in-adfs/

0
source

Source: https://habr.com/ru/post/890194/

More articles:


All Articles