Single Sign-On for Active Directory Integrated .NET Application

We have several clients using our web application (it is not an intranet application); some clients want their usernames to be integrated with their organizations' Active Directory. They just want the user to log in to their Windows account and be able to access the web application without entering credentials.

I have read several articles on ADFS, but I am still not sure how to integrate or implement it. Any suggested solutions?

Thanks!

3 answers

If you are developing a .NET-based application, Microsoft provides a library called WIF, which is used to communicate with AD FS in a convenient way (configuration plus a small adaptation of the code to receive the claims from the authentication message provided by AD FS).

There are several protocols that both AD FS 2.0 and WIF support for SSO; the most common are (afaik) SAML 2.0 and WS-Federation. Both are built on XML messages, but you don't need to know the details if you use WIF.

For WS-Federation, the WIF library provides a plug-in for Visual Studio that lets you configure your site as a relying party of AD FS.

You can use the credentials in your database to identify users; you can actually customize the entire AD FS login page and authentication. However, a basic installation requires each user to be defined in your Active Directory. You can also use your database as a claims store (another database used by AD FS to provide relying applications with user information). Please note that if you intend to use AD with AD FS, your AD FS service must have access to it via LDAP queries, which I'm not sure will work for you if your users log in to their local domain, which AD FS is not aware of.


If you are not required to support industry-standard SSO protocols (SAML 2.0, which I mentioned), I'm not sure that implementing AD FS would be such a good solution. It makes you work in a certain way, which is not always convenient.

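The passive WS-Federation exchange that the answer above leaves to the WIF tooling, shown as an added example (this is not code from the answer, from WIF or from AD FS). A multi-tenant relying party has to know which customer's AD FS to send each user to, and has to make sure the token that comes back was issued by that same AD FS. The tenant registry, the endpoints, the issuer identifiers and the realm `https://app.example.com/` are assumed placeholders; `wa`, `wtrealm` and `wctx` are the standard WS-Federation request parameters.

```csharp
// Added example, not code from the thread or from WIF. It shows the passive
// WS-Federation sign-in request a multi-tenant relying party sends to a
// customer's AD FS and how the wctx value round-trips so the response can be
// bound to the tenant and to a per-request nonce. Tenant names, endpoints and
// the realm are assumed placeholders. Compiles on .NET Framework 4.5+ and .NET 6+.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class FederatedTenant
{
    public string Id { get; set; }             // internal tenant key
    public string EmailDomain { get; set; }    // used for home realm discovery
    public string SignInEndpoint { get; set; } // the customer's AD FS passive endpoint
    public string Issuer { get; set; }         // issuer you expect in tokens from that AD FS
}

public static class WsFedSignIn
{
    // Assumed: the realm under which the application is registered on every customer's AD FS.
    public const string Realm = "https://app.example.com/";

    // Assumed tenant registry; in practice this comes from your database.
    static readonly Dictionary<string, FederatedTenant> TenantsByDomain =
        new Dictionary<string, FederatedTenant>(StringComparer.OrdinalIgnoreCase)
        {
            { "contoso.example", new FederatedTenant {
                Id = "contoso", EmailDomain = "contoso.example",
                SignInEndpoint = "https://adfs.contoso.example/adfs/ls/",
                Issuer = "http://adfs.contoso.example/adfs/services/trust" } },
            { "fabrikam.example", new FederatedTenant {
                Id = "fabrikam", EmailDomain = "fabrikam.example",
                SignInEndpoint = "https://sts.fabrikam.example/adfs/ls/",
                Issuer = "http://sts.fabrikam.example/adfs/services/trust" } },
        };

    // Home realm discovery: the domain part of the address the user typed selects the tenant.
    public static FederatedTenant ResolveTenant(string email)
    {
        int at = email.LastIndexOf('@');
        if (at < 1 || at == email.Length - 1) return null;
        FederatedTenant tenant;
        return TenantsByDomain.TryGetValue(email.Substring(at + 1), out tenant) ? tenant : null;
    }

    // wctx is opaque to AD FS and comes back unchanged with the token, so it can carry
    // the tenant id, a random nonce (also kept in the server-side session) and the page
    // to return to. Nothing sensitive belongs in it: it travels in the URL.
    public static string NewContext(FederatedTenant tenant, string returnPath)
    {
        byte[] nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        return tenant.Id + "|" + Convert.ToBase64String(nonce) + "|" + returnPath;
    }

    // The passive sign-in request: wa, wtrealm and wctx are the WS-Federation parameters.
    public static string BuildSignInUrl(FederatedTenant tenant, string wctx)
    {
        return tenant.SignInEndpoint
            + "?wa=wsignin1.0"
            + "&wtrealm=" + Uri.EscapeDataString(Realm)
            + "&wctx=" + Uri.EscapeDataString(wctx);
    }

    // On the POST back (wa=wsignin1.0, wresult=<token>, wctx=<our value>) WIF validates the
    // token signature, audience and trusted issuer from web.config. This extra check ties the
    // response to the tenant the sign-in was started for: a valid token from tenant A's AD FS
    // must not complete a sign-in that was begun for tenant B.
    public static bool ContextMatchesToken(string wctx, string sessionNonce, string tokenIssuer)
    {
        string[] parts = wctx.Split('|');
        if (parts.Length != 3) return false;
        FederatedTenant tenant = null;
        foreach (FederatedTenant t in TenantsByDomain.Values)
            if (t.Id == parts[0]) tenant = t;
        if (tenant == null) return false;
        return parts[1] == sessionNonce
            && string.Equals(tenant.Issuer, tokenIssuer, StringComparison.Ordinal);
    }

    public static void Main()
    {
        FederatedTenant tenant = ResolveTenant("alice@contoso.example");
        string wctx = NewContext(tenant, "/reports");
        string sessionNonce = wctx.Split('|')[1];   // what the session store would keep
        Console.WriteLine(BuildSignInUrl(tenant, wctx));

        // Constructed responses: one from the tenant's own AD FS, one from the other tenant's.
        Console.WriteLine(ContextMatchesToken(wctx, sessionNonce,
            "http://adfs.contoso.example/adfs/services/trust"));  // issuer of the tenant we started with
        Console.WriteLine(ContextMatchesToken(wctx, sessionNonce,
            "http://sts.fabrikam.example/adfs/services/trust"));   // a different tenant's AD FS
    }
}
```

The tooling-generated web.config already covers signature, audience (`wtrealm`) and trusted-issuer thumbprint checks; the tenant binding above is the piece the tooling cannot know about, because it depends on how your application decides which customer a login belongs to.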

Your question does not explicitly indicate whether you are limited to using ADFS to implement single sign-on. ADFS is definitely one way to do it. You can look at OpenID-LDAP (it was at www.openid-ldap.org, but the project is no longer active) and other identity providers as alternatives for implementing single sign-on.

One option is to implement an OpenID provider that uses Integrated Windows Authentication. They can install it in their DMZ, exposing it to the Internet instead of ADFS. It can enable single sign-on in Internet Explorer and Chrome.

Implementing an OpenID provider is a non-trivial matter. You will need to pay close attention to security. Fortunately, there are a number of frameworks, such as DotNetOpenAuth, that can help you.

When using OpenID, your "cloud" application will act as an OpenID relying party and get the claimed identifier, among other attributes, from the OpenID provider. You must store this in your database to uniquely identify the user. You can choose an OpenID provider that can also supply your cloud application with minimal information such as the e-mail address, the person's name, etc.

The advantage of using OpenID is that your cloud application can continue to support other well-known OpenID providers, such as Google and Yahoo, without much change.

In the end, you will need to ask your customers which technologies are convenient for them. You will find that the lack of trust (a business matter) between organizations is most often the problem, not the technology.

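Both answers above end at the same point: the application receives an identity from someone else's provider (claims from a customer's AD FS in the first answer, a claimed identifier from an OpenID provider in the second) and has to map it to a local account. The following added example (not code from either answer, from WIF or from DotNetOpenAuth) shows the mapping keyed on issuer plus a stable identifier, and refuses to key on e-mail, which two different providers can both assert for the same address. The claim type URIs are the standard `System.Security.Claims.ClaimTypes` constants; the issuer strings, SIDs and sample identities are constructed for the example, and the in-memory dictionary stands in for the database.

```csharp
// Added example, not code from the thread. Chooses a stable key for a federated
// user and maps it to a local account. Issuers, SIDs and the sample identities
// below are constructed; the dictionary stands in for the application's database.
using System;
using System.Collections.Generic;
using System.Security.Claims;

public sealed class LocalUser
{
    public int Id { get; set; }
    public string Issuer { get; set; }
    public string Subject { get; set; }
    public string Email { get; set; }
}

public static class FederatedUserMapper
{
    // Claim types that identify a principal stably across logins, in order of preference.
    // E-mail and display name are deliberately excluded: they change and can be reassigned.
    static readonly string[] StableIdClaimTypes =
    {
        ClaimTypes.NameIdentifier,   // SAML NameID, or an OpenID claimed identifier surfaced as a claim
        ClaimTypes.PrimarySid,       // AD objectSID as issued by AD FS
        ClaimTypes.Upn               // userPrincipalName
    };

    // Returns (issuer, subject), or null when the token carries no stable identifier.
    public static Tuple<string, string> StableKey(ClaimsIdentity identity)
    {
        foreach (string type in StableIdClaimTypes)
        {
            Claim c = identity.FindFirst(type);
            if (c != null && !string.IsNullOrWhiteSpace(c.Value))
                return Tuple.Create(c.Issuer, c.Value);
        }
        return null;
    }

    // The "database": keyed on issuer + subject, never on e-mail alone.
    static readonly Dictionary<string, LocalUser> Users =
        new Dictionary<string, LocalUser>(StringComparer.Ordinal);
    static int nextId = 1;

    public static LocalUser FindOrProvision(ClaimsIdentity identity)
    {
        Tuple<string, string> key = StableKey(identity);
        if (key == null)
            throw new InvalidOperationException("token carries no stable identifier; refusing to map by e-mail");
        string dbKey = key.Item1 + "\n" + key.Item2;   // issuer and subject, kept separate
        LocalUser user;
        if (!Users.TryGetValue(dbKey, out user))
        {
            Claim email = identity.FindFirst(ClaimTypes.Email);
            user = new LocalUser
            {
                Id = nextId++,
                Issuer = key.Item1,
                Subject = key.Item2,
                Email = email == null ? null : email.Value   // informational only
            };
            Users[dbKey] = user;
        }
        return user;
    }

    static Claim C(string type, string value, string issuer)
    {
        return new Claim(type, value, ClaimValueTypes.String, issuer);
    }

    public static void Main()
    {
        // Constructed identities: two customers' AD FS instances assert the same e-mail
        // address for different people, and a third token carries nothing but an e-mail.
        const string contoso = "http://adfs.contoso.example/adfs/services/trust";
        const string fabrikam = "http://sts.fabrikam.example/adfs/services/trust";

        var alice = new ClaimsIdentity(new[] {
            C(ClaimTypes.PrimarySid, "S-1-5-21-1111-2222-3333-1105", contoso),
            C(ClaimTypes.Upn, "alice@contoso.example", contoso),
            C(ClaimTypes.Email, "alice@example.org", contoso) }, "Federation");
        var bob = new ClaimsIdentity(new[] {
            C(ClaimTypes.Upn, "bob@fabrikam.example", fabrikam),
            C(ClaimTypes.Email, "alice@example.org", fabrikam) }, "Federation");
        var emailOnly = new ClaimsIdentity(new[] {
            C(ClaimTypes.Email, "alice@example.org", fabrikam) }, "Federation");

        LocalUser ua = FindOrProvision(alice);
        LocalUser ub = FindOrProvision(bob);
        Console.WriteLine("{0} from {1} -> local id {2}", ua.Subject, ua.Issuer, ua.Id);
        Console.WriteLine("{0} from {1} -> local id {2}", ub.Subject, ub.Issuer, ub.Id); // distinct account despite the shared e-mail

        try { FindOrProvision(emailOnly); }
        catch (InvalidOperationException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

With WIF the `ClaimsIdentity` comes from `Thread.CurrentPrincipal` after the federation module has validated the token; with an OpenID relying party the issuer is the provider endpoint and the subject is the claimed identifier. In both cases the point is the same: the local account is bound to who asserted the identity and to an identifier that provider will not reuse, so a second provider asserting the same e-mail cannot take over the account.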

More details in the comments.

There is a good source here: AD FS 2.0 Content Map.

The e-book is here.

I could imagine one scenario in which you bind your cloud application to Azure ACS, your clients install ADFS on top of their AD and federate their ADFS with ACS. This will give you the functionality you need.

Update after comment:

ADFS can only authenticate against AD. It cannot authenticate against a database. It can get attributes from a SQL Server database, which can then be turned into claims, i.e. it can use a SQL DB for authorization.

If you want to authenticate against a SQL DB, you have two options:

  • Create Custom STS
  • Use an existing "custom" STS, such as Identity Server, which allows you to do this.

Source: https://habr.com/ru/post/917913/
