Authenticate against client Active Directories in a Web Single Sign On

StackOverflow https://stackoverflow.com/questions/21532163

Question

I've been scratching my head over this issue for over a week. We have a web app that we would like to implement SSO for. SSO with windows active directories of our clients (i.e. we essentially need to authenticate against our clients' active directories without much trouble)

The only thing I am 100% sure about is that I will needed a security token service that will have to communicate with an Identity Provider. My question:

  • Which service is most suitable for the above scenario (AD FS? OpenID & OAuth 2.0? SAML 2.0 and shibboleth?)
  • How will I connect to the active directories of the clients? Maybe I'm not understanding how the STS is to be used, could anyone clarify? I'm working with an Azure Web App
  • Will there have to be a different IdP for each client? Will the client have to do more than just give us standard information? What would this info be?

...should I be using Windows Identity Foundation?

HELP :( ... this is an SOS

If anyone could clarify at all, I will forever be grateful. I normally upvote anything I find helpful and accept whichever answer is the best so feel free to answer with what you think might be useful in helping me understand how I can achieve what I am after.

Was it helpful?

Solution

These are the three options I know:

As you mention one option is ADFS this solution means that your customers should install and expose Adfs. ADFS means Active directory-Federation Services, so in this case your application needs to speak WS-Fed (not oauth). Typically if the user is inside the LAN adfs uses integrated auth, if not it will prompt credentials.

WAAD is a new service from Azure, it allows companies to expose their directories to use in cloud applications. With this approach your customers need an account in Azure, create a directory and use the dir sync agent. Your application will talk SAMLP with WAAD.

Auth0 is an authentication broker that allows developers to use social but also enterprise identity providers like AD but also google apps, waad, adfs, salesforce, etc. if your customer only has AD you will provide him an msi for a windows service, that will bridge the company AD with your auth0 account, you can have as many AD as you want. Your application speak oauth with Auth0. This agent supports kerberos authentication as well. The following graph explains this solution:

Disclaimer: I work for Auth0.

OTHER TIPS

WIF doesn't support SAML or OAuth.

Your application is in Azure.

Suggest add WIF to the application and then "bind" to Azure Active Directory. In VS 2013, use the "Change Authentication" feature for this.

Make the application multi-tenanted.

Each customer has their own tenant. User DirSync to sync. each customer AD with their AAD tenant. (That gives same sign-on). Adding ADFS to each customer gives single sign-on.

However, the customers will probably push back on this because of perceptions around security.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top