User management in passive federation

Question

I have with usage of Windows Identity Framework (WIF) created IP-STS and three separate Relying Parties under the one federation. Federated Single Sing On and Sign Out scenarios work fine. This is prepared as an demo.

What is my problem ?

In production I have to unify 3 different web applications under the on identity roof. Currently all of these applications have different authentication and authorization mechanisms, in data store different set of tables are assigned for specific users etc. For sign on and sign out everything is clear to me. Problem is with creation of new users. Is there any general pattern in these scenarios. Why I am asking this. When you go deeper in this case you can find that is not so simple. For first web app we have a set of fields that have been supported (most of these are some enumerations from DB), from second set of others... So, I need to have all of the data for this process from all Relying parties. How to accomplish this ? One approach is to use set of IFRAMES or something like that ? Also I will need to have new user in each application because of relations tables in separate applications that relies on user entity. It looks to me very complex and I am curios is there any well known pattern for this cases. I am sure that I am not a first who have to unified totally different applications under one identity management.

UPDATED : I have found that this is part of the provisioning management or federated provisioning. Also I have found that it could be realized by SPML protocol that is going hand by hand with SAML protocol. Is there any protocol or point of integration in WIF for these purposes ?

Regards, Rastko

Answer 1

SPML is not supported by ADFS / WIF. SPML is normally provided by an Identity Manager as it is a provisioning protocol. ADFS is a STS not an identity Manager.

WIF does not support SAML - ADFS does.

There is a SAML CTP (a preview) out for WIF - Announcing the WIF Extension for SAML 2.0 Protocol Community Technology Preview.

You could also use other open source products e.g. .NET Oracle OpenSSO Fedlet.

Update

Re. SPML - yes it's possible - it's just a protocol. There is an open source Java library and both open source and commercial for C# e.g. Softerra™ SPML2 Library.

You could have some RP using WIF and some using SAML - it's just a matter of configuration. To have both in the same RP would be difficult.

ForgeRock produces the OpenAM product which does both. It does not have the claims rule language richness of ADFS but works fine. However, configuration can be tricky. ADFS is free if you have the Windows Server license.