Question

I wanted to find out if ADFS2.0 provides a way for users to be authenticated with a Custom Store? In version 1.0 you could only authenticate users in the Windows domain, using Forms/Windows Integrated/Cardspace. I have an ASP.NET website, which I would like the users to be authenticated against a custom store in SQL and then ADFS2.0 to take care of the claims issued to the user...


Solution

That's not entirely true. While in its default form, ADFS v2.0 only allows you to authenticate against Active Directory, there is a hybrid approach. You can set the authentication type to forms (modify the Web.config file of the ADFS server in the \inetpub\adfs\ls directory).

Once set to forms, you can actually customize the ADFS signin page (FormsSigninPage.aspx) to do whatever custom authentication you want. Once the authentication passes, the rest of ADFS will pick back up where you left off.

Here's an article showing how to do exactly that: Customizing the ADFS Signin Pages

OTHER TIPS

(Information duplicated from another answer of mine, since the same answer applies here.)

The solution that is suggested in another answer to this same question is a bit misleading. If you read the actual blog post you see that they add an extra STS. AD FS 2.0 has a 'Claims Provider Trust' for that other STS, and redirects to it (if the 'home realm discovery' is set up correctly). That other STS then performs the authentication in whichever way it likes, sends a token back to AD FS, which then runs its claim rules.

So in that solution it is not AD FS 2.0 authenticating against an alternative store, but redirecting to an STS which authenticates against that store.

AD FS 2.0 itself does not allow authentication against a custom authentication store. (See this answer of mine for the official documentation at this point.)
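The claims provider trust arrangement described in the answer above, sketched as an added example (not part of the original answers or the linked blog post). The trust name, metadata URL and e-mail domain are placeholders; the acceptance rules let through only the claim types the custom STS is meant to be authoritative for, so the SQL-backed STS cannot assert arbitrary claims into AD FS.

```powershell
# Added example: register a custom STS (which authenticates against the SQL store)
# as a claims provider trust in AD FS 2.0. Run on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell

# Placeholder values (assumptions, replace with those of your own STS).
$trustName   = 'Custom SQL STS'
$metadataUrl = 'https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Acceptance transform rules run on the token the custom STS sends back,
# before AD FS applies the relying party's claim rules.
# Only two claim types are accepted; everything else in the token is dropped.
$acceptanceRules = @'
@RuleName = "Accept name identifier from custom STS"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleName = "Accept e-mail only for the expected domain"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
   Value =~ "(?i)@example\.com$"]
 => issue(claim = c);
'@

Add-ADFSClaimsProviderTrust -Name $trustName `
                            -MetadataUrl $metadataUrl `
                            -AcceptanceTransformRules $acceptanceRules

# Review what was stored, including the signing identity taken from the metadata.
Get-ADFSClaimsProviderTrust -Name $trustName |
    Select-Object Name, Identifier, Enabled, AcceptanceTransformRules
```

With this in place AD FS still never checks the SQL credentials itself; it trusts the signed token from the other STS and filters its claims.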

ADFS 2.0 can only authenticate users in Active Directory. It can retrieve attributes from other stores (SQL, LDAP, custom), but not for authentication.

You might want to look at StarterSTS (http://startersts.codeplex.com/) as an alternative.

Eugenio

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow