Question

I'm trying to figure out the right architecture from a mix of current .NET authentication/authorization offerings. One question that I haven't been able to find much online information on: What are the benefits of having ThinkTecture IdentityServer 2.0 federate ADFS 2 (which is authenticating domain users using Active Directory credentials), vs having IdentityServer authenticate users against the domain directly?

For my company, I see only 3 possible requirements for ADFS 2, but I'd prefer to avoid installing it if IdentityServer is sufficient (mainly because it's open-sourced, and therefore more readily debuggable, extensible, and understandable):

  1. Claims-based authentication of corporate (Active Directory) users.
  2. Support for Office365 SSO - there are directions for integrating Office365 with ADFS
  3. Federating external (business partner) ADFS services (we don't currently need this, but I'd like to keep the option open)

Is any of this functionality not provided by, or not easily added to, IdentityServer 2.0?


Solution 2

IdentityServer is a really good product but:

  • Only authenticates against SQL not AD
  • Doesn't have SAML support - useful for third party integration e.g. SalesForce
  • No rich claims rules language

which ADFS does for you.

@leastprivilege answered the first - the rest are definitely not trivial to add.

Don't have much experience with Office 365 but it sits on top of Azure Active Directory which can be hooked up with IdentityServer - refer to "Federating IdentityServer with Windows Azure Active Directory".

Other suggestions

Well, IdSrv does not do Windows authentication out of the box. It would be easy to add forms-based authentication for AD users - but Windows integrated (SSO) would be more involved.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow