Can ADFS 3.0 delegate authentication to a non-ADFS identity provider through a federation trust relationship?
Yes. We see customers regularly interop with multiple identity providers. These span across traditional federation vendors as well as cloud IdPs and cloud SaaS apps.
Check out http://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-content-map.aspx#Interoperability_with_Non-Microsoft_Products. Some of the content is old, but the concepts are pretty much the same.
Thanks // Sam (#MrADFS)
I am migrating a public website away from ASP.NET Membership. My plan so far has been to use ASP.NET Identity with Entity Framework and SQL provider. However before doing this work, I am considering other options including Azure Active Directory for authentication management. What are the pros and cons of using Azure AD compared to ASP.NET Identity?
That all depends on your requirements.
Maintaining your own identity system gives a higher degree of freedom; you could adjust the identity system on the basis of detailed application requirements.
Azure AD is a multi-tenant, cloud-based directory and identity management service. It lets you focus on building your application by making it fast and simple to integrate with a world-class identity management solution used by millions of organizations around the world. If the requirement is implementing Single Sign-On (SSO) using on-premises identity, cloud-only identity, or federation (or authentication) against cloud SaaS applications, you can take advantage of AAD. Please click here for an introduction to Azure AD.
I understand that the use of Azure B2C and ADFS together is not supported.
What are my options if I need both Facebook/Google for customers and ADFS for partners?
I know creating my own STS using IdentityServer, and federating to Azure B2C or ADFS, would be an option, but then again - building my own STS is what I hope to avoid.
Regards
Larsi
UPDATE
B2C can federate with ADFS. Follow the B2C MSDN doc to federate.
OLD ANSWER
B2C at the moment does not allow federation to other STS.
Also it only supports OpenID Connect which is only available on ADFS 4.0 - Server 2016.
You can get this working by using IdentityServer as a bridge. Hook ADFS up via federation and B2C up via OIDC. Note that B2C uses an OAuth extension for the policies so you need some custom code in Identity Server to support this.
You can also use ACS and federate this with ADFS. (Although ACS will be deprecated "soon").
Refer to: Azure B2C: Integration with IdentityServer
Or use a third party tool e.g. Auth0 as above.
Auth0 has tons of social providers!
This use case is trivial if you use Auth0.
Your app --> Auth0 -+-> Social logins (FB, Google, etc)
                    |
                    +-> ADFS Customer 1
                    |
                    +-> ADFS Customer 2
DISCLAIMER: I work there.
I've been reading a lot about OpenID and OAuth but having trouble making just a few connections about how they would work in a service-based architecture.
Here's my scenario:
I'm writing new ASP.NET Web API services (RESTful/JSON)
These services will be used by client applications (current desktop website, new mobile website, and possibly a PHP website or JavaScript-only client in the future)
Our desktop website currently uses ASP.NET Membership Provider (webforms)
The new set of API services we are creating should handle everything, including Authentication and Authorization.
My questions are:
Since we have explicit control over the client applications accessing our API (i.e. this isn't a public API but rather one for integrating approved partners) do we necessarily need OAuth?
Would OpenID replace our .NET Membership functionality, or complement it?
Given that we would need to authenticate users with the legacy system using Membership Provider, do we need to use some sort of .NET Membership OpenID Provider, or do we just authenticate as usual and grant the user a Membership Token like we currently do?
I guess, in summary:
I'm writing some new services
They should be usable by ANY approved client application, for users of that client application
We need to continue to support our .NET Membership data
Sorry these are basic questions but I'm sure they're easily answered. Thank you!
Look at ThinkTecture's Identity Server
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
It uses repository patterns for user stores, and uses the default membership provider as the user store - you would be able to easily plug in your legacy membership provider.
OpenID connect would work on top of your membership provider, and you'd enable the option to only allow registered relying parties - meaning that only your approved clients (applications) would have access.
This seems like a perfect fit - hope this helps.
Matt
We manage a website that runs of the .NET 4 framework and we need to implement SAML 2.0 to support single sign on. We do not wish to run Active Directory federation services as all user accounts are stored in a SQL server. What do I need to consider when developing a single sign on service whereby we are the identity provider?
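As an added example (not from the thread or any vendor), the following shows the conditions a SAML 2.0 assertion from a SQL-backed identity provider must carry, and the checks the service provider has to apply before trusting the NameID. Entity IDs and endpoints are constructed sample values, and the XML signature a real IdP must add is left as a labelled placeholder (it needs an xmlsec library, which the standard library lacks).

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
NS = {"saml": SAML}
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample entity IDs / endpoints, not taken from the thread.
IDP_ID, SP_ID = "https://idp.example.test/saml", "https://sp.example.test/saml"
ACS_URL = "https://sp.example.test/saml/acs"

def tag(name): return "{%s}%s" % (SAML, name)
def iso(t): return t.strftime(FMT)
def parse(s): return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def build_assertion(email, in_response_to, now, lifetime_sec=300):
    """IdP side: emit the conditions that bound replay, relay and audience."""
    later = iso(now + timedelta(seconds=lifetime_sec))
    a = ET.Element(tag("Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=iso(now))
    ET.SubElement(a, tag("Issuer")).text = IDP_ID
    # PLACEHOLDER: a real IdP inserts an enveloped <ds:Signature> here (xmlsec library needed).
    subj = ET.SubElement(a, tag("Subject"))
    ET.SubElement(subj, tag("NameID"), Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = email
    sc = ET.SubElement(subj, tag("SubjectConfirmation"), Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, tag("SubjectConfirmationData"), InResponseTo=in_response_to, Recipient=ACS_URL, NotOnOrAfter=later)
    cond = ET.SubElement(a, tag("Conditions"), NotBefore=iso(now), NotOnOrAfter=later)
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = SP_ID
    return ET.tostring(a)

def validate_assertion(xml_bytes, expected_request_id, now, skew_sec=60):
    """SP side: every check must pass (after signature verification) before NameID is trusted."""
    a = ET.fromstring(xml_bytes)
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    skew = timedelta(seconds=skew_sec)  # tolerated clock difference between IdP and SP
    ok = (a.findtext("saml:Issuer", namespaces=NS) == IDP_ID
          and cond is not None and scd is not None
          and parse(cond.get("NotBefore")) - skew <= now < parse(cond.get("NotOnOrAfter")) + skew
          and SP_ID in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
          and scd.get("InResponseTo") == expected_request_id  # ties it to our own AuthnRequest
          and scd.get("Recipient") == ACS_URL
          and now < parse(scd.get("NotOnOrAfter")) + skew)
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS) if ok else None

def demo(check_offset_sec, check_request_id):
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed instant
    xml = build_assertion("alice@example.test", "_req1", issued)
    return validate_assertion(xml, check_request_id, issued + timedelta(seconds=check_offset_sec))
```

The `demo` helper issues an assertion at a fixed instant and validates it later, so the expired, early and mismatched-request cases can be exercised offline.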
I work with SiteMinder Federation Services (SMFSS) and Federation Manager for CA. Are you planning on also doing Authorization for the SP based on attributes? Do you have an Authorization SSO solution already? If so, what is it? If it is SiteMinder, then the fastest, easiest to implement solution would be SMFSS. Aside from ServletExec and Java JDK bugs, which are pretty much fixed up now, I can get customers who have never used Federation up and running in a day for a SAML 2.0 POC. So, if you do have SiteMinder I would give that a try and I am sure you will be quite pleased. If not, we also have Federation Manager, which can run as a proxy into your site or not. We have customers who do things such as use the SiteMinder access logs to charge users a certain charge per access to SP sites. We have the attribute authority so that if you want to provide Authorization based on user attributes you can do that. If SMFSS is on the SO side you can just have the attributes stored on the SPO side's session store. Can you tell more about your use case? When SiteMinder was originally created one of the use cases was for SSO between different web servers, etc.
Let me know if I can help with any follow up questions and have a splendid day!
Thanks!
Crissy Krueger Stone
CA SiteMinder Support
Based on your initial requirements, you should take a look at PingFederate from Ping Identity [Note: I do work for Ping Identity]. It can support multiple databases and directories simultaneously as well as provide multi-protocol support in both an IDP and SP role. We can also support different development languages you may have beyond .NET.
HTH - Ian
We have ADFS 2.0 running and have federated with various STS.
Is it possible to federate with Windows Live, OpenID and Facebook?
Some of our users already have these types of credentials and it would be a bonus to be able to use them.
If so, what URL would be used for the federation metadata address in the "Add Claims Provider Trust" wizard?
Any other gotchas?
ADFS doesn't natively support the protocols of those IP-STSs (with the possible exception of Windows Live). You'll need to put an FP-STS that understands those protocols (e.g., PingFederate) between ADFS and them.
We have been investigating this question a lot.
It seems that the best setup is to use ACS in combination with AD FS 2.0 as described in this article.
This setup also enables claims transformation, for example, if you want to add the corporate customer number as a claim.
We have not yet seen any examples where you can connect AD FS 2.0 directly to Facebook however.
Yes. There is no direct way to get the claims from ADFS; you need to configure ACS and set ACS as an identity provider to ADFS.
But the token validity for ACS is 24 hours at most, so you need to be happy with short-lived tokens for social ID providers.