Can I use ADFS as a handler of "single point identity" on a public website (+SSO too)?

  • Question

  • Hi Guys,

    I want to implement a public website for public users on the internet. In this project, I want to use many web-based software packages that already exist on the market, like DNN, Joomla, WordPress, eLMS, MailEnable, etc. As the first step I should integrate this software with a unique "identity server". This means this software should work with my "identity server" and not use its local identities.

    For this structure,
    1- I want to use AD together with ADFS as the handler for single point identity and SSO,
    2- and for integrating software with AD (e.g. MS Exchange or MS CRM or SfB), use AD LDS.

    But I have many challenges, like:
    1- AD is not a good solution for a web/public project, and forms-based authentication has a high security risk.
    2- If using AD together with ADFS for the identity server, how can public users on the internet register with this identity server? (I don't want to develop any application for this step.)

    If this scenario is a bad solution for an identity server, please suggest or guide me to a good solution for an integrated identity server for use with a website.

    Wednesday, February 1, 2017 9:10 AM

All replies

  • Why is AD not a good solution?

    ADFS only runs on AD (or an LDAP in ADFS 4.0).

    You can only federate applications that support WS-Fed or SAML 2.0 (and OpenID Connect in ADFS 4.0).

    Your applications need to support this.

    Adding this to ADFS is configuration - no code required.

    Wednesday, February 1, 2017 6:09 PM
  • I completely agree with the above response, but before everything, kindly ensure your application is claims aware and is capable of consuming a SAML token.
    Wednesday, February 1, 2017 7:07 PM
  • Hi nzpcmad1 and SurajitPoddar1,

    Thank you so much for your replies.

    In the last post I got the below comment about this scenario:

    Mahdi Tehrani in this post says:
    "Talking about the possibility, yes it is possible. But you need to consider a couple of things. Firstly, AD is not built in a way to be exposed to the Internet. Secondly, you say you want anonymous users to do self registration on the website. Well, why should you do that? I mean, when you can store them in another DB, why do you want to store them in AD? If you are really OK with security and cost, yes, I believe you can use forms based authentication and send them to AD to authenticate. But creating a portal to handle the task is all on you."
    And for self-registration he says:
    "If you are insisting on using Active Directory within your application, you may need to create a portal with a login page and utilize forms authentication in that. Then pass them to Active Directory and get authenticated. For each task you are interested in (like password reset or ...) you have to write a different workflow, and honestly speaking you really have to spend time on configuring that portal in terms of security and workflows. This is a concept though, and you have to do a lot of things to achieve it."

    And Martin in the same post says:
    "it requires a Client Access License for every computer that is accessing it. Quite expensive for your scenario..."

    What is your comment? I don't know what Mahdi's and Martin's comments mean for using ADFS in this scenario. And I don't know why you don't discuss it. Are these comments true? (Does using AD in this scenario really have a security risk?)

    Wednesday, February 1, 2017 11:25 PM
  • Could someone please answer me? I have been waiting for 10 days. I need this answer. Please help me if you can.
    Friday, February 10, 2017 12:14 PM
  • Hello - This is community based support. You have a better chance of getting an answer if the scenario is clear and the concerns clearly identified.

    SSO in the Active Directory world is provided by Kerberos/NTLM, aka Windows Integrated Authentication. You have nothing to do to achieve SSO internally for Exchange, Skype, CRM... as long as the servers and clients are configured properly.

    Windows Integrated Authentication provides SSO only for domain joined machines, and those machines need to be able to contact domain controllers. So if the users are connecting from their own machine internally, they do not have SSO. If they connect from a domain joined machine but from the internet, since they cannot connect to the domain controllers, they do not have SSO.

    Windows Integrated Authentication provides SSO only for trusted users. Which means that the user account exists in the ADDS forest or in a trusted forest. If the user account is not in a trusted realm, no SSO.

    Now if you wish to develop an application exposed on the Internet, you will not have Windows Integrated Authentication SSO. But you can get some sort of user-agent (aka Internet browser) SSO thanks to cookies. For this you could use ADFS and WAP to publish your application externally. But it means the user account is a part of your ADDS forest or trusted realms.

    What do you do if you want to open the published application to other accounts than the ones you have in your forest? Well, you could:

    • create them an account in your ADDS. But this is a full account. If the user is not intended ever to connect to your ADDS environment, maybe it is a bit too much to create an account there. And the life cycle management of the account is also challenging. Does the account have a vocation to stay there and sit forever?
    • create an account in another database. It could be an AD-LDS instance for example. In that case you no longer create an ADDS account, which is good because it means that the account doesn't have any access to your ADDS resources. And you could use ADFS 2016 to give a means to the user to authenticate against this AD-LDS (or any other LDAP v3 compliant directory). You still have an issue with user provisioning though. You also have an issue IF the application wants the user to be an ADDS user (the case if the application is configured to do only Windows Integrated Authentication). This is why earlier in this thread it has been recommended to make your application "claim aware" instead of "Windows Integrated Authentication". Then you are more flexible.
    • Use Azure B2C and give your users the ability to create an account themselves (that solves a part of the account creation issue). But it also means that the application is "claim aware".

    We can add other comments and other options too; this is not a holistic list, just off the top of my head.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, February 10, 2017 6:01 PM
  • Hi Pierre, and very many thanks for your complete reply. Your answer is the same thing that I was looking for.

    Yes, I know this is community support, but I expect more from Microsoft community support and MS experts :)

    "create an account in another database. It could be an AD-LDS instance for example. In that case you no longer create an ADDS account, which is good because it means that the account doesn't have any access to your ADDS resources. And you could use ADFS 2016 to give a means to the user to authenticate against this AD-LDS (or any other LDAP v3 compliant directory). You still have an issue with user provisioning though. You also have an issue IF the application wants the user to be an ADDS user (the case if the application is configured to do only Windows Integrated Authentication). This is why earlier in this thread it has been recommended to make your application "claim aware" instead of "Windows Integrated Authentication". Then you are more flexible."

    1- The above answer is the best solution for me. But this solution is only usable when users can create an account themselves (like the Azure B2C services). Could you provide me a solution for this problem?

    2- To implement the above solution, I need an application that uses AD-LDS to store the user accounts and is compatible with ADFS 2016. Could you suggest some applications that have this ability?

    Saturday, February 11, 2017 12:45 AM
  • Note that Microsoft also has official support: https://support.microsoft.com/en-us/gp/support-options-for-business As you can see, you can access it through different programs: MSDN, Premier contract, ...

    Regarding your inquiry...

    1. If you are using Azure B2C you don't need an AD-LDS to store your accounts. The accounts will be stored in an Azure AD domain. So then your application has to trust Azure AD as an identity provider. This does not require ADFS, nor ADDS.

    If you want to use your own database to store your users, yes, you can use any LDAP v3 compliant directory service. Microsoft's is AD-LDS. It's a Windows role that you can enable. But you will have to implement all the user lifecycle management in the application. So it is a lot of work ahead.

    2. I think I don't understand the question. You don't need an application which supports AD-LDS as a user repository; you need to build an application. It's your call. You have to do the coding.

    Hope this helps!




    Saturday, February 11, 2017 1:44 AM
  • Hi again, and thank you so much for promoting Microsoft's business.

    1- I don't want to use Azure services in my project, for some reasons like wanting to store our users on-prem. Isn't there any solution for providing self-registration except Azure AD?

    2- If possible, I don't want to develop any application. I prefer using existing software on the market. Isn't there any software on the market that uses AD-LDS or other LDAP v3 compliant directory services?

    Thank you again for your cooperation.

    Saturday, February 11, 2017 8:04 AM
  • Then I am afraid it is no longer an ADFS question.

    There are probably thousands of software packages doing this; it depends why in the first place you want to store the users' information (CRM purposes? Polls? Social? etc...).

    Note that we are far from the original message you posted. I feel that this post is drifting a bit away from SSO and especially from ADFS.



    Sunday, February 12, 2017 12:37 AM
  • My question is about implementing "single point identity" by using ADFS/SSO for my website, which has many services like CMS, LMS, social network, mail, shop, etc.

    First, I understood that using ADFS to get "SSO" and "single point identity" is possible, but it needs an application that, through ADFS, can store users' information in AD-LDS. (And I don't want to develop it.)

    Second, I need this application to exist on the market. Can you help me with that? Because many friends like Mahdi Tehrani say this application doesn't exist on the market and I should develop it, but you say "There are probably thousands of software doing this". Note this: I know each software package has a local identity of its own (except MS products that can use AD/WIA), but I don't want to use it. I want to have a "single point identity" for all the software that I use in my project.

    So, I don't think I am far from the main question.



    Sunday, February 12, 2017 7:37 AM
  • If the application supports claim based authentication you are good to go.

    Cf. the very first answer actually...

    Whatever applications you buy OR code yourself, make sure they are compatible with SAML2 OR WS-Federation OR OAuth2 OR OIDC. Then you can use ADFS for the users' authentication (you still have to manage your users yourself). And you even have SSO IF the user database is AD AND the users connect from domain joined devices.




    Sunday, February 12, 2017 5:11 PM
  • ADFS can only have one repository, so either AD or AD-LDS.

    If you want both you need two ADFS farms which are federated.

    In terms of your dashboard, you need an "Identity Manager".

    There are tons of these, ranging from expensive commercial products to something like OpenIDM.

    Because you want this to write to AD / AD-LDS this has to be hosted internally.

    This rules out something like Azure B2C.

    An option is to use something like Auth0 that has a "service relay" that allows the external service to access AD / AD-LDS without having to punch holes through the firewall.

    Monday, February 13, 2017 6:29 PM
  • nzpcmad1 and Pierre Audonnet, thank you for your cooperation,

    Updated post:

    1- I know that I should find claims-based applications for this project, but I can't find them. Do you know any application that has my requirements?

    2- Are you sure that ADFS supports OAuth2 and OIDC?

    3- About SSO, can't the application in the dashboard position (in the below image) handle it?

    My project's structure is shown in the below image: (Please open it in a new tab to see it properly)

    Note: the application that I need for the dashboard position (in the below image) should work with AD-LDS to store the users' information. (I don't know if this requirement is correct or not, but I feel it should be like this.)

    Monday, February 13, 2017 6:42 PM
  • nzpcmad1,

    1- I want to store users' information in AD, but I don't want AD's schema changed; for this reason, I think I should use AD-LDS. But I don't know how I can have credentials in AD and the other information stored in AD-LDS.

    2- I know OpenIDM. Are you sure this application can work with ADFS and store users' information in AD-LDS or AD?

    3- Yes, my requirement is like the Azure services that have self-registration, but I don't want to use them. Can you suggest some applications that have these features?

    Monday, February 13, 2017 7:16 PM
  • In terms of ADFS, yes you can get other attributes from AD-LDS.

    In terms of OpenIDM, no idea. This forum is mainly for ADFS.

    Have a look around at what Identity Managers are available. I am not aware of any Microsoft based browser products that specifically target this.

    Tuesday, February 14, 2017 12:17 AM
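As an added example (not code from any poster in this thread), here is what Pierre's "AD-LDS behind ADFS 2016" option and nzpcmad1's point about pulling other attributes from AD-LDS look like in ADFS 2016 PowerShell: a local claims provider trust against an AD LDS instance, plus a relying party trust for one claims-aware web application. Hostnames, the container DN, URLs and the account suffix are placeholders, and the AD LDS instance is assumed to already have an LDAPS certificate.

```powershell
# Added illustration, not from this thread. Wires a claims-aware web app to
# ADFS 2016 and ADFS to an AD LDS instance. All names below are placeholders.

# 1. Bind account ADFS uses for lookups in AD LDS (read-only rights suffice).
$ldsCred = Get-Credential -Message "AD LDS bind account for ADFS"

# 2. Use LDAPS (636) rather than plaintext LDAP so the bind credential and the
#    users' passwords never cross the network unencrypted.
$ldsConn = New-AdfsLdapServerConnection -HostName "adlds01.corp.example" `
    -Port 636 -SslMode Ssl -AuthenticationMethod Basic -Credential $ldsCred

# 3. LDAP attribute -> outgoing claim mappings. This is how attributes stored
#    in AD LDS reach the token the application consumes.
$upnMap  = New-AdfsLdapAttributeToClaimMapping -LdapAttribute "userPrincipalName" `
    -OutgoingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$mailMap = New-AdfsLdapAttributeToClaimMapping -LdapAttribute "mail" `
    -OutgoingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameMap = New-AdfsLdapAttributeToClaimMapping -LdapAttribute "displayName" `
    -OutgoingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# 4. Local claims provider trust: ADFS authenticates accounts that live only in
#    AD LDS. Users sign in as name@public.example; ADFS routes that suffix to
#    this directory instead of to AD DS, so no AD DS account is ever created.
Add-AdfsLocalClaimsProviderTrust -Name "Public users (AD LDS)" `
    -Identifier "urn:adlds:public-users" -Type Ldap `
    -LdapServerConnection $ldsConn `
    -UserObjectClass "user" `
    -UserContainer "CN=Users,DC=public,DC=example" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute "userPrincipalName" `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -LdapAttributeToClaimMapping @($upnMap, $mailMap, $nameMap) `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);' `
    -OrganizationalAccountSuffix "public.example" `
    -Enabled $true

# 5. Relying party trust for one claims-aware app (WS-Federation shown; a
#    SAML 2.0 app would use New-AdfsSamlEndpoint with -SamlEndpoint instead).
#    Only the three claims the portal needs are issued; nothing else leaks.
$rules = @'
@RuleName = "Pass UPN, email and name to the portal"
c:[Type =~ "^http://schemas.xmlsoap.org/ws/2005/05/identity/claims/(upn|emailaddress|name)$"]
 => issue(claim = c);
'@
Add-AdfsRelyingPartyTrust -Name "Portal (DNN)" `
    -Identifier "https://portal.public.example/" `
    -WSFedEndpoint "https://portal.public.example/" `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName "Permit everyone"
```

Self-registration is still outside ADFS: something else (MIM, OpenIDM, or your own workflow) has to create the AD LDS objects that this trust authenticates.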
  • My big question remains unanswered: is there really no identity management application on the market that integrates with ADFS and stores users' information in AD / AD-LDS?

    Smile: This forum is for ADFS, and the OpenIDM forum is for OpenIDM. Where should I ask my question about the relation between ADFS and OpenIDM? :\

    Tuesday, February 14, 2017 8:42 PM
  • Does nobody know which software can solve my problem?
    Thursday, February 16, 2017 11:17 PM
  • You can look at this: https://www.microsoft.com/en-us/cloud-platform/microsoft-identity-manager

    • So use ADFS for Authentication and Federation.
    • Configure your apps to trust ADFS.
    • Use MIM to sync/create users/workflows etc. into the type of database you want. And use your apps to leverage those workflows/databases.

    We cannot really go further on this forum. I highly recommend that you share your application design on application design specialized forums.



    Friday, February 17, 2017 8:58 PM