I have a few MVC applications that are still in development and use Forms authentication with SimpleMembership to register and authenticate users. These applications use the same database, and I have foreign keys all around to the UserProfile table from SimpleMembership. Recently I decided to give federated security a shot just to get SSO without reinventing the wheel, but there are a few things I am confused about.

Should I set up Identity Server to use same database as my applications? (Then I could somehow put userID in claims or something, so I know how to get information from other tables for this user, is this correct?)

How is normal forms registration done when using federated security? (I am thinking that registration could be done in any application, inserting rows in the tables which Identity Server uses, or adjusting the STS to use the SimpleMembership tables for authentication. Is this correct?)

Is it possible to authenticate users from each individual RP (MVC application) and still get SSO without redirecting the user to the STS? (Somehow with internal HTTP requests?)

What happens when the STS fails? Are users then unable to log in to any application? Is there any solution to this?

formatc

1 Answer

Should I set up Identity Server to use same database as my applications?

If you want to, you can.

How is normal forms registration done when using federated security?

This is up to you and (currently) outside the realm of IdentityServer.

Is it possible to authenticate users from each individual RP (MVC application) and still get SSO without redirecting the user to the STS?

Not really -- SSO via the browser is all about doing redirects back to the IdP because the user is logged into the IdP via the browser. Only when the IdP is confident of the user's identity will it then issue a token to the RP.

What happens when the STS fails? Are users then unable to log in to any application? Is there any solution to this?

The STS is a critical part of your enterprise, so you want to do everything you can to ensure it's up.

Brock Allen
  • Thank you for your answer; the lack of examples is a real pain. It seems like you know this stuff. Since this is cross-domain, is it required to have an SSL cert for each domain or just for the STS? – formatc May 30 '13 at 20:13
  • You need SSL on all sites. I mean - only if you care about data protection on the wire of course ;) – leastprivilege May 30 '13 at 20:38
  • @leastprivilege Well, that kind of sucks, but oh well. Would it then be safe to have a form with username/PW and buttons for web identity logins on the RP and redirect the POST form to the STS? I would like to make it easy for users to log in. – formatc May 30 '13 at 20:57
  • @Unavailable you could dynamically configure homeRealm to tell the FP what your user chose in your UI. This way the user sees their provider without knowing that they first went to the FP. – Leblanc Meneses Jan 13 '14 at 23:19
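The first two questions (how the RP finds its own UserProfile row for a federated user, and where registration happens) come down to one RP-side decision: what key joins the STS's token to the local table. The example below is added here and is not code from the question, the answer, or IdentityServer; it assumes a hypothetical UserProfile shape with added Issuer and Subject columns and an in-memory list standing in for the table. It keys on the issuer plus the NameIdentifier claim, because user names and e-mail addresses can change or be reassigned, and it provisions the local row on first sign-in rather than requiring a separate registration step.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical local UserProfile row (stands in for the SimpleMembership table).
public class UserProfile
{
    public int UserId { get; set; }
    public string Issuer { get; set; }   // which STS vouched for this user
    public string Subject { get; set; }  // stable NameIdentifier claim issued by that STS
    public string DisplayName { get; set; }
}

public static class FederatedUserMapper
{
    // Constructed in-memory stand-in for the UserProfile table.
    private static readonly List<UserProfile> Profiles = new List<UserProfile>
    {
        new UserProfile { UserId = 7, Issuer = "https://sts.example.test", Subject = "a1b2c3", DisplayName = "alice" }
    };

    // Returns the local UserId for an authenticated principal, provisioning a row on first sign-in.
    // Joining on issuer + subject (not name or e-mail) prevents one user inheriting another's rows.
    public static int ResolveLocalUserId(ClaimsPrincipal principal)
    {
        Claim subject = principal.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null || string.IsNullOrEmpty(subject.Value))
            throw new InvalidOperationException("Token carries no stable subject claim; refusing to map it.");

        UserProfile row = Profiles.FirstOrDefault(p => p.Issuer == subject.Issuer && p.Subject == subject.Value);
        if (row == null)
        {
            // Just-in-time registration: the first token from this subject creates the local row.
            row = new UserProfile
            {
                UserId = Profiles.Max(p => p.UserId) + 1,
                Issuer = subject.Issuer,
                Subject = subject.Value,
                DisplayName = principal.FindFirst(ClaimTypes.Name)?.Value ?? "unknown"
            };
            Profiles.Add(row);
        }
        return row.UserId;
    }

    public static void Main()
    {
        // Constructed principal: same subject as the stored row, but a changed display name.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "a1b2c3", ClaimValueTypes.String, "https://sts.example.test"),
            new Claim(ClaimTypes.Name, "alice-renamed", ClaimValueTypes.String, "https://sts.example.test")
        }, "Federation");
        Console.WriteLine(ResolveLocalUserId(new ClaimsPrincipal(identity))); // 7: still the existing row
    }
}
```

Foreign keys elsewhere in the database keep pointing at UserId, so the rest of the application does not need to know which STS the user came from.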