3

I want to build an application that works independently with any of the identity providers (ADFS, OpenAM, Oracle Identity). My purpose is to validate the logged-in users from any one of the IdPs, whichever is configured, to implement my SSO.

I am not sure which of DotNetOpenAuth 2, OAuth.net and Microsoft.Owin.Security.OAuth is the right choice.

Please help me move in the right direction.

Many Thanks

user2724058
  • 318
  • 5
  • 20

2 Answers

3

None of those libraries will help you with those products.

  • ADFS implements WS-Fed or SAML Protocol
  • Oracle Identity Federation implements SAML Protocol
  • OpenAM implements SAML Protocol

The libraries you mention implement:

  • DotNetOpenAuth: OAuth 1.0a and OAuth2, or OpenID
  • OAuth.Net: OAuth2
  • Microsoft.OWIN.Security.OAuth: OAuth.

The best way to address this challenge is to build an intermediary service between your applications and these identity providers.

There are a couple of options:

  • Use Microsoft ADFS as an intermediary. This would require setting up a server with ADFS, and you would only support SAMLP / WS-Fed (Oracle Identity supports that).
  • Use Microsoft Windows Azure ACS as an intermediary. This is a service provided by Windows Azure. It would support only connecting with ADFS and some social providers (Google, Facebook and Windows Live), but not SAML providers like Oracle/OpenAM.
  • Use a service like Auth0. This is a service provided as an add-on on the Windows Azure Store. It supports enterprise identity providers (like ADFS, any SAML Protocol provider or Windows Azure AD), social providers (Google, Facebook, Twitter, GitHub, LinkedIn, Windows Live, etc.) and even connecting it with your own database, and handles one authentication scheme for all, including flowing the identity to APIs if you have any.

Disclaimer: I work for Auth0

Hope this helps, Matias

woloski
  • 2,863
  • 16
  • 14
  • I think the future is OAuth, and the following services now support OAuth 2.0: ADFS 2012 R2, the new version of OpenAM, and Oracle; social sites also support OAuth. I just want to support non-social IdPs, so should the intermediate service you mentioned be web based or a web API, and what type of information will this service contain? – user2724058 Dec 30 '13 at 14:04
  • It's true that there is a tendency towards simpler protocols like OAuth2. But SAML will stay strong since lots of companies have adopted it. And also, OAuth2 is a protocol with multiple implementations (the same OAuth2 implementation that you use to connect to Facebook won't work for Google, for instance). If you want to support non-social IdPs then most of them will use SAML. Implementing this intermediary service is not trivial, that's why I recommend using a product/service. – woloski Dec 31 '13 at 12:09
  • ADFS 2012 R2 supports OAuth 2.0, the new versions of OpenAM and Oracle Identity also support OAuth 2.0, and all the social sites now support OAuth 2.0. My point was: are there any APIs available that are built on the complete OAuth 2.0 RFC, so that we can use them to support all the non-social IdPs? – user2724058 Dec 31 '13 at 13:49
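To make concrete what the intermediary in the answer above has to do (and why it is "not trivial"), here is an added example that is not part of the original thread or of any of the products named in it. It shows the core of a SAML-to-OAuth2 broker: the checks a SAML 2.0 service provider must apply to an incoming assertion from an IdP such as ADFS, OpenAM or Oracle (status, exactly one assertion, trusted issuer, validity window with clock skew, audience, recipient, binding to an outstanding request ID, replay cache), and then the minting of the broker's own short-lived token for the OAuth2 side, so applications only ever talk OAuth2 to the broker. All URLs, the configuration, the signing key and the SAML response are constructed for the example. The one thing it assumes rather than performs is the XML-DSig verification of the assertion against the IdP's metadata certificate, which needs an XML signature library (signxml, xmlsec) and must run before these checks; the example only refuses unsigned assertions. HS256 is used so the block runs with the standard library alone; a real broker would issue RS256 tokens through a proper OAuth2/OIDC library.

```python
import base64, hashlib, hmac, json, re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed broker configuration: the IdP entityID we trust, our own SP entityID (audience) and ACS URL.
CONFIG = {"trusted_issuers": {"https://idp.example.com/adfs/services/trust"},
          "audience": "https://broker.example.com/saml/sp",
          "acs_url": "https://broker.example.com/saml/acs", "clock_skew": 60}
KEY = b"demo-only-broker-signing-key"  # constructed; a real broker signs with RS256 and a managed key

# Constructed SAML response (not captured from any real IdP); the Signature element is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" Version="2.0"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42" IssueInstant="2013-12-30T14:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-12-30T14:00:00Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
        InResponseTo="_req42" Recipient="https://broker.example.com/saml/acs" NotOnOrAfter="2013-12-30T14:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2013-12-30T13:59:00Z" NotOnOrAfter="2013-12-30T14:05:00Z"><saml:AudienceRestriction>
      <saml:Audience>https://broker.example.com/saml/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

@dataclass
class BrokerState:
    outstanding: set  # AuthnRequest IDs we issued and have not consumed: binds each response to our request
    seen: set         # assertion IDs already accepted: replay cache (give it a TTL in production)

def _require(ok, msg):
    if not ok:
        raise ValueError(msg)

def parse_instant(s):  # SAML xs:dateTime in UTC, fractional seconds allowed -> epoch seconds
    return datetime.strptime(re.sub(r"\.\d+Z$", "Z", s), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def validate_assertion(xml_text, config, state, now):
    """Checks a SAML 2.0 Web SSO service provider must make; raises ValueError on the first failure."""
    root = ET.fromstring(xml_text)  # in production parse with defusedxml to block entity-expansion attacks
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(status is not None and status.get("Value") == "urn:oasis:names:tc:SAML:2.0:status:Success",
             "IdP did not report success")
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, "expected exactly one assertion")
    a = assertions[0]
    # Assumption: the XML-DSig was already verified (e.g. with signxml) against the IdP's metadata certificate.
    _require(a.find("ds:Signature", NS) is not None, "assertion is unsigned")
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    _require(issuer in config["trusted_issuers"], f"untrusted issuer {issuer!r}")
    skew, cond = config["clock_skew"], a.find("saml:Conditions", NS)
    _require(cond is not None, "missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    _require(not (nb and now + skew < parse_instant(nb)) and not (noa and now - skew >= parse_instant(noa)),
             "assertion outside validity window")
    audiences = {e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    _require(config["audience"] in audiences, "assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _require(scd is not None and scd.get("Recipient") == config["acs_url"], "wrong Recipient")
    _require(now - skew < parse_instant(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")), "subject confirmation expired")
    _require(a.get("ID") not in state.seen, "assertion replayed")
    _require(scd.get("InResponseTo") in state.outstanding, "unsolicited or already-consumed response")
    state.outstanding.discard(scd.get("InResponseTo"))
    state.seen.add(a.get("ID"))
    return {"subject": a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(), "issuer": issuer}

_b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_access_token(claims, key, now, ttl=300):
    """The broker's own short-lived HS256 JWT for the OAuth2 side; the IdP's assertion never leaves the broker."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = {"iss": "https://broker.example.com", "sub": claims["subject"], "iat": int(now), "exp": int(now) + ttl}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}." + _b64url(hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest())

def verify_access_token(token, key, now):
    """Resource-server side: algorithm fixed (never read from the header), constant-time MAC compare, expiry."""
    header, body, sig = token.split(".")
    expected = _b64url(hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest())
    _require(hmac.compare_digest(expected, sig), "bad token signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    _require(now < payload["exp"], "token expired")
    return payload

def demo():
    """Run the broker over the constructed response and a few tampered scenarios; returns the outcomes."""
    now, fresh = parse_instant("2013-12-30T14:01:00Z"), lambda: BrokerState({"_req42"}, set())
    def attempt(config, state, at):
        try: return validate_assertion(SAMPLE_RESPONSE, config, state, at)
        except ValueError as exc: return str(exc)
    state = fresh()
    claims = attempt(CONFIG, state, now)
    token = mint_access_token(claims, KEY, now)
    return {"subject": claims["subject"], "token_subject": verify_access_token(token, KEY, now)["sub"],
            "replay": attempt(CONFIG, state, now), "expired": attempt(CONFIG, fresh(), now + 3600),
            "wrong_audience": attempt(dict(CONFIG, audience="https://other.example.net/sp"), fresh(), now),
            "untrusted_issuer": attempt(dict(CONFIG, trusted_issuers={"https://rogue.example.net"}), fresh(), now)}
```

`demo()` accepts the constructed response once and issues a broker token for `alice@example.com`; presenting the same assertion again, presenting it an hour later, or changing the audience or the trusted issuer is rejected with the corresponding reason. The order of the checks matters: the replay cache and the InResponseTo binding are consulted only after the assertion has been tied to this SP, so an attacker cannot use a stolen assertion meant for another relying party to consume one of our request IDs. The applications behind the broker then integrate only with the broker's OAuth2 endpoints, which any of the OAuth libraries named in the question can do.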
1

Agree with @Matias - this is not a trivial issue.

Far better to use something that's out there already.

Another option might be Authorization Server. That gives the full OAuth support plus federation capabilities with ADFS, OpenAM and Oracle Identity.

rbrayb
  • 46,440
  • 34
  • 114
  • 174