0

I'm trying to figure out the right architecture from a mix of current .NET authentication/authorization offerings. One question that I haven't been able to find much online information on: What are the benefits of having ThinkTecture IdentityServer 2.0 federate ADFS 2 (which is authenticating domain users using Active Directory credentials), vs having IdentityServer authenticate users against the domain directly?

For my company, I see only 3 possible requirements for ADFS 2, but I'd prefer to avoid installing it if IdentityServer is sufficient (mainly because it's open-sourced, and therefore more readily debuggable, extensible, and understandable):

  1. Claims-based authentication of corporate (Active Directory) users.
  2. Support for Office365 SSO - there are directions for integrating Office365 with ADFS
  3. Federating external (business partner) ADFS services (we don't currently need this, but I'd like to keep the option open)

Is any of this functionality not provided by, or not easily added to, IdentityServer 2.0?

crimbo
  • 10,308
  • 8
  • 51
  • 55
  • 1
    To your point about IdentityServer being open-source and implying that ASP.NET Identity is not; the ASP.NET Identity is open-source on CodePlex http://aspnetidentity.codeplex.com/ under the Apache license. But the source code has not been made publicly available yet. It will be in the future. – Kevin Junghans Jan 30 '14 at 14:54
  • 1
    Thanks for the comment Kevin - I intended to make the point that the ADFS 2 code is not open-sourced - which is separate from ASP.NET identity. It's great that ASP.NET identity will be put up on codeplex... – crimbo Jan 30 '14 at 22:13

2 Answers2

2

Well IdSrv does not do Windows authentication out of the box. It would be easy to add forms based authentication for AD users - but Windows integrated (SSO) would be more involved.

leastprivilege
  • 18,196
  • 1
  • 34
  • 50
1

IdentityServer is a really good product but:

  • Only authenticates against SQL not AD
  • Doesn't have SAML support - useful for third party integration e.g. SalesForce
  • No rich claims rules language

which ADFS does for you.

@leastprivilege answered the first - the rest are definitely not trivial to add.

Don't have much experience with Office 365 but it sits on top of Azure Active Directory which can be hooked up with IdentityServer - refer Federating IdentityServer with Windows Azure Active Directory.

rbrayb
  • 46,440
  • 34
  • 114
  • 174