
I am currently evaluating possible Identity Management (IdM) solutions that enable single user identity store and SSO across applications.

I am leaning heavily toward Thinktecture IdentityServer v2, but I am not able to validate that all of the following requirements can be met with it.

I am also familiar with and have used the MembershipReboot project as a replacement for the ASP.NET Membership Provider. I like that MR provides a lot of the self-serve and pwd mgmt requirements I'd need, but I don't fully understand how this would "fit in" with IdentityServer - and by that I don't mean the actual implementation of the I*Repository interfaces, but rather from a high-level architecture.

Would someone tell me which of the following are (or are not) possible with it, and perhaps provide other options that may better address these requirements?

  • Support for ASP.NET (WebForms and MVC)
  • Maintain central user identity store
  • Self service password management
  • Password policy configuration
  • Ability to authenticate both AD users as well as users in a (centralized) SQL store (forms) - this means we want to have some internal users (AD) and some custom (forms/sql) users in the same application
  • Customization of pages (e.g. login, self service, etc.)
  • Roles/Claims management specific to each application (I know this is Authorization, not Authentication, but I need to understand how to manage app-specific claims related to central user identities)
  • Permissions management (not sure if this should be in the app, or centralized)
  • SSO across different domains
  • Support for token standards like SAML 2.0, JWT, WsFed
  • Open Source, or Low Cost
  • Extensible (lower priority)

Any suggestions/recommendations or comments based on the above requirements?

Thiago Silva

1 Answer

If you're using IdentityServer then you're doing single sign-on. This means your app can be any tech as long as you have a library that can handle whatever protocol your IdP supports. IdentityServer v2 supports WS-Fed primarily for browser-based applications. IdentityServer v3 will first be focused on OIDC (OpenID Connect) but will eventually also support WS-Fed.

MembershipReboot is an identity management library. This means it stores things like passwords and other identity data for your users. It can be used by both IdentityServer v2 and v3.

Most, if not all, of the things you list can be achieved with either platform. Some will require custom coding on your part.

IdentityServer v3 will be in alpha very soon.

Brock Allen

  • Thanks! So to clarify, would I be implementing MR in the IdSrv app, or in my own MVC app? Which reqs do you say will need custom coding? I'm just a bit fuzzy on how the 2 work together – Thiago Silva Apr 06 '14 at 01:03
  • If you want your app to manage user identity data then you'd use MR in your app, but you wouldn't be designing for SSO. If you want SSO then you want to centralize that part (which is IdSrv) and it can then use MR to manage those identities. – Brock Allen Apr 07 '14 at 22:35
  • Thanks again, Brock. Is it common for people using IdSrv to modify its code base to customize it for branding, as well as to add self-service screens, like pwd resets, customized user management, etc.? I set up IdSrv w/ MR on a test VM, and it works, but the web site doesn't expose most of the features of MR that I would want to leverage. I get the under-the-hood replacement of the repository interfaces, but that's just the tip of the iceberg of how I'd want to integrate those 2 projects. – Thiago Silva Apr 08 '14 at 19:11
  • So, if the RP app, which is a SaaS, has requirements to provide some level of user management to each tenant (tenant admin), would that be new screens added to the STS (IdSrv), or new screens in the RP leveraging some API to pull a list of users, add users, etc.? – Thiago Silva Apr 14 '14 at 19:07
  • @BrockAllen, can you please help me by sharing your thoughts about this question [SSO using Identity Server with SAML 2 with other Identity Providers](http://stackoverflow.com/questions/40180385/sso-using-identity-server-with-saml-2-with-other-identity-providers) – Hussein Salman Oct 24 '16 at 18:42
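The answer and Brock's second comment describe a three-way split: the identity store (MembershipReboot's role) owns accounts and password hashes, the identity provider (IdentityServer's role) authenticates against that store and issues tokens, and the relying-party app never sees a password, it only needs a library for the token protocol. The block below is an added, language-neutral illustration of that split, not code from IdentityServer, MembershipReboot or the question's project (neither product is written in Python). The class names, the HS256-signed JWT format (the question lists JWT among the wanted token standards), the issuer URL, the app ids, the per-application role map, the password-length policy and the sample account are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityStore:
    """Plays the MembershipReboot role: the only component holding password material."""

    MIN_PASSWORD_LENGTH = 12  # constructed policy value; MR exposes its own settings

    def __init__(self):
        self._accounts = {}

    def create_account(self, username, password, roles_by_app):
        # Password policy is enforced here, centrally, not in each application.
        if len(password) < self.MIN_PASSWORD_LENGTH:
            raise ValueError("password policy: at least %d characters" % self.MIN_PASSWORD_LENGTH)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._accounts[username] = {"salt": salt, "hash": digest,
                                    "roles_by_app": dict(roles_by_app)}

    def authenticate(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 200_000)
        if not hmac.compare_digest(digest, acct["hash"]):
            return None
        return {"username": username, "roles_by_app": acct["roles_by_app"]}


class IdentityProvider:
    """Plays the IdentityServer (STS) role: sign-in happens here, apps get a token."""

    def __init__(self, issuer, store, signing_key, lifetime=300):
        self._issuer, self._store, self._key, self._lifetime = issuer, store, signing_key, lifetime

    def sign_in(self, username, password, audience):
        acct = self._store.authenticate(username, password)
        if acct is None:
            return None
        now = int(time.time())
        # App-specific claims: the IdP maps one central identity to roles per audience.
        claims = {"iss": self._issuer, "aud": audience, "sub": username,
                  "iat": now, "exp": now + self._lifetime,
                  "roles": acct["roles_by_app"].get(audience, [])}
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                         _b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


class RelyingParty:
    """The application: holds no accounts or passwords, only what verifies tokens."""

    def __init__(self, app_id, issuer, verify_key):
        self._app_id, self._issuer, self._key = app_id, issuer, verify_key

    def validate(self, token, now=None):
        """Return the claims if the token is genuine, unexpired and meant for this app."""
        try:
            h, p, s = token.split(".")
            expected = hmac.new(self._key, (h + "." + p).encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                return None
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(p))
        except ValueError:  # malformed base64 or JSON
            return None
        if header.get("alg") != "HS256":
            return None
        now = int(time.time()) if now is None else now
        # Audience check is what keeps a token for app-a from being replayed at app-b.
        if (claims.get("iss") != self._issuer or claims.get("aud") != self._app_id
                or claims.get("exp", 0) <= now):
            return None
        return claims
```

The symmetric HS256 key is shared between the IdP and every app only to keep the example self-contained; with an asymmetric signature (which WS-Fed/SAML and production JWT deployments use) each relying party holds just the IdP's public key. Note where the pieces from the question land: password policy and self-service live next to the store, per-application roles are applied when the IdP issues the token, and the app's only job is validating issuer, audience, expiry and signature.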