
My company is researching implementing an identity server. Essentially we need to act primarily as a service provider, but need to accept claims via either SAML, OpenID and OAuth (I realize this is an authorization protocol) - and then reroute to the appropriate application server using tokens. It's possible that we would act as an identity provider too and make assertions to outside service providers.

So far the servers we are looking into are WSO2 and OpenAM, but we are curious as to whether there are any other servers that are being widely used.

We'd also like to be able to use something that's written in .NET. The above mentioned servers are both Java.

Any available resources with regards to this question would be greatly appreciated as well as any feedback on whether you've used either of the above servers and what your experiences were.

Thanks!

kickinchicken

2 Answers

As an SP, ADFS would work but doesn't do OpenID. IdentityServer does OpenID and OAuth but not SAML.

Both do WS-Fed, so you could federate them to provide the best of both worlds.

Both are .NET.

rbrayb

Thinktecture IdentityServer v3 together with the Kentor.AuthServices OWIN middleware to handle SAML2P authentication against external IdPs fulfills most of your requirements. What's missing with that setup is the ability to act as a SAML2P identity provider (but it's open source, so you can always add it yourself).

Anders Abel
  • Hi @Anders Abel: If we are a full-out Windows shop, why would we need to use OWIN? I really like how Thinktecture looks, but even still think it might be overkill. Basically we only need a very thin layer to parse tokens and send the claims to our resource server, and those tokens would come via SAML/OpenID or OAuth. We don't require any authorization (role verification etc.) or a data store on the ID server. Essentially it'd just be a gatekeeper to make sure tokens are valid. Would the products you mentioned be overkill? – kickinchicken Apr 06 '15 at 16:08
  • In that case it might be better to just find libraries implementing each of the protocols. The Katana/OWIN middleware for OpenID and OAuth and the Kentor.AuthServices middleware for SAML2 would be such an option. They can be used to just get the token, but require understanding of the [OWIN external auth pipeline](http://coding.abel.nu/2014/06/understanding-the-owin-external-authentication-pipeline/). – Anders Abel Apr 06 '15 at 16:12