I have the problem below that I am trying to solve:

There is an MVC web application (AppA) in domain DomA that is configured to use a CUSTOM STS for authentication/authorization.

On the other hand we have a CRM installation in another domain, the MyCRM domain, that is configured to use ADFS (ADFS is in the same domain as the CRM).

What we want to achieve is for AppA to be able to POST data to the Dynamics CRM Web API, but we don't want the users of AppA to re-enter credentials or have any other kind of interaction regarding authentication/authorization with ADFS. AppA should be able to POST data from both JavaScript (client side) and the backend (MVC controller).

How could we achieve the above? What kind of Trust should we establish between the Custom STS of DomA domain and the ADFS of MyCRM domain?

Ricky Stam
  • It might be possible to federate your custom STS and ADFS, but I think it is not the right problem. As I see it, your biggest problem is that any JS running on a browser in one domain cannot talk to a server in another domain - that is an XSS vulnerability that you don't want to poke a hole in. – Eccountable Sep 02 '17 at 01:41

1 Answer


You don't need federated identity for back-end (server-to-server) connections. You might want to use Impersonation, which permits you to set up a user account that can act on behalf of another user in the system.

Eccountable
  • Thank you for your response, but I can't use Impersonation since every user would have different roles and privileges, plus the customer needs whichever action is performed in the CRM to reflect the real user who did it. – Ricky Stam Sep 02 '17 at 13:54
  • That is how impersonation works: even though a privileged service account is executing the action, if you assign the systemuser ID then CRM will behave as though the user was doing it themselves. – Eccountable Sep 02 '17 at 16:43
  • Please note that the client wants to use the Dynamics CRM Web API, in order to be able to call the API from JavaScript too. Nonetheless I will accept the answer since this is a valid solution to interact with the Dynamics from the server side and no better solution was posted. – Ricky Stam Sep 03 '17 at 10:32
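The impersonation pattern the answer and its comments describe, shown as an added example in C# for the MVC back end (this is not code from the original post or from either participant). The Dynamics CRM Web API lets a caller run a request as another user by sending that user's systemuser GUID in the MSCRMCallerID header; the caller itself must hold the "Act on Behalf of Another User" privilege. Assumptions not stated in the thread: the service account has already obtained an OAuth bearer token from the MyCRM ADFS (that exchange is outside this snippet), the Web API version is v8.2, the custom STS issues a UPN claim, the AppA user to CRM systemuser mapping is a hypothetical server-side dictionary, and the controller is ASP.NET MVC 5 with Newtonsoft.Json available.

```csharp
// Added example, not from the original post. Assumed: service-account bearer
// token already acquired from ADFS; service account has the
// "Act on Behalf of Another User" privilege; hypothetical UPN -> systemuserid map.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;          // ASP.NET MVC 5 assumed
using Newtonsoft.Json;

public sealed class CrmImpersonatingClient
{
    private readonly HttpClient _http;
    private readonly IReadOnlyDictionary<string, Guid> _upnToSystemUserId;

    public CrmImpersonatingClient(Uri orgUrl, string serviceAccountBearerToken,
                                  IReadOnlyDictionary<string, Guid> upnToSystemUserId)
    {
        // Only the back end holds the service-account token; it never reaches the browser.
        _http = new HttpClient { BaseAddress = new Uri(orgUrl, "/api/data/v8.2/") };
        _http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", serviceAccountBearerToken);
        _http.DefaultRequestHeaders.Add("OData-MaxVersion", "4.0");
        _http.DefaultRequestHeaders.Add("OData-Version", "4.0");
        _http.DefaultRequestHeaders.Accept.Add(
            new MediaTypeWithQualityHeaderValue("application/json"));
        _upnToSystemUserId = upnToSystemUserId;
    }

    // Resolve the CRM user from the claims the custom STS issued for the AppA session.
    // The systemuser id is looked up server side and never accepted from the client;
    // otherwise any AppA user could pick whom to impersonate.
    public Guid ResolveCrmUser(ClaimsPrincipal principal)
    {
        var upn = principal.FindFirst(ClaimTypes.Upn)?.Value
                  ?? throw new UnauthorizedAccessException("No UPN claim from STS");
        if (!_upnToSystemUserId.TryGetValue(upn, out var systemUserId))
            throw new UnauthorizedAccessException("No CRM user mapped for " + upn);
        return systemUserId;
    }

    // POST a record to an entity set (e.g. "contacts") as the impersonated user.
    public async Task<Uri> CreateAsync(string entitySet, object record, Guid systemUserId)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, entitySet)
        {
            Content = new StringContent(JsonConvert.SerializeObject(record),
                                        Encoding.UTF8, "application/json")
        };
        // MSCRMCallerID makes CRM execute the request as this systemuser, so
        // createdby, ownership, security roles and audit history reflect the
        // real user rather than the service account.
        request.Headers.Add("MSCRMCallerID", systemUserId.ToString());

        using (var response = await _http.SendAsync(request))
        {
            response.EnsureSuccessStatusCode();   // Web API returns 204 No Content on create
            // The new record's URI comes back in the OData-EntityId header.
            return new Uri(response.Headers.GetValues("OData-EntityId").First());
        }
    }
}

// The browser-side JavaScript posts to this controller, not to CRM, so no
// cross-origin call to the CRM domain and no CRM credential in the browser.
public class ContactsController : Controller
{
    private readonly CrmImpersonatingClient _crm;
    public ContactsController(CrmImpersonatingClient crm) { _crm = crm; }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Create(string firstName, string lastName)
    {
        var callerId = _crm.ResolveCrmUser((ClaimsPrincipal)User);
        var created = await _crm.CreateAsync("contacts",
            new { firstname = firstName, lastname = lastName }, callerId);
        return Json(new { created = created.ToString() });
    }
}
```

Two checks worth making before relying on this: confirm in CRM that the service account has only the "Act on Behalf of Another User" privilege it needs and not broad data privileges of its own, and confirm that the impersonated user's own security roles are what limit each request (CRM enforces the impersonated user's privileges, not the service account's, which is what makes the per-user role requirement in the comments work).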