
I’m looking to integrate with an SSO IdP (identity provider) and trying to understand whether AD can serve that role. I.e., I set up users on AD, users authenticate on a webpage that checks the validity of their password with AD, which generates a signed token I can use to log into my app.

Thanks!

1 Answer


Yes, AD can easily be used as an Identity Provider for single sign-on purposes.

If you're going for it, achieving Web single sign on (SSO) through Microsoft's AD FS (Active Directory Federation Services) would be a good choice.

I'll quote the overview from the MSDN article on Active Directory Federation Services:

Overview

AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.

AD FS is Microsoft's implementation of the WS-Federation Passive Requestor Profile protocol (passive indicates that the client requirements are just a cookie- and JavaScript-enabled Web browser). AD FS implements the standards-based WS-Federation protocol and Security Assertion Markup Language (SAML).

... // follow the link shared above for more information.
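As an added example (not part of the answer above, and not AD FS code), here is what the "hosting partner" side of the quoted overview looks like once the token arrives: the relying party applies its trust policy to the claims in the assertion that AD FS issued after checking the user's password against AD. The assertion, the issuer and audience URLs, and the group-to-role mapping are all constructed for this example; XML Signature verification is assumed to have been done by a SAML library before this step, since a token whose signature was not checked must never reach the claims mapping.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 assertion namespace (the token format AD FS issues under the WS-Federation passive profile).
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion as the IdP would issue it after authenticating the user against AD.
# The XML Signature element is omitted: verifying it is assumed to happen before accept_assertion().
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  Issuer="http://adfs.example.test/adfs/services/trust">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.example.test/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Finance-Admins</saml:AttributeValue>
      <saml:AttributeValue>All-Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical relying-party trust policy: which issuer we trust, which audience value names
# this application, and how the partner's group claims map to roles the application understands.
TRUST_POLICY = {
    "issuer": "http://adfs.example.test/adfs/services/trust",
    "audience": "https://app.example.test/",
    "group_to_role": {"Finance-Admins": "admin", "All-Staff": "user"},
}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, policy, now):
    """Apply the trust policy; return the mapped identity, or raise ValueError on any failed check."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") != policy["issuer"]:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", SAML_NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if policy["audience"] not in [a.text for a in cond.findall(".//saml:Audience", SAML_NS)]:
        raise ValueError("assertion not intended for this application")
    claims = {attr.get("AttributeName"): [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
              for attr in root.findall(".//saml:Attribute", SAML_NS)}
    # Unknown groups are dropped rather than passed through: only roles the policy names are granted.
    roles = sorted({policy["group_to_role"][g] for g in claims.get("Group", []) if g in policy["group_to_role"]})
    return {"subject": claims["upn"][0], "roles": roles}
```

The application then makes its authorization decisions on `roles`, never on the raw partner group names.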

Am_I_Helpful