Single Sign On (SSO) Scenario - Please Provide Guidance

Question

I have a centralized credentials store that is used for several websites / web-portals.

Each website has its own unique domain and branding specific to one customer.

I want to display a login form on each portal and validate those credentials against the centralized credential store. In addition, I would like to enforce a variety of password policies. For example, a user's password may expire after a certain number of days. Or there may be a requirement to have 8 characters with 1 letter + 1 digit + 1 special character.

I would be OK with redirecting users to a centralized website for the majority of this password maintenance, however I really want to allow for users to enter a username / password on the custom domain for their portal.

I am familiar with SAML and it seems to almost get me there. However, it does not seem to support collecting credentials on the Service Provider.

I would prefer not to come up with an Ad-Hoc solution, but would rather use a standardized solution like SAML that has been rigorously designed by a committee.

I am willing to consider a WIF based solution as well.

Answer 1

I assume your credential store is not AD?

Best plan is to use a custom STS. If you are using SQL Server, have a look at Identity Server. This doesn't support SAML but you can federate it to ADFS which does.

Each application would then use WIF.

On your custom STS, place all the self-service password stuff on your login page.

So everyone will share the same login page on the STS.

If you want the login page on each site, then you can use WIF active profile and connect to the STS login via a web service. But then you have to have the self-service stuff on many pages which is going to complicate maintenance.