SASS_Shooter

Reputation: 2216

ASP.NET Web Api security using Active Directory

I've searched the posts and have not found exactly what I'm looking for pertaining to my question. For example, Security ... through AD asks more the question: is it wise? My question is this:

We are implementing WCF applications and we are now putting WCF ... I mean ASP.NET Web Api ;) into our server stack. I want to secure the services by requiring that the user log on to ADS, but if they already have logged on (via network login or other means) then I don't request a login. Role-based authorization then occurs within the services.

I cannot find good discussions or examples of how I handle ADS authorization, especially through all of the future endpoints (tablet and phone).

My one thought was that the user does a login to ADS and the token then becomes what gets handled for security and rights. So now I'm a little bit concerned about how much coding has to be done to accomplish this. We are looking at FederatedServices to handle this in WCF but there is no such control in this weak API.

So I'm interested in any input, or please direct me to a great article on this. So far all I see is self-rolled security which our old server has and I do NOT want that crap again.

Oh yes, did I mention our target is single sign-on throughout our web services??? :)

Upvotes: 3

Views: 2639

Answers (1)

Aliostad

Reputation: 81660

Best place to start is Dominick's Thinktecture Identity for Web API. It is the de facto security framework for Web API and supports token-based identity.

Upvotes: 2
