Muhammad Rehan Saeed

Reputation: 38527

IdentityServer3 vs Azure Active Directory vs AWS Directory Services

I'm evaluating the above three identity management technologies and wanted to try to find out the advantages/disadvantages and get a sense for when I should be using IdentityServer3 over the other technologies. I have three scenarios:

Upvotes: 3

Views: 391

Answers (1)

Muhammad Rehan Saeed

Reputation: 38527

Brock Allen's Comments:

According to Brock Allen, the creator of IdentityServer:

Well, the main thing that differentiates IdentityServer is the ability to customize the entire token service and have control of the user data. SaaS products are very limited in customization because for the most part they don't let you upload arbitrary code to alter or change behavior and they often encapsulate the database of users. On the other hand, this means you have to host IdSvr (which can be cloud hosted) and you need to build a database for your users. So if you need the control, IdSvr is a good choice.

Also, I should note that very often IdSvr is used in conjunction with other identity providers (like ADFS or AAD). IdSvr is deployed in between the apps and the ultimate IdPs, again, usually to allow the customization that the apps need, yet still centralized and consolidated.

Source

My Own Findings

Disclaimer: I looked into this for use by the company I work for, who had existing infrastructure I had to cater to, so the solution I chose is skewed in that direction. Even so I've tried to give an impartial summary of my own thoughts during my research.

Azure Active Directory

Azure Active Directory is a hosted identity solution, so there is far less setup (especially if like me, you discover that you are already using it for Office 365). Out of the box, it provides some very nice features that can get you started very quickly.

The premium version has monitoring and reporting capabilities (Connect Health) so you can see who is logging into your system, it has two factor authentication, an identity management website and Microsoft is monitoring logins (a bit like cloudflare for identity), so it should in theory provide some added security. However, the customization of the UI is very basic, you have to pay for the premium features and using the Azure Portal to do identity management (if you go with the free version) is kind of a pain.

The documentation is pretty good and there are samples on GitHub with Microsoft devs actively monitoring the issues which was helpful. Some links I found useful:

IdentityServer

IdentityServer is the Swiss Army knife of Identity management. It can do everything but does require a small amount of setup and a little more knowledge of the identity space. It can do most things that I listed above and a lot more beyond.

It has to be noted that even if you are using Azure Active Directory, there may still be reasons for choosing IdentityServer which I had not initially considered. For example, if you have more than one source of user data e.g. You are using AD and also a SQL database of users, then IdentityServer can be used to point to both of these sources of user information. In theory it should also make it easier to switch from AD to something else entirely as it decouples things.

The project is actively developed, has code samples for all the authentication flows and you can get answers from the community. Some links I found useful:

Authentication Flows

Fact: Security is hard. There are lots of different ways of doing authentication called flows. I put this link here because I found it very useful for understanding them.

[Image: Auth Flows diagram (source: azurecomcdn.net)]

Summary

I discounted AWS Directory Services as it's very young even though the company I work for uses AWS. We also use Office 365, so I discovered that we already had an Azure Active Directory linked to an on-premises active directory server. Even so, IdentityServer is still a valid contender for reasons I explained above. We are still trialing both solutions...

What you decide to choose depends entirely on the problem you have. Which should you choose? Well, it depends on the number of developers, time, money and effort you can expend setting this up. There is no one size fits all solution. Really, the differences in the two products above are the differences between a SaaS and PaaS solution.

Upvotes: 1
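The answer above points at the authentication flows without showing one. The following is an added example, not code from the answer or from IdentityServer, Azure AD or AWS Directory Services: a self-contained simulation of the OAuth 2.0 / OpenID Connect authorization code flow with a toy in-memory identity provider standing in for whichever token service you pick, and a toy client application. The client id, secret, user names and URLs are constructed placeholders. It shows the three messages of the flow (authorize request, redirect back with a code, back-channel code exchange) together with the checks each side is expected to perform: exact redirect URI matching, the client's `state` binding against CSRF and replayed callbacks, client authentication at the token endpoint, and single-use, short-lived codes bound to the client and redirect URI that requested them. Those checks are the same whether the token service is hosted for you or you run IdentityServer yourself.

```python
"""Simulated OAuth 2.0 authorization code flow (constructed example; the IdP,
client, URLs and credentials are placeholders, not any vendor's code)."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class ToyIdentityProvider:
    """In-memory stand-in for a token service (IdentityServer, AAD, ...)."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, {registered redirect URIs})
        self.codes = {}     # authorization code -> parameters it is bound to

    def register_client(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = (client_secret, set(redirect_uris))

    def authorize(self, query, authenticated_user):
        """GET /authorize, called after the user has logged in at the IdP."""
        p = parse_qs(query)
        client_id, redirect_uri = p["client_id"][0], p["redirect_uri"][0]
        if client_id not in self.clients:
            raise ValueError("unknown client")
        # exact match against the registration; never prefix or substring matching
        if redirect_uri not in self.clients[client_id][1]:
            raise ValueError("redirect_uri not registered for this client")
        if p.get("response_type", [""])[0] != "code":
            raise ValueError("unsupported response_type")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": authenticated_user, "expires": time.time() + 60}
        # redirect the browser back, echoing the client's state unchanged
        return redirect_uri + "?" + urlencode({"code": code, "state": p["state"][0]})

    def token(self, form):
        """POST /token: back-channel call in which the client authenticates itself."""
        registered = self.clients.get(form["client_id"])
        if registered is None or not secrets.compare_digest(registered[0], form["client_secret"]):
            raise ValueError("client authentication failed")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        rec = self.codes.pop(form["code"], None)   # pop: a code is single-use
        if rec is None or rec["expires"] < time.time():
            raise ValueError("invalid, replayed or expired code")
        if rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form["redirect_uri"]:
            raise ValueError("code is bound to a different client or redirect_uri")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": rec["sub"]}


class ToyClientApp:
    """The relying party: starts the login and finishes the code exchange."""

    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id, self.client_secret = idp, client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()   # one unguessable state per login attempt

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://idp.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "openid profile", "state": state})

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [""])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: possible CSRF or replayed callback")
        self.pending_states.discard(state)   # state is consumed on first use
        return self.idp.token({"grant_type": "authorization_code", "code": q["code"][0],
                               "redirect_uri": self.redirect_uri,
                               "client_id": self.client_id,
                               "client_secret": self.client_secret})


def make_parties():
    idp = ToyIdentityProvider()
    idp.register_client("web-app", "placeholder-secret", ["https://app.example/callback"])
    return idp, ToyClientApp(idp, "web-app", "placeholder-secret", "https://app.example/callback")


def run_flow(user="alice"):
    """Happy path: authorize request -> redirect with code -> token exchange."""
    idp, app = make_parties()
    callback = idp.authorize(urlparse(app.start_login()).query, user)
    return app.handle_callback(callback)


def replay_is_rejected():
    """Delivering the same callback twice must fail (state consumed, code popped)."""
    idp, app = make_parties()
    callback = idp.authorize(urlparse(app.start_login()).query, "alice")
    app.handle_callback(callback)
    try:
        app.handle_callback(callback)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow(), "replay rejected:", replay_is_rejected())
```

The `sub` claim is returned in the token response only so the simulation stays dependency-free; a real provider carries it inside a signed ID token that the client must verify (signature, issuer, audience, expiry) before trusting it.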
