Reputation: 305
IdentityServer3 + Active Directory + Self-Hosted User db
I'm trying to find a solution to handle authentication on my new application, and I like the approach of IdentityServer3. I would like to hope my requirements are met by IdentityServer3 and it's just my lack of understanding due to my newness with the technology.
My requirements are as follows, and in order of desired execution: 1) If a user requesting authentication is a local (domain) user, they should be authenticated automatically using Active Directory. 2) If a user requesting authentication is not found in Active Directory, they should be authenticated against our own User table. 3) If a user requesting authentication is in neither Authority, we may choose to grant access via Google or Facebook credentials, but that's not a Phase I requirement.
I currently have a working proof of concept using IdentityServer3 as a standalone security server pulling records from the InMemoryUsers, InMemoryClients and InMemoryScopes, and I'm fairly sure I'll be able to expand on those concepts for pulling from our own database.
This problem comes when I try to use Active Directory as the first checkpoint.
I've looked at a couple of resources in an effort to accomplish the Active Directory, but I'm getting all tripped up as I'm not seeing any concise demo that shows the AD piece of the puzzle.
TJ Robinson has a Gist of an ActiveDirectoryUserService that implements IUserService, and that looks to be the most promising, but because of my n00b status, I can't seem to figure out how to roll it into the scheme.
I would really appreciate any suggestions, and, perhaps, links to examples of how to do AD authentication first with a fallback to local authentication.
Thanks in advance, Ric
Upvotes: 3
Views: 1904
Answers (1)
Reputation: 1319
In regard to your first requirement...
I believe you should examine the Windows Authentication Service. This is essentially a mini security-token-service that can work as an external identity provider to IdentityServer to provide Windows Authentication (over the WS-Fed protocol).
If you follow that link to the GitHub page, you will find two links to samples that can you get started with this component. One sample has both Identity Server and the Windows Authentication Service hosted separately and the other sample has them hosted together.
A separate option could be to use ADFS (if you have one) as an external identity provider.
Those samples include a custom user service (ExternalRegistrationUserService) that shows those windows users being mapped to an in-memory collection of users (in Identity Server). Your requirements will obviously demand a different implementation of that user service, but I hope this might help get your started with the Windows Auth part.
When I went through this exercise recently, I found a lot of good information in the closed IdentityServer3 issues (for windows auth). Lots of good info on Stack Overflow as well; good luck!
Upvotes: 3
Related Questions
- IdentityServer 4 with Active Directory on Premise
- ASP.NET MVC+API and WCF with claims-based authorization and authentication against a custom DB and active directory
- How to properly authenticate user against Active Directory?
- IdentityServer3 Authorize in custom MVC controller in identity server application
- IdentityServer authentication for admin application in the same host
- ASP.Net MVC with Active Directory Authentication using Owin Middleware
- Authentication SQL + AD Users
- ASP.Net MVC Alternative Login to identity
- Setting up IdentityServer wtih Asp.Net MVC Application
- ASP.NET Identity + Windows Authentication for Intranet Site