Reputation: 1695
I am very new to the single sign-on options available to me. I currently have a requirement to secure multiple application sets within the same product family and have no idea where to start.
Some of the base requirements would be
I have no idea where to start, I have done a quick read through of something like ADFS https://msdn.microsoft.com/en-us/library/bb897402.aspx, but NO IDEA if this would meet all the listed requirements above.
Any help pointing me in the right direction would be greatly appreciated!!
Upvotes: 1
Views: 604
Reputation: 46803
You are confusing two separate concepts viz:
ADFS only does the former. You need an Identity Manager (IM) to do the latter.
So:
User should be able to authenticate once, and based on the credentials user would be redirected to the required application
I'll concentrate on the Microsoft world. ADFS and Azure AD can both do this. User --> application --> IDP - authenticates --> back to application
A central management console should be available for administrators to simplify role assignments as well as grant access to the various applications as required
IM functionality. AAD could do the group assignment but doesn't really have workflows. You can use "Active Directory Users Control" in Windows Server to manually edit AD attributes for use by ADFS.
Users can register for certain applications but certain sensitive applications require administrator approval before the user can successfully log in.
IM - needs workflows
This SSO should also secure an API with some sort of permission logic e.g. only supervisor roles can delete a record
This is both. ADFS 4.0 (Server 2016) can protect web API as can AAD. Deleting roles is IM as above.
Users should be able to register with OAuth providers such as Facebook, Twitter, Google & Windows live.
Microsoft has limited social interaction. You can add some social providers using AAD. I use Auth0 and federate as it has tons of social providers. Azure B2C may be of use here.
The SSO provider should be simple to implement into a multitude of platforms such as Windows Apps, Web Apps, Mobile & services
For web apps, you can use SAML, WS-Fed, OpenID Connect & OAuth.
For Windows Apps, you can use OpenID Connect & OAuth.
For Mobile & services, you can use OpenID Connect & OAuth. (Note there are four flows to cater for different scenarios).
ADFS 4.0 (Server 2016) and AAD can support all the above.
Upvotes: 1
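The split the answer draws between authentication (the IdP proves who the caller is) and the API's own permission logic (only supervisors may delete) is easiest to see in code. This is an added illustration, not code from the answer or from ADFS/AAD: the issuer, audience, role names and shared secret are constructed demo values, and HS256 with a shared secret stands in for the RS256 tokens a real ADFS/AAD deployment issues, which must be verified against the IdP's published signing keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. A real ADFS/AAD token is RS256-signed and is verified
# against the IdP's published keys (JWKS), never against a shared secret like this.
ISSUER = "https://idp.example.test/adfs"
AUDIENCE = "api://records"
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Stand-in for the IdP: signs the claims with HS256 (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authenticate(token: str, now: float = None) -> dict:
    """Authentication: prove the token came from the IdP, for this API, and is unexpired."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    # Pin the algorithm: never let the token's own header pick it (e.g. alg=none).
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(body))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def delete_record(token: str, record_id: str, now: float = None) -> str:
    """Authorization: the API, not the IdP, decides that only supervisors may delete."""
    claims = authenticate(token, now)
    if "supervisor" not in claims.get("roles", []):
        raise PermissionError(f"{claims.get('sub')} is not a supervisor")
    return f"record {record_id} deleted by {claims['sub']}"
```

The role claim itself is what the answer calls identity-management territory: who is granted "supervisor" is decided in the IM tooling and only carried by the token, while the API enforces it.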