Is it a bad practice to put external users in Active Directory?

We have an existing Web application and we want to migrate from a custom authentication solution to Active Directory Federation Services so that our partner organizations can manage the authorization of their users on their side.

Right now the site is using custom database tables to manage users and custom logic to manage authentication and authorization.

In addition to the partner organizations that will authenticate their users and gain access through ADFS, we have internal users who are in our Active Directory domain. These users can also be authenticated through ADFS.

Our question revolves around our external users. This site also allows individuals to register. These individuals don't have any organization for whom they work, so we can't use ADFS to handle their authentication.

Since we need to support these individuals, we need to manage their user accounts.

ADFS can only connect to Active Directory or Active Directory Application Mode account stores.

Since ADFS only supports these account stores, it seems like the logical solution is to create accounts for external users in our Active Directory domain.

This would mean that we'd update our registration pages to create new user accounts in Active Directory rather than creating new records in our custom database.

So, is this a bad practice? Should AD be used for users external to one's organization? How do others handle this type of situation when using ADFS?

Bret Walker asked Feb 06 '09 13:02


1 Answer

Create a new AD forest for your external users; you might need to set up some better security, but the two can be connected for seamless authentication.

You'll need to tell them to use a different domain when logging on (e.g. your normal users use 'mycorp', externals use 'externalcorp'), but otherwise it's totally transparent.

gbjbaanb answered Sep 28 '22 07:09