We have an existing Web application and we want to migrate from a custom authentication solution to Active Directory Federation Services so that our partner organizations can manage the authorization of their users on their side.
Right now the site is using custom database tables to manage users and custom logic to manage authentication and authorization.
In addition to the partner organizations that will authenticate their users and gain access through ADFS, we have internal users who are in our Active Directory domain. These users can also be authenticated through ADFS.
Our question revolves around our external users. This site also allows individuals to register. These individuals don't have any organization for whom they work, so we can't use ADFS to handle their authentication.
Since we need to support these individuals, we need to manage their user accounts.
ADFS can only connect to Active Directory or Active Directory Application Mode account stores.
Since ADFS only supports these account stores, it seems like the logical solution is to create accounts for external users in our Active Directory domain.
This would mean that we'd update our registration pages to create new user accounts in Active Directory rather than creating new records in our custom database.
So, is this a bad practice? Should AD be used for users external to one's organization? How do others handle this type of situation when using ADFS?
The truth is that for most cloud-forward, heterogeneous IT organizations, Active Directory just isn't relevant anymore. The positive news is that there is a new generation of technology called Directory-as-a-Service® focused on solving a number of these Active Directory shortcomings.
The top three major benefits of Active Directory Domain Services are: centralized resource and security administration, single logon for access to global resources, and simplified resource location.
Sign in to the Azure portal with an account that's been assigned the Global administrator, Guest inviter, or User administrator role. Under Azure services, select Azure Active Directory (or use the search box to find and select Azure Active Directory). Under Manage, select Users. Select New guest user.
Create a new AD forest for your external users. You might need to set up some better security, but the two can be connected for seamless authentication.
You'll need to tell them to use a different domain when logging on (e.g. your normal users use 'mycorp', externals use 'externalcorp'), but otherwise it's totally transparent.
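Once the split above is in place, the web application receives ADFS tokens for three populations (internal staff in 'mycorp', self-registered individuals in 'externalcorp', and partner users in their own federated domains), and authorization should depend on which one a token came from rather than on the role claim alone. The following is an added illustration, not code from the thread; the domain names, role names and claim layout are constructed assumptions.

```python
from dataclasses import dataclass

INTERNAL_DOMAIN = "mycorp.example"          # assumption: the internal forest's UPN suffix
EXTERNAL_DOMAIN = "externalcorp.example"    # assumption: forest for self-registered users
PARTNER_DOMAINS = {"partner-a.example", "partner-b.example"}  # assumption: federated partners

# Roles the application is willing to honor from each population. An account in
# the external forest can never obtain an internal-only role, even if its 'roles'
# claim requests one: the claim is a request, this table is the policy.
ALLOWED_ROLES = {
    "internal": {"staff", "admin", "reader"},
    "partner": {"partner-user", "reader"},
    "external": {"reader"},
}

@dataclass(frozen=True)
class Principal:
    upn: str
    tier: str
    roles: frozenset

def classify(upn: str) -> str:
    """Map the UPN's domain to a trust tier; unknown domains are rejected outright."""
    if "@" not in upn:
        raise ValueError("UPN must contain a domain")
    domain = upn.rsplit("@", 1)[1].lower()
    if domain == INTERNAL_DOMAIN:
        return "internal"
    if domain == EXTERNAL_DOMAIN:
        return "external"
    if domain in PARTNER_DOMAINS:
        return "partner"
    raise PermissionError(f"unknown account domain: {domain}")

def authorize(claims: dict) -> Principal:
    """Build a principal from the token's claims, keeping only roles the tier may hold."""
    tier = classify(claims["upn"])
    requested = set(claims.get("roles", []))
    granted = frozenset(requested & ALLOWED_ROLES[tier])
    return Principal(claims["upn"], tier, granted)

# Constructed sample claim sets standing in for what ADFS would deliver after sign-in.
SAMPLE_CLAIMS = [
    {"upn": "alice@mycorp.example", "roles": ["admin", "reader"]},
    {"upn": "bob@externalcorp.example", "roles": ["admin", "reader"]},
    {"upn": "carol@partner-a.example", "roles": ["partner-user"]},
]

if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(authorize(c))
```

Running it shows bob's requested 'admin' role being dropped because his account lives in the external forest, while alice keeps it.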