Is it a bad practice to put external users in Active Directory?

Question

We have an existing Web application and we want to migrate from a custom authentication solution to Active Directory Federation Services so that our partner organizations can manage the authorization of their users on their side.

Right now the site is using custom database tables to manage users and custom logic to manage authentication and authorization.

In addition to the partner organizations that will authenticate their users and gain access through ADFS, we have internal users who are in our Active Directory domain. These users can also be authenticated through ADFS.

Our question revolves around our external users. This site also allows individuals to register. These individuals don't have any organization for whom they work, so we can't use ADFS to handle their authentication.

Since we need to support these individuals, we need to manage their user accounts.

ADFS can only connect to Active Directory or Active Directory Application Mode account stores.

Since ADFS only supports these account stores, it seems like the logical solution is to create accounts for external users in our Active Directory domain.

This would mean that we'd update our registration pages to create new user accounts in active Active Directory rather than creating new records in our custom database.

So, is this a bad practice? Should AD be used for users external to one's organization? How do others handle this type of situation when using ADFS?

Answer 1

Create a new AD forest for your external users, you might need to set up some better security, but the two can be conencted for seamless authentication.

You'll need to tell them to use a different domain when logging on (eg your normal users use 'mycorp', externals use 'externalcorp') but otherwise it's totally transparent.