What's the best approach to SSO with internal AD users and external users?

We have a web application (ASP.NET MVC 3) that should support SSO for internal users via AD. We also have a large community of external users that we want to have SSO for all of our web applications. For example: external_user1 accesses webappA, webappB and webappC all with the same login. Also, domain\user1 has access to all three webapps. We plan to use WIF and ADFS 2.0.

We don't want to have AD accounts for all of the external users, so in the past we might have tried a solution with ADFS 1.x and ADAM. However, we're on Windows Server 2008 R2 and ADFS 2.0 cannot use AD LDS (successor to ADAM) to authenticate users.

What is the SSO approach (using Microsoft products)?

Steve asked Jun 09 '11 21:06



3 Answers

The key question is whether you can leverage external_user1's account store or not. If you can, then you would just need to add another trust relationship between your ADFS and their STS and you are done! That approach would be ideal, because then you would not need to maintain external_user1 anymore. Essentially this:


If you can't leverage their user accounts, then you can still use ADFS v1.1 and have a trust with yourself:


Eugenio Pace answered Sep 21 '22 01:09



Could you not create a custom STS that does allow authentication against ADAM and that has a trust relationship with ADFS v2.0?

rbrayb answered Sep 21 '22 01:09



In addition to Eugenio's answer, you should investigate Microsoft Azure ACS. This will give you federation of Google, Facebook, Yahoo and other OpenID providers.

Your authentication chain will look like this:

Your App -> ADFS -> Active Directory or Your App -> ADFS -> ACS -> Google.

Search for the ADFS tag in this site, and you will find many relevant posts.

Frode Stenstrøm answered Sep 22 '22 01:09
