Jacques Bronkhorst - 9 days ago 5
ASP.NET (C#) Question

Single Sign-On ASP Identity Securing Multiple applications

I am very new to the single sign-on options available to me. I currently have a requirement to secure multiple application sets within the same product family and have no idea where to start.

Some of the base requirements would be
  1. User should be able to authenticate once, and based on the credentials user would be redirected to the required application

  2. A central management console should be available for administrators to simplify role assignments as well as grant access to the various applications as required

  3. Users can register for certain applications but certain sensitive applications require administrator approval before the user can successfully log in.

  4. This SSO should also secure an API with some sort of permission logic e.g. only supervisor roles can delete a record

  5. Users should be able to register with OAuth providers such as Facebook, Twitter, Google & Windows live.

  6. The SSO provider should be simple to implement into multitude of platforms such as Windows Apps, Web Apps, Mobile & services
I have no idea where to start, I have done a quick read through of something like ADFS https://msdn.microsoft.com/en-us/library/bb897402.aspx, but NO IDEA if this would meet all the listed requirements above.

Any help of pointing me in the right direction would be greatly appreciated!!

Answer

You are confusing two separate concepts viz:

  • Authentication
  • Provisioning

ADFS only does the former. You need an Identity Manager (IM) to do the latter.

So:

User should be able to authenticate once, and based on the credentials user would be redirected to the required application

I'll concentrate on the Microsoft world. ADFS and Azure AD can both do this. User --> application --> IDP - authenticates --> back to application

A central management console should be available for administrators to simplify role assignments as well as grant access to the various applications as required

IM functionality. AAD could do the group assignment but doesn't really have workflows. You can use "Active Directory Users Control" in Windows Server to manually edit AD attributes for use by ADFS.

Users can register for certain applications but certain sensitive applications require administrator approval before the user can successfully log in.

IM - needs workflows

This SSO should also secure an API with some sort of permission logic e.g. only supervisor roles can delete a record

This is both. ADFS 4.0 (Server 2016) can protect web API as can AAD. Deleting roles is IM as above.

Users should be able to register with OAuth providers such as Facebook, Twitter, Google & Windows live.

Microsoft has limited social interaction. You can add some social providers using AAD. I use Auth0 and federate as it has tons of social providers. Azure B2C may be of use here.

The SSO provider should be simple to implement into multitude of platforms such as Windows Apps, Web Apps, Mobile & services

For web apps, you can use SAML, WS-Fed, OpenID Connect & OAuth.

For Windows Apps, you can use OpenID Connect & OAuth.

For Mobile & services, you can use OpenID Connect & OAuth. (Note there are four flows to cater for different scenarios).

ADFS 4.0 (Server 2016) and AAD can support all the above.
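To make the "ADFS/AAD protects the API, the identity manager decides who holds the role" split concrete, here is an added example of an ASP.NET Core minimal API (not code from the question or answer) that accepts bearer tokens from ADFS 4.0 or Azure AD and lets only the supervisor role delete a record. The authority, audience and the `supervisor` role name are placeholders, the `roles` claim type is an assumption (AAD app roles use it; on ADFS you would map the AD group to that claim type), and the `Microsoft.AspNetCore.Authentication.JwtBearer` package is required.

```csharp
// Program.cs (ASP.NET Core 6+ minimal API). Added illustration, not from the post.
// Assumes an ADFS 4.0 / Azure AD issuer (placeholder URLs below) and that the IdP /
// identity manager emits supervisor membership as a "roles" claim in the access token.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholders: point at your ADFS farm, or https://login.microsoftonline.com/{tenant-id}/v2.0 for AAD.
        options.Authority = "https://adfs.example.com/adfs";
        // The identifier this API was registered under at the IdP; tokens for other apps are rejected.
        options.Audience = "api://records-api";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,     // token must come from the configured authority
            ValidateAudience = true,   // token must be minted for this API
            ValidateLifetime = true,   // expired tokens are refused
            RoleClaimType = "roles",   // assumption: AAD app roles / ADFS group-to-claim mapping
        };
    });

// Permission logic lives in the API; WHO is a supervisor is decided by the IdP / identity manager.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CanDeleteRecord", policy => policy.RequireRole("supervisor"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Any authenticated user may read a record.
app.MapGet("/records/{id}", (int id) => Results.Ok(new { id }))
   .RequireAuthorization();

// Only callers whose token carries the supervisor role may delete; everyone else gets 403.
app.MapDelete("/records/{id}", (int id) => Results.NoContent())
   .RequireAuthorization("CanDeleteRecord");

app.Run();
```

A request without a valid token gets 401 from the bearer handler; a valid token lacking the supervisor role gets 403 from the policy, so the API never has to consult the directory itself.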