This is a follow-up to my question on ASP.NET MVC / Web API Custom Authentication. The answers I was given told me to investigate claims-based authentication protocols, and I've been reading through the following book to try and gain a better understanding of the Microsoft technologies that will allow me to do this.

According to the linked book, you can use Active Directory Federation Services (ADFS) 2.0 to issue claims. What isn't clear is whether the users are required to be stored in Active Directory. Let's say I have an existing legacy application which handles authentication and in which user information (username, password, email, etc.) is stored in an Oracle database (as per my previous question), can I still use ADFS to issue claims or will I need to build my own claims issuer (STS) into this existing application?

Given the "Active Directory" in Active Directory Federation Services, it would seem that having the users stored in AD is a requirement, but the book also has the following image:

(image: ADFS Issuer)

and also this:

ADFS requires users to have an account in Active Directory or in one of the stores that ADFS trusts.

which is adding to my confusion. Can someone help shed some light on this?

Bart Jedrocha

2 Answers

You can use an ADFS Attribute Store and then create a Claims Provider Trust that has claim rules that query the attribute store. This post has someone using a SQL attribute store to SQL and then a linked server to Oracle. There's also a recommendation to use a custom attribute store and query Oracle from it. I've used both types of stores, and it's maybe a bit of a question of what you want to manage and maintain over time, code or SQL. I may lean towards the custom attribute store.

http://social.msdn.microsoft.com/Forums/vstudio/en-US/3418078f-1bb5-4f5f-9d6e-6907d0222600/using-an-oracle-database-as-an-attribute-store?forum=Geneva

Gilligan

In ADFS 2.0, 2.1 and 3.0, it is mandatory to have users in Active Directory for authentication.

Once authentication is performed, ADFS can retrieve user information from any source to create the token; these sources are called "attribute stores". As shown in your diagram, ADFS provides attribute stores for AD, AD LDS and SQL Server. If you need to access other systems such as Oracle, you'll have to build a custom attribute store (there are examples on TechNet on how to do this).

Note: in the upcoming version of ADFS on Windows Server 2016, you'll be able to authenticate users in any LDAP store.

Matthieu
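The custom attribute store that both answers point to, as an added example written for this page (not code from the post, from Microsoft's TechNet samples or from ADFS itself): it implements the IAttributeStore interface from Microsoft.IdentityServer.ClaimsPolicy.dll and runs the claim rule's query against Oracle with bind parameters, so the user still authenticates against AD and only the extra attributes come from the legacy database. Assumptions: the Oracle.ManagedDataAccess provider, a "ConnectionString" setting configured on the store, and :p0-style placeholders in the rule's query text.

```csharp
// Added example (not from the post or Microsoft's samples). Assumes Microsoft.IdentityServer.ClaimsPolicy.dll
// (ships with ADFS) and the Oracle.ManagedDataAccess provider; "ConnectionString" and :p0 are this example's choices.
using System;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;
using Oracle.ManagedDataAccess.Client;
public sealed class OracleAttributeStore : IAttributeStore
{
    private string _connectionString;
    // ADFS hands the store the name/value pairs configured on it in the management console.
    public void Initialize(Dictionary<string, string> config)
    {
        if (config == null || !config.TryGetValue("ConnectionString", out _connectionString)) throw new ArgumentException("Attribute store needs a ConnectionString setting.");
    }
    // 'query' is the claim rule's query= text; 'parameters' are its param= values. They are bound
    // (:p0, :p1, ...) rather than spliced into the SQL, so a value from the incoming token cannot alter it.
    public IAsyncResult BeginExecuteQuery(string query, string[] parameters, AsyncCallback callback, object state)
    {
        if (string.IsNullOrWhiteSpace(query)) throw new AttributeStoreQueryFormatException("Empty query.");
        var rows = new List<string[]>();
        using (var conn = new OracleConnection(_connectionString))
        using (var cmd = new OracleCommand(query, conn))
        {
            cmd.BindByName = true;
            for (int i = 0; parameters != null && i < parameters.Length; i++)
                cmd.Parameters.Add(":p" + i, parameters[i]);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                {
                    var row = new string[reader.FieldCount];   // one claim value per selected column
                    for (int c = 0; c < row.Length; c++) row[c] = Convert.ToString(reader.GetValue(c));
                    rows.Add(row);
                }
        }
        var result = new CompletedResult(rows.ToArray(), state);
        if (callback != null) callback(result);
        return result;
    }
    // ADFS turns each row into claims of the types listed in the rule's types= clause, column by column.
    public string[][] EndExecuteQuery(IAsyncResult result) { return ((CompletedResult)result).Rows; }
    private sealed class CompletedResult : IAsyncResult
    {
        public CompletedResult(string[][] rows, object state) { Rows = rows; AsyncState = state; }
        public string[][] Rows { get; private set; } public object AsyncState { get; private set; }
        public WaitHandle AsyncWaitHandle { get { return new ManualResetEvent(true); } }
        public bool CompletedSynchronously { get { return true; } } public bool IsCompleted { get { return true; } }
    }
}
```

A claim rule such as c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "OracleUsers", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = "SELECT email FROM users WHERE login = :p0", param = c.Value); then drives the store, where the store name, table and column are hypothetical.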