
I wanted to find out if ADFS2.0 provides a way for users to be authenticated with a Custom Store? Version 1.0 you could only authenticate users in the Windows domain, using Forms/Windows Integrated/Cardspace. I have an ASP.NET website, which I would like the users to be authenticated against a custom store in SQL and then ADFS2.0 to take care of the claims issued to the user...

chugh97

3 Answers


That's not entirely true. While in its default form, ADFS v2.0 only allows you to authenticate against Active Directory, there is a hybrid approach. You can set the authentication type to forms (modify the Web.config file of the ADFS server in the \inetpub\adfs\ls directory).

Once set to forms, you can actually customize the ADFS signin page (FormsSigninPage.aspx) to do whatever custom authentication you want. Once the authentication passes, the rest of ADFS will pick back up where you left off.

Here's an article showing how to do exactly that: Customizing the ADFS Signin Pages

Glorfindel
Kevin Hoffman

(Information duplicated from another answer of mine, since the same answer applies here.)

The solution that is suggested in another answer to this same question is a bit misleading. If you read the actual blog post you see that they add an extra STS. AD FS 2.0 has a 'Claims Provider Trust' for that other STS, and redirects to it (if the 'home realm discovery' is set up correctly). That other STS then performs the authentication in whichever way it likes, sends a token back to AD FS, which then runs its claim rules.

So in that solution it is not AD FS 2.0 authenticating against an alternative store, but redirecting to an STS which authenticates against that store.

AD FS 2.0 itself does not allow authentication against a custom authentication store. (See this answer of mine for the official documentation at this point.)


ADFS 2.0 can only authenticate users in Active Directory. It can retrieve attributes from other stores (SQL, LDAP, custom), but not for authentication.

You might want to look at StarterSTS (http://startersts.codeplex.com/) as an alternative.

Eugenio

Eugenio Pace
  • ADFS can also federate against other IPs like Windows Azure ACS – Frode Stenstrøm May 29 '11 at 17:59
  • 3
    ACS is not an IdP. It's a "federation provider" and relies on external IdPs for user authentication. However, ADFS can trust ACS to issue tokens. It will not be the last STS in the chain, that is ACS will rely on someone else for authentication (e.g. LiveID, Google, Yahoo!, etc.) – Eugenio Pace Jun 01 '11 at 16:27
  • You are describing the setup we are trying to implement now. So far, the ACS to Google is working and I am excited to see if we can get ADFS in as part of the chain – Frode Stenstrøm Jun 01 '11 at 19:03
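An added illustration of the distinction the last answer draws between attribute retrieval and authentication (this is not code from any of the posts above). In AD FS 2.0 a SQL attribute store can be queried from an issuance transform rule, but the rule only runs after the user has already been authenticated against Active Directory, so the SQL database supplies claim values, never the logon decision. The attribute store name `CustomerDB`, the `Users` table and its column names are assumptions made up for this example; the claim type URIs are the standard ones.

```text
// Issuance transform rule on a Relying Party Trust (AD FS claim rule language).
// Input: the windowsaccountname claim that AD FS issues from the
// Active Directory logon that has ALREADY succeeded.
// Output: e-mail and role claims looked up in a SQL attribute store
// registered in AD FS under the (assumed) name "CustomerDB".
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(
      store = "CustomerDB",
      types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
               "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
      // {0} is bound to the first 'param' value; AD FS passes it as a query
      // parameter rather than splicing it into the SQL text.
      query = "SELECT Email, Role FROM Users WHERE SamAccountName = {0}",
      param = c.Value);
```

Two things worth checking when you deploy a rule like this: the query must return one column per entry in `types`, in the same order, and the rule never fires for an account that Active Directory rejected, which is exactly why a rule of this kind cannot substitute for authentication against the SQL store.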