
We are developing a web application to be hosted on our network, but the client wishes us to 'sync' with their (remote) active directory.

Basically, they would like to sign on to our web application using their AD credentials.

The key point is that the web application (ours) and the AD directory (theirs) are on two totally separate and disconnected networks.

What tools and/or strategies do you recommend to provide this service?

Our web application is c#/IIS.

Pete Lunenfeld
  • This question is quite similar to http://stackoverflow.com/questions/4664178/active-directory-authentication-for-saas-product and http://stackoverflow.com/questions/2567919/single-sign-on-for-a-web-app – Simon East Jul 16 '15 at 06:34

2 Answers


This scenario is one of the main scenarios supported by Windows Identity Foundation (WIF), provided they can expose their AD as a security token service (STS). They can do this using ADFS 2. The general approach is called identity federation. WIF integrates extremely well with ASP.NET.

There is lots of documentation on the web about WIF and identity federation with ADFS 2. For example, try this and also the documentation for the WIF SDK and Visual Studio tools.

Akhil Jain
Mike Goodwin

As I posted here...

My understanding is that there are three possible solutions:

  1. Installing something on the domain controller to capture all user changes (additions, deletions, password changes) and send updates to the remote server. Unfortunately there's no way for the website to know the initial user passwords - only new ones once they are changed.

  2. Provide access for the web server to connect to your domain controller via LDAP/WIF/ADFS. This would probably mean opening incoming ports in the company's firewall to allow a specific IP.

  3. Otherwise, bypass usernames/passwords and use email-based authentication instead. Users would just have to authenticate via email once every 3-6 months for each device.

I have to begin implementing this for an upcoming project and I'm seriously leaning towards option #3 for simplicity.

Simon East