My organization currently uses its own custom authentication like forms authentication to sign onto our website. We have a customer that has ADFS set up and wants SSO to our application. Our goal is to provide this to the customer but have an open architecture to permit other customers to do this as well in the future.
My requirements given by management:
- We cannot set up ADFS at our production site nor our own home-grown STS that is separate from our application. We will be relying on the customers to have their own identity provider if they want this and we need our app to directly connect to their IdPs.
- We need to be able to continue allowing our users to use our custom authentication as well as have our clients be able to be identity providers.
- We need to be able to handle multiple identity providers
- We will use a query parameter (?whr=www.customerurl.com/adfs.....) for home realm discovery so we know where to send the user.
- We are going to be accepting claims and specifically the user's email address.
- It would be in our best interest to be able to set up federation or SAML IdPs programmatically rather than through configuration. This way we can store info into the db about the user's home realm and deal with them as we need.
So, I've done a ton of research but feel like I am running in circles. For testing purposes, I set up a local ADFS on our test system to simulate it being the customer. I've used this guy's code example in one of our pages and am redirected to our test ADFS server where I can log in with my Active Directory credentials. My credentials are authenticated and I'm redirected back to the page but I do not receive the email claim back.
Most examples that I am seeing are either very broad architectural examples or for my application to connect to my ADFS server whereby we would configure our ADFS server to point to multiple identity providers. Management does not want that so that is a no go. Other examples I am seeing are also based on configuration-only which won't work. It's my understanding that WIF is supposed to make things easier but I can't seem to figure it out. I have looked for examples but some code examples I have found are for .Net 3.5 and we are using 4.5.
So, for some questions:
- Is it possible to set up an ASP.Net application to authenticate multiple users against their identity providers without using a local ADFS?
- Is it possible to programmatically check an IdP for user access without configuration?
- Can I check both SAML and WSFederation providers at the application level using WIF?
- Is the link I referenced going to help me?
- Can you offer any direction that has concrete code assistance for my situation?
Thank you.
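As an added example (not code from the original post, and not WIF's own sample), this is one way to wire the whr-driven redirect and per-tenant issuer validation described above using WIF in .NET 4.5. `TenantStore`, `Tenant` and the endpoint URL are hypothetical placeholders for the database lookup the post describes; the WSFederationAuthenticationModule is assumed to be registered in web.config under that name so the Global.asax event handler is auto-wired.

```csharp
// Global.asax.cs (added example; TenantStore/Tenant are hypothetical DB-backed types)
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Start()
    {
        // Replace the web.config issuer registry with one that looks tenants up in the DB,
        // so new customers can be added without touching configuration.
        FederatedAuthentication.FederationConfigurationCreated += (s, e) =>
            e.FederationConfiguration.IdentityConfiguration.IssuerNameRegistry =
                new TenantIssuerNameRegistry();
    }

    // Auto-wired by ASP.NET: <ModuleName>_<EventName>. Fires before the passive redirect,
    // so the customer's ADFS endpoint can be chosen from the ?whr= query parameter.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        string whr = HttpContext.Current.Request.QueryString["whr"];
        Tenant tenant = TenantStore.FindByHomeRealm(whr);       // hypothetical lookup; null if unknown
        if (tenant == null)
        {
            e.Cancel = true;          // never redirect to a realm that is not registered with us
            return;
        }
        // Hypothetical value, e.g. https://adfs.customer.example/adfs/ls/
        e.SignInRequestMessage.BaseUri = new Uri(tenant.PassiveEndpoint);
        e.SignInRequestMessage.HomeRealm = whr;
    }
}

// Accepts a token only when its signing certificate thumbprint matches a registered tenant.
// Returning null makes WIF reject the token, so an unknown or self-signed issuer cannot sign in.
public class TenantIssuerNameRegistry : IssuerNameRegistry
{
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509 = securityToken as X509SecurityToken;
        if (x509 == null) return null;                          // unsigned or unexpected token type
        Tenant tenant = TenantStore.FindByThumbprint(x509.Certificate.Thumbprint); // hypothetical
        return tenant == null ? null : tenant.IssuerName;       // issuer name stored per tenant
    }
}
```

The missing email claim is not something this code can produce: it is emitted by the claim rules configured on the customer's ADFS for your relying party trust, so that side must be set to issue the email address before your application will see it.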