search

DuendeSoftware / Support

Support for Duende Software products
21 stars 0 forks source link

ADFS and Azure AD as external providers - technical question #950

Closed miksi10 closed 1 year ago

miksi10 commented 1 year ago

As it was mentioned here https://docs.duendesoftware.com/identityserver/v6/ui/login/external/, It is possible to integrate Duende IdentityServer with another external login providers. I would like to ask some questions about integration with ADFS and Azure AD.

Is there any more detailed documentation about connecting with ADFS and Azure AD, and what is necessary to do on ADFS and Azure AD, as prerequisite for integration with Duende IdentityServer?

Also, are there any limitations in terms of versions for mentioned components (ADFS, Azure AD)?

Is it possible to integrate Duende with ADFS 3, or is necessary to use latest version of ADFS which is 4?

In general, there are not many resources online for this type of integration, so any help would be appreciated. Thank you in advance,

AndersAbel commented 1 year ago

Duende IdentityServer relies on the standard Asp.Net Core features for external authentication.

For integration with Entra ID (formerly Azure AD), you can either use Microsoft.Identity.Web or Microsoft.AspNetCore.Authentication.AspNetCore. Please see Microsoft's documentaiton at https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-overview?tabs=aspnetcore. Please note that while Entra ID is OpenID connect compliant in single tenancy mode, the common endpoint for multi-tenanted Entra ID applications is not fully standard compliant and requires adaptions for issuer validation.

All versions of ADFS supports the WS-Federation and Saml2 protocols. Microsoft supplies the Microsoft.AspNetCore.Authentication.WsFederation for WS-Federation. Saml2 is available through third party libraries, e.g. Sustainsys.Saml2.AspNetCore2. ADFS from version 2016 and up supports OpenID Connect, which is a more modern protocol. But, my experience is that the OpenID Connect configuration in ADFS is harder to work with than the WS-Fed/Saml2 configuration. It might be better to use WS-Fed or Saml2 for that reason, especially if you are integrating with external customers that control their own ADFS servers. Microsoft has a guide for WS-Fed at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-7.0

AndersAbel commented 1 year ago

Do you have any more questions or can we go ahead and close this issue?