IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Questions about chained authentication, adaptive risk, OpenAM/OpenSSO #464

Closed thomastvedt closed 10 years ago

thomastvedt commented 10 years ago

Hi.

I have a few questions about IdentityServer (I don't know if this is the right place to ask?)

First some background: Today we're using OpenAM as identity provider, and another OpenAM as a service provider. Our .NET applications communicate with the service provider using a custom-built HttpHandler. The SP redirects to the IdP, which is located elsewhere (out of our control). The IdP returns a user's birthnumber and securitylevel (this is a national service, and every citizen in Norway can sign in here). Our SP passes through the birthnumber and securitylevel claims from the IdP to our .NET application (using built-in functionality in OpenAM). We also have a custom-developed PAP module (post-authentication-processing module) developed in Java for OpenAM which applies some custom attributes to the token from a database before it's returned to our .NET applications.

What we want:

Questions:

  1. Have you tested IdentityServer against OpenAM/OpenSSO?
  2. Does IdentityServer support or plan to support chained authentication? (This is a nice feature in OpenAM.) If not, would it be hard to implement?
  3. Does IdentityServer support/plan to support adaptive risk? For example: a user can log in with AD and gets read access, but if the user wants to edit, he is requested to provide additional login information (SMS, or similar).
  4. What do you mean when you say that IdentityServer has "Out of the box integration with ASP.NET membership, roles and profile"?
  5. We are currently considering IdentityServer, ADFS 2.0, and OpenAM as our service provider/STS. Do you have any thoughts on which solution would fit our needs?
  6. I've tried to connect to OpenAM using WIF (without success). Do you know if anyone has accomplished this before?
  7. You're having a claims-workshop in London at NDC, does it include pizza?

-Thomas

thomastvedt commented 10 years ago

I realize that this was a lot of questions at once. What I really want to know the answer to is question 2. Any thoughts? :-)

brockallen commented 10 years ago

  1. I have not
  2. we support WS-Federation and the federation gateway pattern
  3. not currently, but the code is open source :)
  4. this means you can use the membership system for your backing identity store and for validating credentials
  5. no idea
  6. no idea
  7. no idea