
We have a hosted web application that uses forms authentication. This web application is accessed by users belonging to different partner organizations. Currently, users belonging to the partner organizations access the application using the credentials that we give to them.

Now, some partner organizations want their users to access the application using their Active Directory credentials. We are planning to use ADFS for these partner organizations, so the users will be authenticated using Active Directory within their network and claims will be sent to the web app via the authentication token cookie set by ADFS. From the claims, we map the users to the internal userIds of the web application.

My questions are, if we make the web application ADFS-enabled: 1) Is it possible to still allow the other partner organization users (who don't want to use ADFS) to log in to the web application using the existing login page (forms authentication)? 2) Should every page in the ADFS-enabled web app be accessed through HTTPS?

Any solutions or pointers would be much appreciated.

Thanks -arul

+1  A: 

Your app needs to require claims that describe the user, regardless of where they log in from. It should not handle authentication in either case; this should be delegated to a trusted issuer, an STS. This will allow it to interact w/ users in a uniform way irrespective of where and how they authenticate.

This means that you're going to need to use ADFS in two roles: that of an Identity Provider (IP) STS and of a Federation Provider (FP) STS. For users of partner companies that don't want to maintain users themselves, you'll be the IP-STS; for those that do, you'll be an FP-STS. In the latter case, ADFS will redirect users from your realm back to the partner's site where their IP-STS will authenticate them and send them to your FP-STS. It will map your partner's user ID and claims into ones that make sense in your realm. This and other information about the user will be included in the set of claims that are issued from your FP-STS. As a result, your app only trusts your STS regardless of which scenario is appropriate for different users.

Note that in this scenario, there will be two STSs: your ADFS FP-STS and your partner's IP-STS, which may or may not be ADFS. In the other case, there will only be one STS: your IP-STS.

Not every page on your ADFS Web app needs to be accessed via HTTPS; however, every one that's used in the authentication process should be.

This is really a non-trivial undertaking. If you want to talk about it more, please feel free to get in touch w/ me.

Travis Spencer
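As an added illustration of the trust chain the answer describes (not code from the answer, from ADFS or from WIF; a language-agnostic Python model), the relying party accepts claims only from its own STS, while the FP-STS re-issues a partner IP-STS token under its own issuer with org-qualified identifiers. STS URLs, partner names and the userId mapping are assumed/constructed, and token signature verification is assumed to have already happened before these functions run.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str  # the STS that asserted this claim (signature assumed already verified)

# Assumed identifiers, not from the original thread.
OUR_STS = "https://sts.ourapp.example/adfs"  # our ADFS, acting as IP-STS and FP-STS
PARTNER_IP_STS = {                           # registered partner IP-STS -> partner org
    "https://sts.partner-a.example/adfs": "partner-a",
    "https://sts.partner-b.example/adfs": "partner-b",
}
# Constructed sample of the app's mapping from federated identity to internal userId.
INTERNAL_USER_ID = {"partner-a:alice@partner-a.example": 1042}

def _claim(claims: list[Claim], claim_type: str) -> Claim:
    for c in claims:
        if c.type == claim_type:
            return c
    raise PermissionError(f"required claim '{claim_type}' missing")

def fp_sts_issue(incoming: list[Claim]) -> list[Claim]:
    """FP-STS role: accept a partner IP-STS token and re-issue claims for our realm."""
    issuers = {c.issuer for c in incoming}
    if len(issuers) != 1:
        raise PermissionError("token must come from exactly one issuer")
    org = PARTNER_IP_STS.get(issuers.pop())
    if org is None:
        raise PermissionError("issuer is not a registered partner IP-STS")
    upn = _claim(incoming, "upn").value
    # Qualify the partner's user id with the org so two partners cannot
    # collide on (or assert) the same upn string.
    return [Claim("partner_org", org, OUR_STS),
            Claim("partner_upn", f"{org}:{upn}", OUR_STS)]

def ip_sts_issue(internal_user_id: int) -> list[Claim]:
    """IP-STS role: for users we hold ourselves, after our own authentication."""
    return [Claim("internal_user_id", str(internal_user_id), OUR_STS)]

def app_resolve_user(claims: list[Claim]) -> int:
    """Relying party: trust only OUR_STS, then map the claims to an internal userId."""
    if not claims or any(c.issuer != OUR_STS for c in claims):
        raise PermissionError("token not issued by our STS")
    if any(c.type == "internal_user_id" for c in claims):
        return int(_claim(claims, "internal_user_id").value)
    key = _claim(claims, "partner_upn").value
    if key not in INTERNAL_USER_ID:
        raise PermissionError("federated user has no internal account")
    return INTERNAL_USER_ID[key]
```

A partner token handed straight to the app, or a second partner's IP-STS asserting the first partner's upn, is rejected; only claims issued by our own STS resolve to a userId.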
Thanks much, Travis Spencer. I am looking into converting our current SQL identity provider to an IP-STS. Thanks again for the guidance.
arul