Re: ADAM - SSO and provisioning considerations



There are other things you might want to consider too. For example, if your
needs for a directory are primarily authorization-related (need application
specific groups and such), you might want to consider using AzMan as the
core of your authorization architecture.

AzMan supports Windows, ADAM and "custom" security principals and gives you
a lot of flexibility there.

Another aspect of this would be to support some kind of a plugin framework
for authentication, where you might ship some default providers (ADAM LDAP
bind, using the existing Windows user's security context, LDAP bind to AD,
SSPI to AD/Windows, LDAP bind to other directory, etc.), with the ability to
allow the customers and third parties to add their own authentication
providers. That way, if you end up needing to support something like smart
cards or RSA SecurID tokens or something, a plugin approach could be used.
Once the user is authenticated, then the user's authenticated identity would
be used to link up to the authorization store.

Another thing to consider is the federated model I talked about in my other
post with ADFS and similar technologies (SAML, etc.). Getting up to speed
on that stuff will probably help you make better design decisions about how
to proceed.

Best of luck,

Joe K.

"Rob Lewis" <roblewis5@xxxxxxxxx> wrote in message
news:1123270284.401018.89860@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Thanks Joe! That's exactly what I needed to know.
>
> As far as account/password sync goes: I agree - not a good solution.
> Especially since it would need to be a custom job for each different
> store / authentication scheme.
>
> That leaves me in a bit of a bind though (no pun intended). If not
> ADAM, then what? :-(
>
> I suppose another way to go would be to go ahead with ADAM, but if the
> customer's identity store is a non-MS directory, then they will have to
> get the accounts into ADAM and live with multiple identity stores and
> all that that involves...that scenario is far better than what we have
> now. And I'm guessing that the majority of our customers use AD.
>
> Thanks for all the advice!
>
> - Rob
>
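As an added illustration of the plugin approach Joe describes above (example code written for this page, not from the thread, ADAM or any Microsoft sample): a minimal C# provider registry with one LDAP simple-bind provider that serves either ADAM or AD, and a role lookup delegate standing in for the AzMan authorization store. The host, port, DN template and provider names are assumed values.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
// A provider vouches for a claimed user and returns the identity that is then linked to the authorization store (AzMan in the thread), or null when it cannot.
public interface IAuthenticationProvider
{
    string Name { get; }
    string Authenticate(string user, string secret);
}
// LDAP simple bind. The same class serves ADAM or AD; only host, port and DN template differ.
public sealed class LdapBindProvider : IAuthenticationProvider
{
    private readonly string _host, _dnTemplate; private readonly int _port;
    public string Name { get; private set; }
    public LdapBindProvider(string name, string host, int port, string dnTemplate)
    { Name = name; _host = host; _port = port; _dnTemplate = dnTemplate; }
    public string Authenticate(string user, string secret)
    {
        // Empty password = anonymous bind, which most directories accept; DN metacharacters in the name would let the caller rewrite the DN built from the template.
        if (string.IsNullOrEmpty(secret) || user.IndexOfAny(new[] { ',', '=', '+', '\\', '"' }) >= 0) return null;
        string dn = string.Format(_dnTemplate, user);      // e.g. "CN={0},OU=Users,O=App" (constructed)
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(_host, _port)))
        {
            conn.SessionOptions.SecureSocketLayer = true;  // simple bind otherwise sends the password in clear
            conn.AuthType = AuthType.Basic;
            conn.Credential = new NetworkCredential(dn, secret);
            try { conn.Bind(); return dn; }
            catch (LdapException) { return null; }         // wrong password, disabled account, server unreachable
        }
    }
}
// The framework itself: providers register by name; a successful authentication is linked to roles.
public sealed class AuthenticationService
{
    private readonly Dictionary<string, IAuthenticationProvider> _providers =
        new Dictionary<string, IAuthenticationProvider>(StringComparer.OrdinalIgnoreCase);
    private readonly Func<string, string[]> _rolesFor;    // authorization-store lookup (AzMan; assumed delegate)
    public AuthenticationService(Func<string, string[]> rolesFor) { _rolesFor = rolesFor; }
    public void Register(IAuthenticationProvider p) { _providers[p.Name] = p; } // customers/third parties plug in here
    // Returns (identity, roles) or null. A provider that says no never falls through to another one.
    public Tuple<string, string[]> Login(string provider, string user, string secret)
    {
        IAuthenticationProvider p;
        if (!_providers.TryGetValue(provider, out p)) return null;
        string identity = p.Authenticate(user, secret);
        return identity == null ? null : Tuple.Create(identity, _rolesFor(identity));
    }
}
```

A constructed wiring looks like svc.Register(new LdapBindProvider("adam", "adam.example.local", 636, "CN={0},OU=Users,O=App")) followed by svc.Login("adam", "rob", password); a Windows SSPI or smart-card provider is just another class implementing the same interface.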