Re: Active Directory authorization

AD should be fine as a source for authentication for your web service. The easiest way to use AD for authentication is to just use the transport layer authentication schemes built in to IIS (basic, integrated, digest, client certs). I'd suggest that as a going in position as it works well with a broad array of different clients and does not require support for message layer security or any other WS-* specific features.

For app level authorization, I'd suggest checking out Microsoft's Authorization Manager (AzMan) framework. It is a powerful role-based security mechanism that has excellent principal mapping support for AD security principals (users and groups) and can work with other principal sources as well (ADAM, ADFS, etc.).

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"faanyan" <faanyan.3kc7nf@xxxxxxxxxxxxx> wrote in message news:faanyan.3kc7nf@xxxxxxxxxxxxxxxx

Hi, I'm doing a project about single authentication and authorization
using Web Service and Active Directory.
The main idea is that any application in an organization should adapt
themselves for using my Web Service in
parts of authentication to use only one users' identity for a user for
every applications.
The users' identities are kept in AD and used by the Web Service.

Another part is authorization.
Now, I designs that the service provides methods for application
registration so that the applications can register to the service and
that the service manages publishing the applications into the AD. The
application developers also has to grant privileges for an application
to groups/roles of users via the service. This can authorize users who
access applications.

Moreover, I want to do central authorization in a deeper level, the
business logic level of the applications. I want my service, whose
authorization core is on AD, to be able to control users using internal
processes of an application like the way GPOs work with Windows. I
wonder if it's possible? Maybe done by controlling some libraries in
NET Framwork for .NET applications or something like that (I wonder if
AD has such features)?


--
faanyan
------------------------------------------------------------------------
faanyan's Profile: http://forums.techarena.in/members/faanyan.htm
View this thread: http://forums.techarena.in/active-directory/1086810.htm

http://forums.techarena.in


.

Relevant Pages

  • Re: SSO advice
    ... > applications that the user has authorization. ... > Authentication on IIS is the most effective way to authenticate the user. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Active Directory authorization
    ... I'm doing a project about single authentication and authorization ... using Web Service and Active Directory. ... every applications. ...
    (microsoft.public.windows.server.active_directory)
  • Active Directory authorization
    ... I'm doing a project about single authentication and authorization ... using Web Service and Active Directory. ... every applications. ...
    (microsoft.public.windows.server.active_directory)
  • Re: SSO advice
    ... You can do both Windows Integrated aith and forms auth if you want. ... Basically, the main site is forms authentication, it has a "sub-site" within ... > applications that the user has authorization. ...
    (microsoft.public.dotnet.security)
  • SSO advice
    ... applications that the user has authorization. ... Our research has led us to the conclusion that using Windows Integrated ... Authentication on IIS is the most effective way to authenticate the user. ...
    (microsoft.public.dotnet.security)
Loading