This is more of a random collection of thoughts, because earlier today I came to the
conclusion that I need something very similar to Active
Directory Federation Services, except for non-domain users. This is relatively
easy to do; all I need is to create a Security Token Service (STS) with a user store for the
back end.
The simplest approach is to use ASP.NET Membership and Roles with the SQL providers wrapped
up by some WIF special sauce. Turns out Dominick Baier already did just that
with StarterSTS.
The problems I have with this are that it’s a pain to manage when you start getting
more than a hundred or so users, and extending user properties is hard to do too.
So my solution is to use something that is designed for user identities… an LDAP directory.
If it’s good enough for Active Directory, it’ll be plenty useful for this situation.
Reasoning
As an aside, the reason I’m not using Active Directory in the first place
is because I need to manage a few thousand well-known users without CALs. This
would amount to upwards of a couple hundred thousand dollars in licensing costs, which
just isn’t in the budget. Further, most of these users probably wouldn’t
use any of our systems that use Active Directory for authentication, but nevertheless
we need accounts for them.
Also, it would be a lot easier to manage creation and modification of user accounts
because there are loads of processes that have been designed to pull user data out
of HR applications into LDAP directories instead of custom SQL queries.
So let’s think about what makes up Active Directory Federation Services. It has
roles that provide:
- Token Services
- A Windows Authentication end-point
- An attribute store-property-to-claim mapper (maps any LDAP properties to any claim
types)
- An application management tool (MMC snap-in and PowerShell cmdlets)
- Proxy Services (allows requests to pass through NAT’ed zones)
That’s a pretty lightweight product when you compare it to the other services in Microsoft’s
Identity stack.
We can simplify it even further by breaking down the roles we need.
Token Services
This is actually pretty easy to accomplish. Refer back to the WIF magic sauce.
Authentication end-point
This is just (well, you know what I mean) a web page login control. We can’t
do Windows Authentication without Kerberos (or NTLM), and we can’t do Kerberos without
Active Directory (technically it could be done, but you’d be crazy to try).
Attribute store-property-to-claim mapper
ADFS can connect to a bunch of different attribute stores, including custom built
stores if you provide assemblies. We only really need to map to a few LDAP properties,
and make it easy to map to other properties in the future.
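To make the mapper concrete, here is an added example (not code from the post or from StarterSTS) of a configuration-driven LDAP-attribute-to-claim mapper. The LDAP entry and the mapping table are constructed inline; in a real STS the entry would come from an LDAP search and the mapping from the configuration database. Only attributes listed in the mapping ever become claims, so attributes like employeeNumber (or anything else in the directory) never leak into a token by accident, and multi-valued memberOf entries become one role claim per group.

```python
"""LDAP attribute -> claim mapper for a custom STS (added example)."""
from typing import Dict, List, Tuple

# Standard WIF/ADFS claim-type URIs.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed mapping table: LDAP attribute -> claim type. This is an
# allow-list: attributes not listed here are never emitted as claims.
DEFAULT_MAPPING: Dict[str, str] = {
    "uid": NAME,
    "mail": EMAIL,
    "givenName": GIVENNAME,
    "sn": SURNAME,
    "memberOf": ROLE,
}

# Constructed LDAP entry, shaped like a python-ldap/ldap3 result.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "memberOf": ["cn=Payroll,ou=groups,dc=example,dc=com",
                 "cn=Staff,ou=groups,dc=example,dc=com"],
    "employeeNumber": ["0042"],  # not in the mapping, must not appear
}

def group_cn(dn: str) -> str:
    """Return the CN of a group DN, e.g. 'Payroll' from 'cn=Payroll,ou=...'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    if key.strip().lower() != "cn" or not value.strip():
        raise ValueError(f"not a CN-led group DN: {dn!r}")
    return value.strip()

def map_claims(entry: Dict[str, List[str]],
               mapping: Dict[str, str] = DEFAULT_MAPPING) -> List[Tuple[str, str]]:
    """Turn an LDAP entry into (claim_type, value) pairs using the allow-list."""
    lower = {k.lower(): v for k, v in entry.items()}  # LDAP names are case-insensitive
    claims: List[Tuple[str, str]] = []
    for attr, claim_type in mapping.items():
        for value in lower.get(attr.lower(), []):
            if not value or not value.strip():
                continue  # skip empty attribute values
            claims.append((claim_type, group_cn(value) if claim_type == ROLE else value.strip()))
    return claims

if __name__ == "__main__":
    for claim_type, value in map_claims(SAMPLE_ENTRY):
        print(claim_type, "=", value)
```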
Application management tool
This would be to manage the mapper and a few STS settings like URI names and certificates.
This, I think, would be a relatively simple application if we designed the configuration
database properly.
Proxy Services
Proxies are a pain in the butt. Useful in general, but we don’t really need
to think about this at the moment.
Some Warnings
There are some things that are worth mentioning. We have to be really careful
about what we create because we are developing a serious piece of the security infrastructure.
Yes, it is for a group of employees that won’t have much access to anything dangerous
(if they need access, they’d be migrated to Active Directory), but nevertheless we
are creating the main ingress point for the majority of our employees. It also
needs to be accessible from the internet.
It may sound like I think it’ll be a cinch to develop this system and have it work
securely, but in reality there is a lot that will need to go into it to protect the
network, the employees, and the data this could possibly interact with. It is
tough to develop applications securely. It is far harder to develop secure applications
whose sole responsibility is security related.
Next Steps
The next step is to design the thing. I know how it will exist in relation to
the systems it will be used to provide identity to, but aside from that, the architecture
of the thing is still unknown. With any luck I can accomplish rough designs
tomorrow on the train, on my way to visit family for the holiday.
Better yet, maybe while visiting with family.