Within our organization, our applications are registered as RPs to our organizational ADFS server, which is v2. Traditionally, apps in the org have been built as single, monolithic apps using WS-Federation (passive authentication). Web APIs, also hosted within each app, are secured simply by the fact that the same FedAuth cookie is being sent over the wire when making the ajax calls from the app’s client-side code in the browser.

We are moving towards building a set of backend Web APIs, which we want to secure so that these are callable by any client, not just a web browser and not just by the hosting application itself. As such, we want to move towards using JWT tokens for these Web APIs. We've also started using ThinkTecture's IdentityServer (v2) to help in this regard.

We have just a few questions which I'm hoping the community can help us with by providing some answers/pointers:

  1. How should we configure IdentityServer and apps so that the apps use the existing organizational ADFS login page?
  2. How can we configure/integrate ThinkTecture IdentityServer v2 with the organizational ADFS so that our APIs can be secured using JWT tokens but without forcing the user to provide their credentials again (once they have a SAML token via WS-Federation)?
  3. Are there any features in IdentityServer v3 which are compelling enough to upgrade from IdentityServer v2 to v3?

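To make concrete what "securing the Web API with JWT tokens" means on the API side, here is an added example (not from the question, the answer, or IdentityServer itself) that mints an HS256 JWT for an already-authenticated user and shows the checks a backend API must run on every bearer token before trusting any claim: signature, algorithm, issuer, audience and validity window. The issuer URL, API audience and shared signing key are constructed placeholders; a symmetric key is assumed for brevity, whereas a real deployment may instead validate against the issuer's X.509 signing certificate.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (hypothetical values, not from the original page).
ISSUER = "https://identityserver.example.local/issue"
API_AUDIENCE = "https://api.example.local/"
SECRET = b"constructed-demo-key-do-not-use"   # key shared by issuer and API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, lifetime: int = 3600, now=None) -> str:
    """Issuer side: mint an HS256 JWT for a user who already authenticated (e.g. via ADFS)."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iss": ISSUER, "aud": audience, "sub": subject,
               "nbf": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, now=None) -> dict:
    """API side: a bearer token is trusted only after every check below passes."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":       # the API fixes the algorithm; the token never chooses it
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # verify before parsing claims
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != API_AUDIENCE:  # a token minted for another RP must not work here
        raise ValueError("token not intended for this API")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    return claims
```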
1 Answer

1 & 2 - You might want to check out how to establish Relying Parties. Here's a whole article from Brock Allen (the genius behind IdentityServer) that walks you through the ADFS/IdentityServer2 integration.

http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/

3 - As far as I know, IdentityServer3 (IS3) was written to support newer authorization frameworks (OpenID) for the modern stack better than IS2 (which doesn't support OpenID). Either is fine for use. I personally started with IS3, mainly because of the support and documentation involved. It also integrates very well with OWIN/Katana, so it can self-host reasonably well with no hiccups during implementation and deployment. One advantage IS2 has over IS3 is that IS2 has an admin UI you can use to configure and register sites; IS3 doesn't. More info about this, along with the thought process behind IS3, can be found here:

http://leastprivilege.com/2015/01/25/identityserver3-1-0-0/