0
votes

We have created an SSO solution using IdentityServer4. Our public/affiliated users are authenticated by an account stored in a database and our corporate/internal users are authenticated using their Active Directory accounts.

The problem we're having is that when we host our IdentityServer solution on a DMZ (not on our domain) it cannot access Active Directory (on our domain) to verify a user's login credentials and roles/claims.

My goal is to know the best solution to this problem.

  • Is the best practice to implement Active Directory Federation Services?
  • Do we need to host IdentityServer on our domain so that it has AD access and then create a second application to host externally and call in to our actual IdentityServer?
  • Is there a secure solution our networking team can implement to allow the external server to access AD on our domain (i.e., somehow grant AD permissions to the IIS Application Pool Identity)?

At a bit of a loss on what the best practice is here. Not sure if this is a problem for our networking/operations team or for our development team.

Thanks in advance.

1
I don't know anything about it, but I've been told you might want to look at Active Directory Federation Services... - thebjorn
I'll edit my post to include that; we actually did look into it some and are currently researching it further. Our networking team is concerned it may take a long time to implement, but if that's the best solution then we'll move forward with it. Just gathering information right now to see if there are better options or if that is indeed the best solution. Thanks for the input :) - madeFromCode

1 Answer

0
votes

IdentityServer4 supports deploying the UI (login pages) as a separate application. So one solution is to have the UI in the DMZ and the other back-end (BE) server in the domain. In all other cases, you will be providing database access to a server in the DMZ (which is not supposed to be the best thing).