My company has written our web applications to use ADFS's Single-Sign On, but we're not using Federation at all - we just let any user on the Internet create their own (low-priv Active Directory) accounts on our DMZ domain (and there are no AD trusts between that and our corporate domain).

Is this a common ADFS configuration? Are there any security concerns I should be paying attention to here?

1 Answer

I've seen a number of these.

The general use case is that it is for low-importance applications, i.e. the company doesn't grind to a halt if the whole thing is hacked.

Also, it has self-service provisioning / password reset so that the help desk does not have to be involved.

There should be no AD trusts to the internal AD and no federation to any internal ADFS.

You could also use Azure AD B2C for this.
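As an added example, not code from the question or the answer above: a PowerShell audit that checks, on the DMZ side, the three properties the answer relies on (no AD trusts from the DMZ domain, no claims provider trusts in the DMZ ADFS beyond its own directory, and no self-registered accounts holding privileged group membership). It assumes it runs on a DMZ domain-joined host with the ActiveDirectory and ADFS modules installed, that the DMZ ADFS's only expected claims provider trust is the default one named "Active Directory", and that `$PrivilegedAllowList` is a placeholder for the handful of admin accounts you actually expect.

```powershell
# Added audit script (hypothetical; not from the original post).
# Assumes: DMZ domain-joined host, ActiveDirectory + ADFS modules present.
Import-Module ActiveDirectory
Import-Module ADFS

# Placeholder: accounts that are *expected* to hold privileged membership
# in the DMZ domain. Replace with your own list.
$PrivilegedAllowList = @('DMZ\svc-admin-placeholder')

$findings = @()

# 1. The DMZ domain should have no trusts at all: a trust is the path an
#    attacker who compromises a self-registered account would use to reach
#    the corporate forest.
$trusts = Get-ADTrust -Filter *
foreach ($t in $trusts) {
    $findings += "AD trust present: $($t.Name) (direction: $($t.Direction))"
}

# 2. The DMZ ADFS should federate with nothing but its own directory.
#    Any extra claims provider trust means an external identity can be
#    asserted into the DMZ applications.
$extraCpt = Get-AdfsClaimsProviderTrust | Where-Object { $_.Name -ne 'Active Directory' }
foreach ($cpt in $extraCpt) {
    $findings += "Unexpected claims provider trust: $($cpt.Name) ($($cpt.Identifier))"
}

# 3. Self-service accounts must stay low-privilege. Flag any member of the
#    built-in privileged groups that is not on the allow list.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')
foreach ($g in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $acct = "$env:USERDOMAIN\$($m.SamAccountName)"
        if ($PrivilegedAllowList -notcontains $acct) {
            $findings += "Unexpected privileged member: $acct in '$g'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no trusts, no extra claims providers, no unexpected privileged members.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from a scheduled task or a pipeline step so that a trust or claims provider trust added later (intentionally or otherwise) shows up as a failed check rather than being discovered during an incident.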