Wednesday, August 26, 2009 3:36 PM
I am looking at setting up "Geneva" Server in an environment where we have internal website users that are in Active Directory and external users who are not. For the external users we would like to present a custom login/registration page and to authenticate users against an external users database.
What I've read so far seems to indicate that the "Geneva" Server passive authentication approach only works against Active Directory. I can't see a way to configure it to use any other store of users (other than for providing additional claims once a user has been authenticated).
At the moment, the only solution I can think of is to write a custom STS for authenticating the external users and then setting this up as an identity provider in "Geneva" Server. This doesn't seem ideal. Is there another approach - ideally where I could write a custom login page and have the "Geneva" Server FederationPassive site use this but still issue a token from "Geneva" Server?
Thursday, August 27, 2009 9:23 PM
You're correct - the easiest way to do this is via a custom STS that you then configure as an identity provider for your main AD FS server.
To make the experience more fluid to your users, you can customize the web pages to provide the option to log in for external users. This web page could submit the request to your custom STS, receive a token, and then call the SignIn method on the FaultHandlingWSFederationPassiveAuthentication.
Does this answer your question?
Friday, August 28, 2009 8:26 AM
Friday, January 29, 2010 7:31 PM
We posted a blog post on how to customize the web UI to authenticate a username/password against a different account store. Have a look at http://blogs.msdn.com/card/archive/2010/01/27/customizing-the-ad-fs-2-0-sign-in-web-pages.aspx
You'll still need to throw up an STS that talks WS-Trust, but WIF or StarterSTS should make that process pretty smooth.
- Marked As Answer by Vani Nori [MSFT] Moderator, Monday, February 22, 2010 6:37 PM
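The two answers above outline the same design: a WS-Trust STS built on WIF that authenticates external users against a separate account store, which AD FS 2.0 then trusts as a claims provider. The following C# sketch is an added example of that STS, not code from the thread, from the linked blog post, or from StarterSTS. It uses the WIF 1.0 API (Microsoft.IdentityModel.*); the IExternalUserStore interface, the in-memory store, the user "alice", and the AD FS identifier https://adfs.example.com/adfs/services/trust are constructed placeholders. Credentials are checked in a UserNamePasswordValidator on the WCF binding, and the STS only issues tokens for the relying party it has been configured for, so a stolen endpoint address cannot be used to mint tokens for arbitrary audiences.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical external account store (assumption: your real store replaces this).
public interface IExternalUserStore
{
    bool ValidateCredentials(string userName, string password);
    IEnumerable<string> GetRoles(string userName);
}

// Constructed in-memory store for demonstration only. A real store would
// compare salted password hashes, never plaintext.
public class InMemoryUserStore : IExternalUserStore
{
    private readonly Dictionary<string, string> _passwords =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) { { "alice", "correct horse" } };
    private readonly Dictionary<string, string[]> _roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) { { "alice", new[] { "ExternalUser" } } };

    public bool ValidateCredentials(string userName, string password)
    {
        string expected;
        return _passwords.TryGetValue(userName, out expected) && expected == password;
    }

    public IEnumerable<string> GetRoles(string userName)
    {
        string[] roles;
        return _roles.TryGetValue(userName, out roles) ? roles : new string[0];
    }
}

// Shared store instance; WCF creates validators from config, so a static hook is used here (assumption).
public static class ExternalUsers
{
    public static IExternalUserStore Store = new InMemoryUserStore();
}

// Plugged into the WS-Trust endpoint's message-security binding (serviceCredentials/userNameAuthentication).
public class ExternalStoreValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || !ExternalUsers.Store.ValidateCredentials(userName, password))
            throw new SecurityTokenException("Invalid credentials."); // generic message: do not leak which part failed
    }
}

public class ExternalUserStsConfiguration : SecurityTokenServiceConfiguration
{
    // Placeholder: the identifier of the AD FS 2.0 federation service that will consume our tokens.
    public const string AdfsIdentifier = "https://adfs.example.com/adfs/services/trust";

    public ExternalUserStsConfiguration(string issuerName, X509Certificate2 signingCert)
        : base(issuerName, new X509SigningCredentials(signingCert))
    {
        SecurityTokenService = typeof(ExternalUserSts);
    }
}

public class ExternalUserSts : SecurityTokenService
{
    public ExternalUserSts(SecurityTokenServiceConfiguration config) : base(config) { }

    // Scope decides who may receive a token. Refusing unknown AppliesTo values is the key control:
    // an STS that signs for any audience becomes a token-minting oracle.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");

        string relyingParty = request.AppliesTo.Uri.OriginalString;
        if (!string.Equals(relyingParty, ExternalUserStsConfiguration.AdfsIdentifier, StringComparison.OrdinalIgnoreCase))
            throw new InvalidRequestException("Token issuance is not permitted for this relying party.");

        var scope = new Scope(relyingParty, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // set true and supply EncryptingCredentials once AD FS's encryption cert is known
        scope.ReplyToAddress = relyingParty;
        return scope;
    }

    // The principal has already passed ExternalStoreValidator; map it to the claims AD FS will pass through.
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated.");

        string userName = principal.Identity.Name;
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, userName));
        foreach (string role in ExternalUsers.Store.GetRoles(userName))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}
```

Host the configuration with WSTrustServiceHost (or the equivalent WSTrustServiceContract endpoint) over a transport-with-message-credential binding that references ExternalStoreValidator, then register the STS in AD FS as a claims provider trust and add pass-through rules for the Name and Role claims. The customized AD FS sign-in page from the blog post above is what collects the username and password and calls this endpoint.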