How to authenticate a non-Active Directory user in "Geneva" Server

    Question

  • I am looking at setting up "Geneva" Server in an environment where we have internal website users that are in Active Directory and external users who are not. For the external users we would like to present a custom login/registration page and to authenticate users against an external users database.

    What I've read so far seems to indicate that the "Geneva" Server passive authentication approach only works against Active Directory. I can't see a way to configure it to use any other store of users (other than for providing additional claims once a user has been authenticated).

    At the moment, the only solution I can think of is to write a custom STS for authenticating the external users and then setting this up as an identity provider in "Geneva" Server. This doesn't seem ideal. Is there another approach - ideally where I could write a custom login page and have the "Geneva" Server FederationPassive site use this but still issue a token from "Geneva" Server?
    Wednesday, August 26, 2009 3:36 PM

All replies

  • You're correct - the easiest way to do this is via a custom STS that you then configure as an identity provider for your main AD FS server.

    To make the experience more fluid to your users, you can customize the web pages to provide the option to log in for external users.  This web page could submit the request to your custom STS, receive a token, and then call the SignIn method on the FaultHandlingWSFederationPassiveAuthentication.

    Does this answer your question?
    Thursday, August 27, 2009 9:23 PM
  • You can have a look at Starter STS - this should get you started quite quickly.

    http://startersts.codeplex.com

    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Friday, August 28, 2009 8:26 AM
  • We posted a blog post on how to customize the web UI to authenticate a username/password against a different account store.  Have a look at http://blogs.msdn.com/card/archive/2010/01/27/customizing-the-ad-fs-2-0-sign-in-web-pages.aspx

    You'll still need to throw up an STS that talks WS-Trust, but WIF or StarterSTS should make that process pretty smooth.
    Friday, January 29, 2010 7:31 PM
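
The approach the first and third replies describe (a custom sign-in page that checks the external store, then a WIF-based STS that speaks WS-Trust/WS-Federation and is trusted by AD FS 2.0 as a claims provider) looks roughly like the following. This is an added example, not code from the thread, from StarterSTS or from the linked blog post. Class and member names are those of WIF 3.5 (Microsoft.IdentityModel); IExternalUserStore, the AD FS endpoint URL, the issuer name and the certificate thumbprint are assumptions to be replaced with your own.

```csharp
// Added example (not from the original thread): a WIF 3.5 custom STS for non-AD users.
// Assumed: IExternalUserStore, the AD FS URL, issuer name and cert thumbprint below.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;

// Hypothetical external user store (SQL table, membership provider, etc.).
public interface IExternalUserStore
{
    // True only if the password verifies; fills in the user's e-mail and roles.
    bool TryAuthenticate(string username, string password, out string email, out IList<string> roles);
}

public class ExternalUserSts : SecurityTokenService
{
    // Only the AD FS 2.0 passive endpoint may receive tokens from this STS.
    // Without an AppliesTo check the STS issues tokens for any relying party that asks.
    private static readonly HashSet<string> AllowedAppliesTo =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://adfs.example.com/adfs/ls/"   // assumed AD FS endpoint; replace with yours
        };

    public ExternalUserSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo (wtrealm) is required");

        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
        if (!AllowedAppliesTo.Contains(appliesTo))
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);

        var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;  // set true + EncryptingCredentials if AD FS requires encrypted tokens
        scope.ReplyToAddress = appliesTo;        // reply to the allow-listed address, never a caller-supplied wreply
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
                                                               RequestSecurityToken request, Scope scope)
    {
        // 'principal' is the identity the sign-in page built after checking the external store.
        var input = (IClaimsIdentity)principal.Identity;
        var output = new ClaimsIdentity();
        foreach (Claim c in input.Claims)
        {
            // Copy only the claim types AD FS is configured to accept from this claims provider.
            if (c.ClaimType == ClaimTypes.Name || c.ClaimType == ClaimTypes.Email || c.ClaimType == ClaimTypes.Role)
                output.Claims.Add(new Claim(c.ClaimType, c.Value));
        }
        return output;
    }
}

// Code-behind logic for the custom login page.
public static class ExternalLogin
{
    private const string SigningCertThumbprint = "0000000000000000000000000000000000000000"; // assumed; replace

    // Step 1: verify the posted credentials against the external store and build a principal.
    public static IClaimsPrincipal Authenticate(IExternalUserStore store, string username, string password)
    {
        string email; IList<string> roles;
        if (!store.TryAuthenticate(username, password, out email, out roles))
            return null;  // show one generic failure message; do not say which field was wrong

        var identity = new ClaimsIdentity("ExternalUserStore");
        identity.Claims.Add(new Claim(ClaimTypes.Name, username));
        identity.Claims.Add(new Claim(ClaimTypes.Email, email));
        foreach (string role in roles)
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(new List<IClaimsIdentity> { identity });
    }

    // Step 2: let WIF read wa/wtrealm/wctx from the request, run the STS, and POST the token to AD FS.
    public static void IssueToken(HttpRequest request, HttpResponse response, IClaimsPrincipal principal)
    {
        var config = new SecurityTokenServiceConfiguration("https://extsts.example.com/")  // assumed issuer name
        {
            SigningCredentials = new X509SigningCredentials(LoadSigningCert()),
            SecurityTokenService = typeof(ExternalUserSts)
        };
        FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
            request, principal, config.CreateSecurityTokenService(), response);
    }

    private static X509Certificate2 LoadSigningCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, SigningCertThumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("STS signing certificate not found");
            return found[0];
        }
        finally { store.Close(); }
    }
}
```

In the page's Page_Load you would call Authenticate with the posted form values and, on success, IssueToken; AD FS 2.0 then has to be configured with this STS as a claims provider trust whose signing certificate matches the one loaded above. The two checks worth keeping whatever else you change are the AppliesTo allow-list (so the STS cannot be used to mint tokens for arbitrary relying parties) and the fixed ReplyToAddress (so a crafted wreply cannot redirect a freshly issued token elsewhere).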