The first scenario we are working on is using ACS as a federation provider. This is an extension of the current chapter on Federation.
The basic scenario is the following:
In pictures:
Note: This flow is really the “unwinding” of the process that starts when Rick browses a-Order. Everything really starts there (look for WS-Federation “passive profile” for more info), but conceptually that’s what’s happening.
Let’s imagine now that Adatum does business with other partners (smaller companies than Litware, maybe) that do not have any identity infrastructure of their own. Let’s imagine “Mary Inc” is a very small business owned by Mary, and she essentially works from home. Mary is probably not going to have AD under her desk.
What are the options for Adatum if they wanted to open a-Order to customers like Mary?
This is essentially deploying an Identity Provider (with its corresponding user database) for partners. Mary would get an account with Adatum and she would sign on with the Adatum provider credentials.
They can implement it in various ways: use ADFS V2 with a separate AD, use ADFS v1.1 with ADAM, use a custom STS with ASP.NET Membership (e.g. the StarterSTS or similar), write their own (a fun project indeed).
However, there are quite a few disadvantages to this approach:
This would be just great, wouldn’t it? Riiiiight…. I’m just kidding, please don’t attempt this.
Mary is on Facebook (sometimes too much). Mary has a Hotmail account. Mary uses Google Docs. Wouldn’t it be great to simply use one of these? Yes, it would be great. How do we make that happen?
The answer is simple: make Adatum’s Federation Provider trust all those identity providers, just as they did with Litware:
Conceptually this is all fine, but it would be too easy.
The only issue is that, often, all these providers implement different protocols and token formats: OpenID and OAuth and SWT, etc. So Adatum’s FP would have to understand all these protocols and formats and translate them into the ones a-Order understands (SAML & WS-Federation). If Adatum deployed ADFS as their FP, it could deal with the WS-Federation, WS-Trust and SAMLP protocols and with SAML tokens. Anything else requires extensions, development or additional infrastructure.
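To make one of those formats concrete: an SWT is just a form-encoded list of claims with an HMAC-SHA256 over it, so a relying party that trusts an issuer like ACS has to check the signature, the issuer, the audience and the expiry before believing any claim. The code below is an added example, not part of the original post; the issuer and audience addresses and the signing key are constructed stand-ins, and both sides (the FP issuing, the RP validating) are shown so the check can be run end to end.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed values for this illustration; a real ACS namespace, RP address and key differ.
TRUSTED_ISSUER = "https://adatum-fp.example/"    # assumed federation provider (ACS) address
EXPECTED_AUDIENCE = "https://a-order.example/"   # assumed a-Order address
SIGNING_KEY = b"constructed-shared-key-stand-in"  # in ACS this is a 256-bit key shared with the RP


def _sign(unsigned, key):
    """HMAC-SHA256 over the unsigned token text, base64-encoded as SWT requires."""
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def issue_swt(claims, key, lifetime=600, now=None):
    """What the FP does: form-encode the claims plus Issuer/Audience/ExpiresOn, then append the HMAC."""
    now = int(time.time() if now is None else now)
    body = dict(claims, Issuer=TRUSTED_ISSUER, Audience=EXPECTED_AUDIENCE, ExpiresOn=str(now + lifetime))
    unsigned = urlencode(body)
    return unsigned + "&HMACSHA256=" + quote(_sign(unsigned, key), safe="")


def validate_swt(token, key, now=None):
    """What the RP does: return the claims only if signature, issuer, audience and expiry all check out."""
    now = int(time.time() if now is None else now)
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        return None
    unsigned, given = token[:idx], unquote(token[idx + len(marker):])
    # Signature first, in constant time; nothing in the token is trusted until this passes.
    if not hmac.compare_digest(given, _sign(unsigned, key)):
        return None
    fields = dict(parse_qsl(unsigned, keep_blank_values=True))
    if fields.get("Issuer") != TRUSTED_ISSUER or fields.get("Audience") != EXPECTED_AUDIENCE:
        return None  # signed by someone else, or meant for a different relying party
    try:
        if int(fields.get("ExpiresOn", "0")) <= now:
            return None  # expired (ExpiresOn is seconds since the Unix epoch)
    except ValueError:
        return None
    return fields
```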
The good news is that all this is supported out of the box by ACS! And the solution would look more or less like this:
Advantages:
Adatum reuses all the internal infrastructure that they’ve invested in already. The setup of all this would probably take hours (or even minutes) as opposed to weeks or months. Adatum can rely on a highly scalable, secure, proven, global service as opposed to rolling out their own.
Using a cloud service means less control, though. Adatum will have to trust (beyond the identity meaning) Microsoft to run this for them. They will also have to rely on any of the third-party identity providers to authenticate the users. If Facebook is down for whatever reason, then Mary will not be able to access a-Order. But I guess that if Facebook is down, the world has bigger problems, right?