13 Shades of Claims Based Authentication
With this post I’m going to kick off a series of posts covering the different topologies in which claims based authentication can be used. We are all familiar with the classic model, where the client accesses the application and gets redirected to the STS to obtain a security token. The simplest configuration has that single STS act both as the Resource Provider STS and the Identity Provider STS. The next is the classic configuration with federation to a trusted identity provider organization. There are many more ways all of this can be configured; it really depends on the specific customer requirements. So I want to explore multiple topologies and record a short demonstration of each so you can see what is possible and, potentially, how it can be done.
Here is what I have currently in mind:
- Client – Application – RP – IDP
- Client – Application – RP – RP – IDP
- Client – Application – RP – RP – RP – IDP
- Introduce Proxy components in the above topologies
- Introduce multiple IDPs in the above topologies
- Introduce different authentication mechanisms in the above topologies (Integrated, FBA, Certificate, PhoneFactor)
- Introduce mechanisms to provide automated home realm discovery (HRD)
- Introduce IDP initiated sign on
- Introduce UAG as reverse proxy in the middle
- Introduce Azure Active Directory as IDP
- Introduce Azure ACS as middle tier to get authentication via Social identities (Microsoft, Facebook, Yahoo, Google)
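As an added example that is not part of the original post, here is a small Python model of the chained topologies above (Client – Application – RP – RP – IDP and its shorter forms): each STS validates only a token signed by the one issuer it trusts, then re-issues the claims under its own key, so the application ends up trusting nothing but its own RP-STS. The issuer names, keys and claims are constructed for the demo.

```python
import hmac, hashlib, json

# Constructed demo secrets: each STS signs with its own key. A relying party
# holds only the key of the single issuer it trusts. Not real keys.
KEYS = {"IDP": b"idp-demo-secret", "RP2": b"rp2-demo-secret", "RP1": b"rp1-demo-secret"}

def issue(issuer, audience, claims):
    """Issue a token: canonical payload plus an HMAC under the issuer's key."""
    payload = json.dumps({"iss": issuer, "aud": audience, "claims": claims}, sort_keys=True)
    sig = hmac.new(KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def validate(token, trusted_issuer, expected_audience):
    """Accept the token only if it is signed by the trusted issuer and addressed to us."""
    expected = hmac.new(KEYS[trusted_issuer], token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature is not from the trusted issuer")
    body = json.loads(token["payload"])
    if body["iss"] != trusted_issuer or body["aud"] != expected_audience:
        raise ValueError("wrong issuer or audience")
    return body["claims"]

def is_accepted(token, trusted_issuer, expected_audience):
    """Boolean wrapper around validate() for callers that just want yes/no."""
    try:
        validate(token, trusted_issuer, expected_audience)
        return True
    except ValueError:
        return False

def sts_hop(token, me, trusted_issuer, next_audience):
    """A middle-tier RP-STS: validate the inbound token, then re-issue it downstream
    under its own key, recording itself in the 'via' claim."""
    claims = validate(token, trusted_issuer, me)
    claims = dict(claims, via=claims.get("via", []) + [me])
    return issue(me, next_audience, claims)

def run_chain(chain):
    """chain: STS names ordered from the IDP to the RP-STS nearest the application.
    Returns the claims the application finally accepts from its own RP-STS."""
    idp, rest = chain[0], chain[1:]
    token = issue(idp, rest[0] if rest else "App", {"name": "alice", "via": [idp]})
    for i, sts in enumerate(rest):
        downstream = rest[i + 1] if i + 1 < len(rest) else "App"
        token = sts_hop(token, sts, chain[i], downstream)  # trusts only the previous hop
    return validate(token, chain[-1], "App")
```

Note that a token issued directly by the IDP is rejected by the application in the two-hop chain, because the application only holds the key of RP1.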
As I work on these scenarios I might drop some of them, and I might decide to explore other topologies I have not thought about yet. If you have ideas of what would be interesting to explore, let me know and I might try to get it on my agenda.