SSO with OAuth 2 and IIS

Hi All,

I am looking at the possibility of integrating a third party product within an existing infrastructure that uses SSO via OAuth 2.0.
My knowledge of the MS ecosystem is limited but my initial investigation is leading me towards the use of Active Directory Federation Services (ADFS) 3.0 as they should be supporting OAuth 2.0 out of the box (Windows Server 2012 R2).
However, it is not clear to me how exactly ADFS should be used. All the documentation I found is about setting up AD as an Authorization Server while what I am trying to do is to have IIS use an existing OAuth server (Java based) to implement SSO.

Any pointers and/or suggestions would be greatly appreciated.

Regards,

Alessandro
fhios Asked:

btan, Exec Consultant, Commented:
OAuth is mainly authorization-centric, guarding the resources, hence you tend to see ADFS as an Authz server. In fact, ADFS serves as the identity party (IDP), issuing the required claims in a token (for auth) as well as an auth code (for authz in the case of OAuth). In short, AD FS includes a federation service role service that acts as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS). It provides access to systems and applications by using a claims-based authentication and access authorization mechanism to maintain application security.

You then need to establish the authentication part for the SAML token and the authorization part using OAuth. You need to make sure the authentication part is done before going into OAuth (the authz part). Do catch the article and its links to MSDN for the IDP and RP. Below I do a quick lifecycle flow... just for info:
http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html

Such info is used by the client to always furnish when it attempts to get any resource from the trusted relying party, which is your 3rd party resource provider (RP, which can be a web app, a web resource hosted on a server, etc.) protected for access by the IDP. The resource is granted by the RP only if it sees that the access token (generated by the IDP upon the client giving the auth code received earlier from the IDP)...

This is a typical cycle and repeats on each resource attempt, and since you are looking at SSO, likely a session cookie or application-specific cookie will be used for the seamless login until the cookie expires... This article has good info on OAuth:
http://blogs.technet.com/b/askpfeplat/archive/2014/11/03/adfs-deep-dive-comparing-ws-fed-saml-and-oauth-protocols.aspx
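
The auth-code-for-token exchange and the relying party's check described in the answer above, sketched as an added example that is not part of the original post and is not ADFS or IIS code. The `IdP` class, `rp_get_resource`, the URLs and the HMAC-signed token (a stand-in for the IdP's signed access token) are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for illustration only.
SIGNING_KEY = secrets.token_bytes(32)  # stand-in for the IdP's token-signing key
RESOURCE = "https://rp.example/api"    # hypothetical relying-party identifier

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(payload: str) -> bytes:
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return _b64(mac).encode()

class IdP:
    """Issues a one-time auth code after login, then trades it for a token."""
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, user, expiry)

    def authorize(self, client_id, redirect_uri, user):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + 60)
        return code

    def token(self, code, client_id, redirect_uri, now=None):
        # pop() makes the code single-use, so a replayed code is rejected.
        entry = self.codes.pop(code, None)
        now = time.time() if now is None else now
        # The code is bound to the client and redirect URI it was issued for.
        if entry is None or entry[:2] != (client_id, redirect_uri) or now > entry[3]:
            raise PermissionError("invalid_grant")
        claims = {"sub": entry[2], "aud": RESOURCE, "exp": now + 300}
        payload = _b64(json.dumps(claims).encode())
        return payload + "." + _sign(payload).decode()

def rp_get_resource(token, now=None):
    """Relying party: serve the resource only for a valid, unexpired token."""
    payload, _, sig = token.partition(".")
    # Verify the signature before trusting or even parsing any claim.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        raise PermissionError("bad signature")
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    now = time.time() if now is None else now
    if claims["aud"] != RESOURCE or now > claims["exp"]:
        raise PermissionError("wrong audience or expired")
    return "resource for " + claims["sub"]
```
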
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.