Exporting users via AD FS
Hi,
I have a local web asp system, that large companies use. I run with local users, in that system. To day, we have been importing users from a security group in the customers Active Directory. That means that we have read access to that security group in the customers AD. Then we have had AD FS integration, and validated users in that manner. And if a user was deleted or deactivated in AD, it would be the same in our system automatically.
However I need to plan a design change, because new customers deny us access directly to their AD. And as far as I see it, AD FS does not support user export ?
I was thinking about making a web service, witch the users via AD FS connects against, and make that web service create the users in my web application user database.
Any thoughts / Suggestions on the subject would be highly appreciated.
BR
LHC
I have a local web asp system, that large companies use. I run with local users, in that system. To day, we have been importing users from a security group in the customers Active Directory. That means that we have read access to that security group in the customers AD. Then we have had AD FS integration, and validated users in that manner. And if a user was deleted or deactivated in AD, it would be the same in our system automatically.
However I need to plan a design change, because new customers deny us access directly to their AD. And as far as I see it, AD FS does not support user export ?
I was thinking about making a web service, witch the users via AD FS connects against, and make that web service create the users in my web application user database.
Any thoughts / Suggestions on the subject would be highly appreciated.
BR
LHC
ASKER
Hi,
I wish to create a solution where the users are created in my local user database automatically. I was thinking on somewhere what Salesforce are doing. I just do know quite where to begin. I'm thinking something about setting up a web server between ad fs and my web server, to take of this.
Powershell is not what I'm looking for, but thanks for the suggestion!
BR
Lasse
I wish to create a solution where the users are created in my local user database automatically. I was thinking on somewhere what Salesforce are doing. I just do know quite where to begin. I'm thinking something about setting up a web server between ad fs and my web server, to take of this.
Powershell is not what I'm looking for, but thanks for the suggestion!
BR
Lasse
AS you export the users.. similarly you can import them in AD using the script.
ASKER
Hi Rakesh,
I do not have access to the customers AD, so I can no export the users. I want to make a web service that automatically takes the users AD FS credentials (based on Claims rules), and create the users based on for example, email adresse, and name+surname in my local database....
BH
Lasse
I do not have access to the customers AD, so I can no export the users. I want to make a web service that automatically takes the users AD FS credentials (based on Claims rules), and create the users based on for example, email adresse, and name+surname in my local database....
BH
Lasse
ADFS alone isn't enough to do this. There is a reason web services require some sort of access direct or indirect. Take Office 365, for example. To use ADFS, DirSync or ADConnect must also be deployed as a REQUIREMENT. It has access to both AD and the local database to sync user account information. You'll find all services that support that level of provisioning use a similar architecture. If Microsoft itself isn't using ADFS alone for its premiere cloud services, it pretty obviously can't be done.
IN that case I'd suggest to use FIM, it would help you in replicate users to another box.
ASKER
Hi ,
Do you have a link to an article about the subject ?
BR
LHC
Do you have a link to an article about the subject ?
BR
LHC
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
https://gallery.technet.microsoft.com/scriptcenter/Powershell-script-to-5edcdaea