We have an ASP.NET MVC website that a customer is requesting Active Directory single sign on. My thought is that we will need something behind their firewall in order to send encrypted credentials or a user's ID over to our server... any best practices or products that do this would be extremely helpful!
Edit:
We are trying to make this as secure, seamless, scalable (we will have more than one client doing this), and as cost-effective as possible. Originally, I thought that we may have to have some sort of appliance which merely does the logging in by reading their AD credentials and once this is achieved it passes onto the live web application on our server...
Ways I've seen this accomplished in the past is to have a VPN set up so the web server and their Active Directory can communicate over a secure connection. A dedicated connection between sites is better as VPNs can be flaky/unreliable for consistency. If the connection speed between the physical locations isn't that great, I'd look at making use of a read-only domain controller on the same network as the web server. Again, using a VPN/dedicated line for its connection back to the domain. I'll gloss over the details of what's all required for that as that's better answered on Server Fault.
As long as the web server can communicate with their domain controller, you shouldn't have to do too much else besides changing configuration to point at their domain information.
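Added illustration (not part of the answer above, and not the poster's configuration): this is what "changing configuration to point at their domain information" typically looks like for an ASP.NET site that uses Forms authentication backed by the built-in ActiveDirectoryMembershipProvider. The LDAP path, domain components, login URL and the .NET 4 assembly version are assumptions/placeholders; substitute the customer's values.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder: the customer's domain controller (or the RODC on the web server's network)
         and the container the site is allowed to search. Reached over the VPN/dedicated link. -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.customer.example/DC=customer,DC=example" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth: the site still shows its own login page, but credentials are validated against AD. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>

    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <clear />
        <!-- connectionProtection="Secure" makes the provider require a signed/sealed
             (Kerberos or LDAPS) channel instead of sending the bind in clear text.
             Assumed assembly version: .NET Framework 4.x. -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With this in place the login action only has to call `Membership.ValidateUser(username, password)`; the provider performs the bind against the configured domain controller. Leaving `connectionUsername`/`connectionPassword` out (as above) means the application pool identity is used for the directory connection, which is the least-privilege option when the web server itself has a trust path to the customer's domain.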
We ended up creating a solution using OpenID. The client opens port 80 of their firewall and we display a login page (OpenID IdP) which establishes a secure connection with our OpenID RP located on our server.