I need to implement a company website that would be accessed from the outside of the company. It is required that the users are able to login with the same credentials as they access the company network (Active Directory). I initially thought of using ADFS but it seems that I can't access information about other users. I need to be able to list other users, get what groups they belong to, etc. It is also possible that I might have the need to modify information about users in the server.

I have no experience with anything related to Active Directory. Is using LDAP directly with custom authentication a better alternative? Any advice or corrections?

Simon East
d0001

1 Answer

Active Directory Federation Services (ADFS) is primarily concerned with authentication. It is not a metadirectory and can't be used to return generalized information from Active Directory.

Accessing the Active Directory through LDAP is probably the direction you want to go, as it allows you to query the attributes of user accounts (and other objects). Be aware that correctly interoperating with a complex AD forest (particularly one with Forest Trusts) is not a trivial thing. If you're developing an internal use application that will always be running in a single-domain environment you won't have to contend with such complexity. If you're looking at building a product for sale, however, you'll do well to learn quite a bit about Active Directory and its complex types of deployments. (I've worked with quite a number of products that claim "LDAP integration with Active Directory" only to find that they fall to pieces when dealing with a fairly common configuration such as a multi-domain environment. Don't even get me started about the bad support for multi-forest environments...)

Evan Anderson
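As an added illustration of the LDAP direction the answer recommends (this is example code written for this page, not code from the answer's author), the sketch below shows the three things an Internet-facing site that authenticates against AD over LDAP must get right: escape whatever the login form submits before it lands in a search filter (otherwise the username field is an LDAP-injection point), verify the password by binding as the user and then read attributes with a separate read-only service account, and expand nested groups with AD's LDAP_MATCHING_RULE_IN_CHAIN extended match. The hostname, base DN, NetBIOS domain name, CA bundle path and service account are placeholders, and the `ldap3` library (`pip install ldap3`) is an assumed choice; the filter and DN helpers run without it.

```python
"""Example (not from the original post): AD login and lookup over LDAPS.

The helpers escape_filter_value / user_filter / nested_group_members_filter /
group_cn_from_dn are pure functions; authenticate_and_lookup needs the ldap3
package and a reachable domain controller (hostnames below are placeholders).
"""
import re
import ssl

# RFC 4515 escaping for assertion values. These are exactly the characters an
# attacker types into a username field to rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it can only match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Exact-match filter for one user account; the name is untrusted input."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(sam_account_name)}))")


def nested_group_members_filter(group_dn: str) -> str:
    """Users who are members of group_dn directly or via nested groups.
    1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN; it is not
    available on generic LDAP servers."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)}))")


def group_cn_from_dn(dn: str) -> str:
    """Pull the CN out of a memberOf value, honouring RFC 4514 '\\,' escapes."""
    match = re.match(r"^CN=((?:\\.|[^,])*)", dn, re.IGNORECASE)
    if not match:
        raise ValueError(f"not a CN-led DN: {dn!r}")
    return re.sub(r"\\(.)", r"\1", match.group(1))


def authenticate_and_lookup(server_host, base_dn, service_dn, service_password,
                            username, password, ca_certs_file):
    """Return (displayName, [group CNs]) for a valid login, else None.

    Assumed environment: NetBIOS domain CORP, LDAPS on 636 with a CA bundle
    the web server trusts, and a read-only service account for lookups.
    """
    import ldap3  # imported here so the pure helpers stay dependency-free

    # AD treats a simple bind with an empty password as an anonymous bind
    # that *succeeds*; never let an empty password reach bind().
    if not username or not password:
        return None

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = ldap3.Server(server_host, port=636, use_ssl=True, tls=tls,
                          get_info=ldap3.NONE)

    # 1. Prove the password: simple bind as the user over TLS.
    user_conn = ldap3.Connection(server, user=f"CORP\\{username}", password=password)
    if not user_conn.bind():
        return None
    user_conn.unbind()

    # 2. Read attributes with the least-privilege service account, not as the
    #    user (users can read far more of the directory than the site needs).
    svc = ldap3.Connection(server, user=service_dn, password=service_password,
                           auto_bind=True)
    try:
        svc.search(base_dn, user_filter(username), attributes=["displayName", "memberOf"])
        if not svc.entries:
            return None
        entry = svc.entries[0]
        # memberOf omits the user's primary group (see primaryGroupID) and, in a
        # multi-domain forest, domain-local groups from other domains; query
        # the group with nested_group_members_filter when that matters.
        groups = [group_cn_from_dn(dn) for dn in entry.memberOf.values]
        return entry.displayName.value, groups
    finally:
        svc.unbind()
```

The bind-then-search split is deliberate: binding as the user is the only reliable way to have the DC check the password (it also honours lockout and expiry policy), while the search runs under an account whose read permissions you control. Any write-back the question mentions should go through that service account with write rights on specific attributes, not through the user's own bind.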