Episerver as a Federated Security Server

Hello,

More of a high-level request for knowledge, or to hear if anyone has tried this, but we're looking at the potential of an Episerver solution acting as a federated security server. We have a client who has a number of third-party relationships and services who'd eventually like their users to be able to log in using their website account - not an immediate requirement but a long-term goal.

At the moment most single sign on and federated security documentation and blogs I've seen all seem to deal with being able to log in to Episerver using other services such as Active Directory but I see much less the other way around. From what I can tell one of the vendors supports SAML 2.0 but I don't have details on the others.

I've some experience with allowing logins using Active Directory or services such as Google or Facebook, and there seem to be plenty of examples of these, but none going the other way around, i.e. allowing third-party websites to log users in using their account from your website.

I'm curious if others have had to approach this problem and what there may be in the way of existing solutions or packages, if any, that helped you solve this. Unfortunately due to the similarity in terms much of my searching keeps coming up with the more common scenario so I thought I'd ask the community brain out of curiosity.

Thanks,
Mark

#225327
Jul 13, 2020 11:15
Hi Mark

If I understand you correctly, you're looking for IDP (identity provider) setup documentation that does not belong to the Episerver product. An Episerver solution can be integrated with most well-known standards (SAML, OAuth, OIDC), but Episerver itself is not an IDP (identity provider).

If you want your website to act as an IDP on top of existing membership data, take a look at IdentityServer. IdentityServer is an open-source and certified authentication server that allows you to build identity and access control solutions for modern applications, including single sign-on, identity management, authorization, and API security.

I hope this is helpful.

/V

#225438
Jul 16, 2020 1:24
Hi Mark,

Adding to what Vincent already said, look at IdentityServer as your IDP (or some other product) BUT don't make your Episerver website the IDP. Have a separate IDP and make Episerver + the third-party apps use the IDP.

Why? There are many reasons but a few:

  • your authentication would be locked to the Episerver website
  • you wouldn't be able to scale out the IDP without also scaling Episerver (server license count), which might require new licenses for Episerver
  • you would be stuck with the Episerver .NET Framework version and couldn't take the latest .NET Core version of IdentityServer, for example
  • what if there is, for example, a Java implementation of the IDP you would like to use, which you can't implement on the website?
  • the website and IDP have totally different responsibilities, so don't put them together

#225474
Edited, Jul 17, 2020 7:39
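As an added illustration of the layout the reply above argues for (this is example code, not from the thread, from Episerver or from IdentityServer): the Episerver site is configured purely as an OpenID Connect relying party of a separate IDP, so the CMS never holds user passwords. Assumptions: a CMS 11 site with the OWIN pipeline, the hypothetical `MySite` namespace, placeholder IDP and site URLs, and `ISynchronizingUserService` as the Episerver hook that mirrors the external identity into the CMS user store.

```csharp
using System.Threading.Tasks;
using EPiServer.Security;          // ISynchronizingUserService: assumed Episerver hook
using EPiServer.ServiceLocation;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MySite.Startup))]
namespace MySite   // hypothetical namespace
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The CMS only keeps a local session cookie; user credentials never reach it.
            app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ApplicationCookie);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
            });
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                // Placeholders: the external IDP and the client it has registered for this site.
                Authority = "https://idp.example.com",
                ClientId = "episerver-website",
                RedirectUri = "https://www.example.com/",
                PostLogoutRedirectUri = "https://www.example.com/",
                ResponseType = "id_token",
                Scope = "openid profile email",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = ctx =>
                    {
                        // Signature, issuer, audience, expiry and nonce are already checked here.
                        // Mirror the identity and its role claims into the CMS user store.
                        return ServiceLocator.Current.GetInstance<ISynchronizingUserService>()
                            .SynchronizeAsync(ctx.AuthenticationTicket.Identity);
                    },
                    AuthenticationFailed = ctx =>
                    {
                        ctx.HandleResponse();                     // fail closed: no CMS session
                        ctx.Response.Redirect("/login-failed");   // placeholder error page
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

Because the third-party services register as clients of the same IDP, they get the shared login without ever talking to Episerver, which is the point of keeping the two roles apart.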
Hi Mark

As a central customer authentication service, you could use something like Azure AD B2C, Auth0 or Okta. Style the login page like the website, so few people notice the difference.

Then your client can use this authentication service for both Episerver and third-party services.

The users will think they log in using their "website account", but it will not actually be managed in Episerver.

#225505
Jul 18, 2020 9:52