I have a SaaS web application that serves several educational institutions. All clients are located in one application / database. The application is currently written in C # for ASP.Net 4 web forms.
Currently, my application uses a local / native database to authenticate / authorize users.
Our customers ask us to support single sign-on, where the client is an authentication provider and my consumer application.
The problem is that clients request SSO through various protocols / mechanisms such as Shibboleth and OpenID Connect. This means that I need - / must create a solution that works with all of these, or at least extensible.
I came across a Thinktecture IdentityServer, which I think can abstract the various single sign-on mechanisms used by my clients and return to my application the requirements-based identification token that my application understands.
I struggle a lot with this concept. Does this mean that my application redirects all authentication requests to IdentityServer, allows IdentityServer to process back and forth, for example, OpenID Connect, and then receives a token from IdentityServer with the information I need about the user? How does the authentication server know the scope of the user (i.e., it knows which client authentication provider should send the user)? Should IdentityServer check for a user in the local local application database? Can IdentityServer handle both SSO and local logins?
Is a separate authentication server a way? It looks like it will be, allowing my application to integrate with a single point (identity server). But there is not much documentation on the Thinktecture IdentityServer, but how to configure it. ADFS may provide a similar solution, but most of the examples there speak with ADFS and Azure.
Finally, I assume that I will still maintain local / native authorization data for each user, since the third-party authentication provider cannot know the specific authorization needs of my application.
Any thoughts or suggestions there?