I’d like a website that company users can log into with their AAD logins, AND customers can log in with their social networks.
I follow the new web project procedures to create an MVC5 site and change authentication to "organisational accounts", set up AAD in Azure, all works fine.
I can also follow the "individual user" route and set it up to successfully use Facebook, Twitter, etc.
But no combination of the two.
I’ve had a good search for the answer, but can’t find how to extend the AAD solution to also use the ‘other provider’ solution.
This is the closest I’ve found, but
I’d prefer not to delve into GraphAPI if avoidable, or use any other solution/service like Identity Server.
Anyone faced the same scenario?
What’s the simplest solution? A separate site that takes successful social login and creates/loads an AAD user?
I just want to get on with application development, not embroil myself in authentication issues, so I’m hoping someone has done similar, and can save me a lot of new learning of GraphAPI or Identity Server.
Sounds like you need an external identity provider to manage this stuff for you. Since you’re not interested in the details, I’d suggest a hosted solution and, since AAD doesn’t do social, perhaps look into Auth0 (https://auth0.com/) as an "identity as a service".
Thanks for the reply BrockAllen, but like I say, I’d really prefer not to use a separate solution.
Both Visual Studio solutions solve both problems, I’m just trying to combine them.
I’m hoping to find a simple Microsoft solution, and as an MVP I’m hoping you may be able to find the right people to ask, what is the Microsoft way…
Can’t a social login simply be combined to create/retrieve an AAD user?
PedroTester
Can’t a social login simply be combined to create/retrieve an AAD user?
No, this is not supported today.
Can our WAAD be set up to act as an authorization provider?
Then I can use the "social solution", so as well as listing Facebook, Twitter, MS Live, I can also list my AAD? AAD authenticated users can then be given extra admin permissions…?
Well, it’s possible to have them all within your one app, but you have to do all the work of account mapping to your local DB. Also, if you build more than one app then you’ll be doing that work all over again in the other app. This is why it’s generally recommended to put that "stuff" into one place that your app(s) can then trust and re-use.
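The "all within your one app" route that Brock describes (AAD listed next to the social providers, with the account-mapping work done against your own DB), as an added C# example that is not code from this thread nor from either Visual Studio template. It wires AAD via OpenID Connect and Facebook as external providers in one OWIN pipeline and maps every external login, AAD included, onto a local ASP.NET Identity user. The ApplicationDbContext, ApplicationUserManager and ApplicationUser types are assumed to come from the MVC5 "individual user accounts" template; the tenant, client id, Facebook app id/secret, redirect URI and the "Employee" role are placeholders you would replace.

```csharp
// Startup.Auth.cs -- AAD (OpenID Connect) and Facebook side by side in one OWIN pipeline.
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Facebook;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Local DB (assumed template types) holds the user and its linked external logins.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // Application cookie: only issued after the external login is mapped to a local user.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });

        // Short-lived cookie carrying the external identity until account mapping completes.
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Employees: Azure AD over OpenID Connect (placeholder tenant, client id, redirect URI).
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "AzureAD",
            Caption = "Company account",
            ClientId = "00000000-0000-0000-0000-000000000000",
            Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com",
            RedirectUri = "https://localhost:44300/",
            // Sign in to the external cookie, not the app cookie, so AAD goes through the
            // same mapping step as the social providers instead of bypassing it.
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie
        });

        // Customers: social providers (placeholder Facebook app credentials).
        app.UseFacebookAuthentication(new FacebookAuthenticationOptions
        {
            AppId = "FACEBOOK_APP_ID",
            AppSecret = "FACEBOOK_APP_SECRET"
        });
    }
}

// AccountController.cs -- the account-mapping step every provider passes through.
public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (loginInfo == null) return RedirectToAction("Login");

        // Map on (provider, provider-specific key). Do not link accounts by e-mail alone:
        // a social provider's e-mail claim may be unverified and would let someone claim
        // an employee's local account by registering that address elsewhere.
        var user = await UserManager.FindAsync(loginInfo.Login);
        if (user == null)
        {
            // The template's ApplicationUserManager.Create allows non-alphanumeric user names.
            user = new ApplicationUser
            {
                UserName = loginInfo.Email ?? loginInfo.DefaultUserName,
                Email = loginInfo.Email
            };
            var created = await UserManager.CreateAsync(user);
            if (!created.Succeeded) return View("Error");
            await UserManager.AddLoginAsync(user.Id, loginInfo.Login);

            // Only logins that came through the AAD middleware get the privileged role
            // (assumed role name; it must already exist in the local DB).
            if (loginInfo.Login.LoginProvider == "AzureAD")
                await UserManager.AddToRoleAsync(user.Id, "Employee");
        }

        var identity = await UserManager.CreateIdentityAsync(
            user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}
```

The point Brock makes about repeating the work per app is visible here: the mapping logic and the role assignment live in the controller of this one site, so a second site would need its own copy of both. Keying the mapping on LoginProvider plus ProviderKey rather than on e-mail is the part worth keeping whichever way you go.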
Thank you for your continued interest Brock.
The customer has AAD used for a lot of cloud apps, so employees can gain privileged access, but there’s no way they’d want all the public website users creating accounts on there. So I believe a separate user database would be best.
I have been turned on to ACS. Before I delve too deeply, can you [or someone you can track down who uses it] confirm if it can do what I require? So ACS would be the authority and behind it I can add social logins and AAD as providers?
http://blogs.technet.com/b/ad/archive/2013/06/22/azure-active-directory-is-the-future-of-acs.aspx
http://msdn.microsoft.com/en-us/library/hh446535.aspx
Thanks again for your continued interest, wondering why no-one else has anything to offer.
Are there not many Gurus in this channel forum any more?
ACS is deprecated, so I’d suggest to not use it for anything new.
AAD doesn’t support storing identities in a custom DB, so you need to integrate something else into your architecture. I work on an open source identity provider that allows for a custom DB of users:
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/
These topics are very specialized and so there are few people that follow this technology.