Is it possible to create a new user via ADFS?

2019-05-05 14:27发布

问题:

I am in the process of scoping out whats involved in setting up single sign on using SAML and ADFS. A query has come back that I can't answer and can't seem to find anywhere.

Is it possible to carry out the usual user profile actions via ADFS? For example :

  • Can I register new users via ADFS?
  • Can I provide forgotten password / reset password functionality via ADFS?

I'm getting confused and have a feeling I am barking up the wrong tree!

回答1:

No, AD FS only delivers security tokens for Active Directory accounts, after providing some form of credentials for such an account. It does not make any kind of changes in Active Directory, nor anywhere else.

No, AD FS has no 'reset password' functionality. However, the AD FS sign-in pages can be customized, and the functionality to change the (AD) password can be added by customizing/creating the appropriate ASP.NET pages. Been there, done that. Unfortunately I cannot share that code.

(This answer applies to AD FS 2.0 only; I'm not sure about AD FS 1.0.)



回答2:

@Marnix is correct - ADFS is an "Access Manager" not an "Identity Manager".

As you can customise pages, there is nothing stopping you creating provisioning pages or adding links to a provisioning system.

Word to the wise: The "standard" ASP.NET membership pages provision to a SQL DB which won't help you. ADFS authenticates against AD only. You need to use AD membership.

Also, for internal users who login to their desktop with WIA and SSO behind the scenes with ADFS, you get the standard password functionality e.g. password about to expire, change password etc.



回答3:

In addition to that: Microsoft has another product which integrates with ADFS (and other auth mechanisms) called Forefront Identity Manager which provides password reset / user self management as well as account creation via delegated fine granted rights. All that using a web-interface.

i guess that is what you're looking for.

However: adfs itself is only a tool to provide federation and SSO - so it's there for authentication / delegation, not mangement.



标签: saml adfs