I have an ASP.NET MVC 5 web application that authenticates users using ASP.NET membership. We are in the process of migrating the app to Azure App Service, and we have a requirement to introduce SSO and MFA. Since we are using Azure AD, we want to let this web application authenticate users using their existing Azure AD credentials.
The problem is that we have some external users: some of them have their own Azure AD instance, and some are very small companies who don't have Azure AD.
The plan is to:
- Let our local users use their Azure AD for log in
- Set up B2B for External users who have Azure AD
- Build an external identity provider that delegates user authentication to our existing membership database. We want the process to be seamless, without having to ask them to set a new password.
I am not sure if #3 is the correct way to go, and I can't find any sample implementation for building a custom SAML identity provider. The only sample I found was via ADFS, which is not a great help to me.
Any recommendation on the way forward?
I tried the Microsoft docs on building a custom identity provider, but I could not find anything useful.
I am expecting a sample implementation of a custom identity provider based on a local database.
Do not try to roll your own, either SAML in general or an IDP.
WRT SAML, refer to this and this.
In terms of an IDP, have a look at IdentityServer.