
I am planning on using IdentityServer4 exclusively as an OIDC proxy to implement a single sign-on scenario relying on an external login provider (ADFS3 for starters, but there might be others in the future). Put another way, no local users will ever exist, and neither do I expect to have any login or consent screens.

I've been reading the docs and studying the quickstarts source code, and even though I believe now I have more or less complete picture of how external login works, there's this one thing that I am still not sure about.

Namely, would it be safe and reasonable to do the following:

  1. Do not implement any user store (neither ASP.NET Identity nor even an in-memory one);
  2. Ignore the EnableLocalLogin client setting and always assume it's set to true;
  3. Always force ExternalLogin from the login page?

A side question: are there any pitfalls if the primary client is a JavaScript SPA? I do know this type of client is generally supported by IdentityServer, but the chain of redirects involved in the external login scenario makes me a bit worried.

DmytroL
  • Possible duplicate: https://stackoverflow.com/q/45604775/2144352 – Tomas Ivan Sep 14 '18 at 13:09
  • Possible duplicate of [IdentityServer4 - Login directly from an external provider](https://stackoverflow.com/questions/45604775/identityserver4-login-directly-from-an-external-provider) – Tomas Ivan Sep 14 '18 at 13:10
  • Does this answer your question? [Identityserver 4 and Azure AD](https://stackoverflow.com/questions/41978033/identityserver-4-and-azure-ad) – Ogglas Feb 17 '22 at 16:09
  • Cross-link to a similar question – https://github.com/IdentityServer/IdentityServer4/issues/4422 – Alex Klaus Aug 30 '22 at 08:08
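The three steps the question proposes, written out as an added example (not the asker's code and not an answer from the thread): it uses the IdentityServer4 quickstart-style controller APIs, assumes an external authentication scheme registered under the placeholder name "adfs", and disables local login on the client instead of ignoring the setting, so no user store is needed.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Client registration (placeholder id): local login is switched off, so
// IdentityServer never expects a user store or a username/password form.
public static class Clients
{
    public static Client Spa => new Client
    {
        ClientId = "spa",
        EnableLocalLogin = false,
        IdentityProviderRestrictions = { "adfs" }, // only this external scheme may be used
        // grant types, redirect URIs, scopes etc. omitted
    };
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    public AccountController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    // Every /Account/Login call challenges the external provider immediately; no view is rendered.
    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        // Only accept IdentityServer authorize URLs here; this blocks open-redirect abuse of returnUrl.
        if (!_interaction.IsValidReturnUrl(returnUrl)) return BadRequest("invalid return URL");
        var ctx = await _interaction.GetAuthorizationContextAsync(returnUrl);
        var scheme = ctx?.IdP ?? "adfs"; // honours an idp hint from acr_values, otherwise the default
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Callback)),
            Items = { { "returnUrl", returnUrl }, { "scheme", scheme } }
        };
        return Challenge(props, scheme);
    }

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return Unauthorized();
        var sub = result.Principal.FindFirst(JwtClaimTypes.Subject) ?? result.Principal.FindFirst(ClaimTypes.NameIdentifier);
        if (sub == null) return Unauthorized();
        var scheme = result.Properties.Items["scheme"];
        // Issue the IdentityServer session straight from the external subject; no local user lookup.
        var user = new IdentityServerUser(sub.Value) { IdentityProvider = scheme };
        await HttpContext.SignInAsync(user);
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        return Redirect(result.Properties.Items["returnUrl"] ?? "~/");
    }
}
```

If a second provider is added later, prefix the subject with the scheme (or map it) before calling SignInAsync so that identical subject values from two providers cannot collide into one IdentityServer session.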
