我可以使用ADFS 2.0对SQL Server的某些用户进行身份验证吗？

Question

I have been using ADFS to authenticate users against AD fine, using a claims aware template in VS. Some of our users will not be in Active Directory, so I would like to know if its possible to configure ADFS to look up SQL Server for these users and then carry on as normal.

Does ADFS2.0 provide custom authentication stores?

is a similar question, just one person says yes it can be done and other says you can't.

Answer 1

AD FS 2.0 can only authenticate against Active Directory (AD DS). This is not explicitly documented in the official AD FS 2.0 documentation, but it follows from the following two snippets:

• "Appendix A: Reviewing AD FS Requirements" from the AD FS 1.x Design Guide, section "Account store requirements" says, "AD FS supports two types of account stores: Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS)."
• "Planning a Migration to AD FS 2.0" says, "The following are the AD FS 1.x features and scenarios that are no longer supported in AD FS 2.0: [...] AD LDS used as an account store".

So no custom authentication stores, SQL Server based or otherwise.

(On the other question on additional attribute stores: that is possible.)

The solution that is suggested in an answer to the other question you refer to is a bit misleading. If you read the actual blog post you see that they add an extra STS. AD FS 2.0 has a 'Claims Provider Trust' for that other STS, and redirects to it (if the 'home realm discovery' is set up correctly). That other STS then performs the authentication in whichever way it likes, sends a token back to AD FS, which then runs its claim rules.

So in that solution it is not AD FS 2.0 authenticating against an non-AD store, but redirecting to an STS which authenticates against that store.