ADFS Single Sign On with ReactJS (Frontend) /.Net Core Web API (Backend)

Vignesh Thiruvirkolam 1 Reputation point
2021-02-23T06:12:22.687+00:00

We are having react app as frontend application and .NET Core Web API as Back end application. Our client requirement is to integrate ADFS SSO. Our Client is already having On-Premises ADFS running in their windows server 2016.

After some googling I have following questions raised up in my mind.

1.) Based on my analysis, ADFS is supporting following sign-in protocols (SAML 2.0, WS-Federation & OAuth). For our application setup(React/.NET Core Web API), which protocol, we should use?

2.) Our client is asking us to use for SAML2.0. Is SAML 2.0 Protocol can be used for our application architecture (React/.NET Core Web API)?

3.) To configure our application in On-Premises ADFS, I saw following options (Relying Party Trust and Application Groups). For our application architecture, which one should be used?

Please help me with your thoughts. I am not able to take any concrete decision on the above questions since I am new to the ADFS SSO. Your help is much appreciated. Thanks in advance.

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,360 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,220 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2021-02-23T15:46:15.127+00:00

    Only the dev/architect of the application would know what model would be the best fit.

    SAML2 is old school. That works, and that's supported by ADFS. But that's usually not a good fit for those multi tier apps. I mean, that's the very reason was OAuth2 was born.

    In general, for a modern multi-tiered application, OAuth2/OIDC seem to be a better option as it is very flexible for these scanario. But that depends if the frontend has to authenticate the end user, what type of access/auth between the frontend and the backend, etc...

    OAuth2 applications are created in ADFS through the Application Groups wizard.

    0 comments No comments