Hopefully this is a fairly simple question since it deals with the behavior of one of the WCF plugins designed and maintained by Woltlab.
I have built a stand-alone forum system, that is, the forum itself is responsible for maintaining user accounts and handling logon requests. In the future, I plan to add applications running on WCF code to my environment, but with different applications, and I'd like to enable SSO across the different systems.
I have a few questions to this end:
- If an account was created locally (that is, on the forum), can it be connected to an account through LDAP at a later point, and what is the process for this?
- Are users able to create their own accounts through the LDAP connection so that SSO capability is automatic, or will a member of staff be required to establish an account?
- Are groups and group memberships managed through Active Directory Group Membership or is this an isolated system?
One thing I'd like to avoid is a user signing up on site A and then finding that SSO doesn't work on site B, so they make a new account. If I need a member of staff to establish an account for the user in the account store with the information provided and then to merge the local account with the account in the store, then I can change my registration model to "Require Administrator Approval." However, my preferred method would be to allow an application (like the WoltLab LDAP provider) to be able to create user accounts within certain AD Groups.
Lastly, just to make sure my understanding of how authentication works is correct, can someone verify this model below?
[Application] -- [Kerberos Authentication Service] -- [Account store, like Active Directory]
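To make the three questions concrete, here is an added illustration of the account-linking and self-provisioning decisions a directory-backed login has to make. It is not the WoltLab LDAP plugin's code and says nothing about how that plugin actually behaves; the directory is a constructed in-memory stand-in for an LDAP simple bind, and the use of `objectGUID` as the link key and `memberOf` as the group source are assumptions about the attributes a real Active Directory deployment would expose.

```python
"""Illustrative account-linking flow for an LDAP-backed SSO login.

Added example, not code from the WoltLab LDAP plugin. DIRECTORY is a
constructed in-memory stand-in for an LDAP bind; in a real deployment the
bind goes to Active Directory and objectGUID / memberOf are read from the
user's entry (assumed attribute choice).
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac

# Constructed sample directory: username -> (password, objectGUID, groups).
DIRECTORY = {
    "alice": ("alice-pw", "guid-0001", {"Forum Users"}),
    "bob":   ("bob-pw",   "guid-0002", {"Forum Users", "Staff"}),
    "carol": ("carol-pw", "guid-0003", set()),          # in no allowed group
}
ALLOWED_GROUPS = {"Forum Users"}   # assumed: AD groups allowed to self-provision


def pw_hash(password: str) -> str:
    # Demo only: a real system uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class LocalAccount:
    username: str
    password_hash: Optional[str] = None   # None for accounts created via SSO
    directory_id: Optional[str] = None    # immutable link, set on first SSO login
    groups: set = field(default_factory=set)


def directory_bind(username: str, password: str):
    """Simulated LDAP bind: returns (objectGUID, groups) or None on failure."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1], entry[2]


def sso_login(accounts: dict, username: str, password: str,
              local_password: Optional[str] = None) -> str:
    """Authenticate against the directory, then link or provision a local account."""
    bound = directory_bind(username, password)
    if bound is None:
        return "denied: directory bind failed"
    guid, groups = bound

    # 1. Already linked: match on the immutable directory id, never on the name,
    #    so a rename in AD or a reused username cannot redirect the link.
    for acct in accounts.values():
        if acct.directory_id == guid:
            acct.groups = set(groups)          # group membership mastered in AD
            return f"ok: {acct.username} (linked)"

    # 2. Same username exists locally but is unlinked: linking it is an account
    #    merge, so require proof of control of the local account as well
    #    (the alternative being a staff-performed merge).
    acct = accounts.get(username)
    if acct is not None:
        if acct.directory_id is not None:
            return "denied: local account already linked to another directory entry"
        if local_password is None or not hmac.compare_digest(
                acct.password_hash or "", pw_hash(local_password)):
            return "pending: confirm local password or ask staff to merge"
        acct.directory_id = guid
        acct.groups = set(groups)
        return f"ok: {username} (merged)"

    # 3. Nothing local: self-provision only for members of an allowed AD group.
    if not groups & ALLOWED_GROUPS:
        return "denied: not in an allowed group"
    accounts[username] = LocalAccount(username, None, guid, set(groups))
    return f"ok: {username} (provisioned)"


def demo() -> list:
    """Constructed walkthrough of all three paths; returns the outcomes."""
    accounts = {"bob": LocalAccount("bob", pw_hash("bob-local-pw"))}
    return [
        sso_login(accounts, "alice", "alice-pw"),              # provisioned
        sso_login(accounts, "alice", "alice-pw"),              # linked by guid
        sso_login(accounts, "bob", "bob-pw"),                  # pending merge
        sso_login(accounts, "bob", "bob-pw", "bob-local-pw"),  # merged
        sso_login(accounts, "carol", "carol-pw"),              # wrong group
        sso_login(accounts, "alice", "wrong"),                 # bind failure
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the three branches is the order of trust: an existing link is honoured only through the immutable directory id, a name match alone is never enough to merge a pre-existing local account into a directory identity, and a brand-new local account is created only when the directory already places the user in a group that is allowed to self-provision. Whether a given LDAP plugin offers each of these behaviours is exactly what the questions above ask.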