How to authenticate users from another domain in an ASP.NET SaaS application?

We have an ASP.NET web application that we offer as a Service (it's hosted and it's accessible on the Web). We use Forms Authentication and our users have to enter a username/password to connect to our application. Some of our customers ask that we support single sign-on by authenticating users with their own Active Directory.

Our application has a different URL for each customer

www.ourapp.com/client1/
www.ourapp.com/client2/
www.ourapp.com/client3/

and each URL has开发者_Python百科 its own web.config file (where asp.net settings can be specified and can vary for each customer).

• What do I have to change in my ASP.NET application to support that?
• What do I have to change on my Windows server configuration?
• What will the customer have to do on his side to enable that?

Regards,

Check How To: Use Forms Authentication with Active Directory in ASP.NET 2.0 In short, you configure an ActiveDirectoryMembershipProvider to verify each username/password with the customer's AD. The customer must create an AD account for you that is allowed to perform the verification - which may be a problem with some customers. What's more, your code will handle the actual username/password used by users in their internal network, which can be an even bigger problem with customers.

A more secure solution is to use federation (using ADFS) or Claims Authentication using Windows Identity Foundation. In this case you "only" have to set trust relations between your domain and theirs.