Integrate Windows domain authentication with an external web site

I am a small time internet hosted app (SAAS) developer, when I launch I expect most of my customers will authenticate (login) to my application using the standard email + password technique.

Howeve开发者_C百科r I would like to offer a better single sign-on option for larger customers who will have ready-made communities of potential users of my system. Such communities will often be running Windows desktops that are already authenticated against an in-house corporate Windows domain controller.

I am looking for some option to enhance my web site user authentication process and trust or delegate to the customer's domain authentication. I would be very much the junior partner in any such integration so I doubt a large corporate is going to allow me to run a satellite domain controller hooked to their system. The economics of the SAAS app won't allow for hardware VPN circuits.

The Azure cloud will probably be used to host my SAAS app if that helps clarify the options.

Another option at your disposal is Active Directory Federation Services (ADFS). Take a look at Overview of Active Directory Federation Services (ADFS) in Windows Server 2003 R2

Since you are looking to host this both for small and large customers, I suggest you use Windows Azure ACS (Access Control Service) for your setup.

This allows your application to use any identity provider like facebook, google, live id and yahoo. ACS also will allow federation to Active Directory through ADFS.

Thus, you can give your customers all possible choices and keep your application code the same.

Step 1: configure one-way trust of their domain on your domain. You do this, they aren't involved.

Step 2: use SSPI to get credentials via kerberos or SSL.