I have the following Scenario:
Three different Sharepoint Server: sp1.company.com; sp2.company.com…
Internal Users using Windows Authentication and external users using Forms Based Authentication (FBA).
When the external users change from one server to the other they have to login again. My goal is to have a Single Sign On (SSO) for all the SharePoint Server.
I thought maybe I can do this by using ADFS for the internal users and a customSts (ThinkTecture IdentityServer) for the external users.
Would this be possible? How do I setup the Sts servers ADFS and IdentityServer? Do I have to connect ADFS to IdentityServer over WS-Federation?
Yes, the architecture you are proposing is fine. You will have to stop using forms auth and windows auth on SharePoint and start using claims-based (SAML and WS-Fed) as the single login mechanism. The architectural pattern is: your applications trust a “federation hub” (that could be either ADFS or Windows Azure Active Directory). That server will have all the trust relationships with your identity providers and applications. In your case, what you have today, is a couple of SharePoint applications and two identity providers (one AD through ADFS and the other a custom database through something like Identity Server).
Everything is connected through standard protocols and token formats. From SharePoint to the “federation hub” you will use WS-Federation and SAML 1.1 tokens. From the “federation hub” to ADFS you will use WS-Federation and SAML 1.1 or 2.0 tokens. From the “federation hub” to Identity Server it’s the same as ADFS. In the future if you want to plug something like Facebook, the “federation hub” needs to speak OAuth, but the SharePoint will still be using WS-Federation, so you don’t have to touch that piece.
ADFS as a federation hub will give you support for WS-Federation and SAML protocol (but not OAuth). That might be good enough for you today. You might want to consider Windows Azure Active Directory (previously known as Windows Azure Access Control Service) which is a “federation hub” that is offered as a service from Microsoft (with a price tag of 2 USD per 100K login). Microsoft is currently more focused on WAAD other than ADFS. WAAD will give you support for OAuth, mobile scenarios, Office 365, etc. Not saying that ADFS is being retired or anything like that, simply my point of view of where the investments are being made.
Putting things together requires some learning and time, so be prepared to hit some walls like certificate issues, miss-configurations, home realm discovery, claims transformation, SharePoint people picker, cookies, logout, etc.
Here are some pointers:
Matias