Active Directory authorization

Question

Hi I'm doing a project about single authentication and authorization using Web Service and Active Directory. The main idea is that any application in an organization should adapt themselves for using my Web Service in parts of authentication to use only one users' identity for a user for every applications. The users' identities are kept in AD and used by the Web Service. Another part is authorization. Now I designs that the service provides methods for application registration so that the applications can register to the service and that the service manages publishing the applications into the AD. The application developers also has to grant privileges for an application to groups/roles of users via the service. This can authorize users who access applications. Moreover I want to do central authorization in a deeper level the business logic level of the applications. I want my service whose authorization core is on AD to be able to control users using internal processes of an application like the way GPOs work with Windows. I wonder if it's possible? Maybe done by controlling some libraries in .NET Framwork for applications using .NET or something like that?

Bechir Bejaoui · Answer

Yes you can of corse but what I mean is to profit of the exisiting API to do that there are a lot of features in .Net framework those help to attempt the same goal for example the windows ACL configuring To manage the users and the process you can make use of the WMI API here is a context for that

Fukzai Taam · Answer

Yeah it's not just authenticate look at role for authorization and redirect to the right page like that. The same concept is the role-based authorization but I also want my service to know which role can access which process within an application. So I orients to AD and looks for any features in AD that could solve this problem. Another reason I chose to use AD is that it provides easier to do both authentication and authorization. The only authorization I can think of how to do right now is in the page level like the example (with AD instead of RDB). I just starts to learn AD. I want to know is it possible to come up with that problem with AD.

Bechir Bejaoui · Answer

You can simply use the authentification and autorization form to leverage that or is there any other functionalities those are required?