I want to implement a universal authentication and authorization mechanism in my company. It should be able to use Active Directory accounts, a custom user database and external OAuth tokens, and be ready to add other methods (maybe something like "safe VPN" accounts).
I've read a lot about Security Token Service and it is exactly what fits my needs, but I've found opinions that I should use a custom STS only for development/testing purposes and that in a production environment I should use something like Active Directory Federation Services 2.0 or Microsoft Azure Access Control Service. But AD FS 2.0 cannot authorize users who do not exist in AD, right? What is the reason they insist on using their solutions?
In Visual Studio 2015 I could not even find a tool like 'Identity and Access Tool'; everything is hidden inside the Framework. So I wonder whether creating a custom STS based on System.IdentityModel.SecurityTokenService is a good idea, or whether I don't understand the actual standards? If it is, does anyone have a link to a tutorial/example of how to do it in WIF 4.5?
I've found an article that really helped me. It lists the questions you should ask yourself before you start implementing your own STS: https://virtualdirectory.wordpress.com/2012/06/09/extending-adfs-to-multiple-identity-and-attribute-stores-part-2-of-2-the-tough-questions/
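The post asks what a custom STS on System.IdentityModel.SecurityTokenService (WIF 4.5) would look like when several identity stores sit behind it. The following is an added example written for this page, not code from the question or from the linked article. It assumes an already-authenticated ClaimsPrincipal arrives at the STS (the AD, database or OAuth authentication itself happens in the endpoint that calls the STS), and it introduces the hypothetical `IClaimsSource` interface, the `InMemoryDbClaimsSource` sample store, the `urn:example:idp` claim type and the example.local URLs; none of those come from the page. The two security checks a practitioner would want are included: the relying-party allow-list in `GetScope`, so the STS never mints tokens for an audience it does not know, and the "exactly one store vouches for this principal" rule in `GetOutputClaimsIdentity`, so claims from different stores are never merged by accident.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// Hypothetical abstraction: each backing store (AD, custom DB, OAuth, ...) turns a
// principal that it authenticated into the claims it is willing to vouch for.
public interface IClaimsSource
{
    bool Handles(ClaimsPrincipal principal);          // does this store own that authentication type?
    IEnumerable<Claim> GetClaims(ClaimsPrincipal principal);
}

// Sample "custom user database" source backed by a constructed in-memory table.
public class InMemoryDbClaimsSource : IClaimsSource
{
    private static readonly Dictionary<string, string> Roles = new Dictionary<string, string>
    {
        { "alice", "Admin" }, { "bob", "User" }   // constructed sample data
    };

    public bool Handles(ClaimsPrincipal p) => p.Identity.AuthenticationType == "CustomDb";

    public IEnumerable<Claim> GetClaims(ClaimsPrincipal p)
    {
        string role;
        if (!Roles.TryGetValue(p.Identity.Name, out role))
            throw new InvalidRequestException("Unknown user: " + p.Identity.Name);
        yield return new Claim(ClaimTypes.Name, p.Identity.Name);
        yield return new Claim(ClaimTypes.Role, role);
    }
}

public class CustomStsConfiguration : SecurityTokenServiceConfiguration
{
    public IList<IClaimsSource> Sources { get; }

    // Signing credentials come from a certificate; the issuer name is a hypothetical value.
    public CustomStsConfiguration(X509Certificate2 signingCert, IList<IClaimsSource> sources)
        : base("https://sts.example.local/", new X509SigningCredentials(signingCert))
    {
        Sources = sources;
    }

    // The base class instantiates SecurityTokenService via a config-only constructor,
    // so override the factory to hand the sources through.
    public override SecurityTokenService CreateSecurityTokenService()
        => new CustomSecurityTokenService(this);
}

public class CustomSecurityTokenService : SecurityTokenService
{
    // Relying parties this STS may issue tokens for (hypothetical allow-list).
    private static readonly HashSet<string> AllowedRelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "https://app.example.local/" };

    private readonly IList<IClaimsSource> _sources;

    public CustomSecurityTokenService(CustomStsConfiguration config) : base(config)
    {
        _sources = config.Sources;
    }

    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required");

        string appliesTo = request.AppliesTo.Uri.OriginalString;
        // An STS that signs for any audience is a token-forging oracle; refuse unknown RPs.
        if (!AllowedRelyingParties.Contains(appliesTo))
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);

        return new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials)
        {
            ReplyToAddress = appliesTo,
            TokenEncryptionRequired = false   // enable once an encrypting credential per RP is configured
        };
    }

    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal,
                                                              RequestSecurityToken request, Scope scope)
    {
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated");

        // Exactly the store that authenticated the caller supplies the claims; never merge stores.
        foreach (var source in _sources)
        {
            if (!source.Handles(principal)) continue;
            var output = new ClaimsIdentity(source.GetClaims(principal), principal.Identity.AuthenticationType);
            // Tell relying parties which store vouched for the user so they can apply per-store policy.
            output.AddClaim(new Claim("urn:example:idp", source.GetType().Name));
            return output;
        }
        throw new InvalidRequestException("No claims source for " + principal.Identity.AuthenticationType);
    }
}
```

Adding an AD or OAuth store means adding another `IClaimsSource` (one that checks `AuthenticationType == "Negotiate"` or the OAuth scheme name) and registering it in `Sources`; the STS code itself does not change. Hosting the configuration behind a WS-Federation or WS-Trust endpoint, and the authentication step that produces the incoming principal, are outside this example.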