Simple and free
If you're looking for a free solution, and most of your users already have an account with either Facebook, Google, Twitter or Microsoft, then an easy solution is to simply use these services for your authentication. They all provide some external authentication endpoint, either using OpenId Connect or OAuth2.
- Simple to set up
- Good user experience – often a one-click sign in
- Plenty of documentation out there
- People must have an account with an external service
- No control over accounts or signup process
- Profile management can be tricky – do you use Google's display name or your own?
Simple, managed as a service
There are providers out there which offer identities and access control as a hosted service.
- Much more control of access control and user profiles
- Quick and easy to set up, with plenty of samples
- Costs money for more advanced features
- Externally hosted, which may not be desired in some enterprises
There are several providers to choose from – here are some of the more popular ones. Be sure to choose ones that fit your situation, as they each have different levels of compliance, features, support, and pricing.
It's not uncommon for an organization to already be using LDAP, and IIS can supply Windows identities out of the box. It's quick and easy to set up, but not very powerful and often all-or-nothing.
- Good user experience
- No management of users required at all
- Leverages existing user storage
- Companies like to use their Active Directory accounts everywhere
- Role-based authorization can be difficult as the Active Directory API isn't simple
- Can be slow, depending on AD setup
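As an added example (not from the original post), this is what the "quick to set up, but all-or-nothing" trade-off looks like in a web.config for an ASP.NET application hosted in IIS. Anonymous access is switched off, Windows authentication is switched on, and URL authorization is then restricted to members of one Active Directory group, which is the simplest form of the role-based authorization the list above describes. The domain and group name `CONTOSO\AppUsers` and the `/Admin` path are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET consumes the Windows identity that IIS negotiated for the request. -->
    <authentication mode="Windows" />

    <!-- Site-wide rule: only members of a constructed placeholder AD group get in.
         Role names are checked against the caller's Windows group membership,
         so no role provider or user store has to be written. -->
    <authorization>
      <allow roles="CONTOSO\AppUsers" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- A narrower rule for one path; location rules are evaluated before the
       site-wide rule, so an extra group can be required for /Admin. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\AppAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <security>
      <authentication>
        <!-- All-or-nothing: with anonymous access off, every request must carry
             a Windows identity before the application code even runs. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Two things to check before relying on this: IIS locks the `system.webServer/security/authentication` section at server level by default, so the delegation has to be unlocked in applicationHost.config (or the same settings applied in IIS Manager) or the site will fail to start; and `Negotiate` is listed first so Kerberos is attempted before falling back to NTLM, which only works when the application pool identity has the right service principal name registered. The `<deny users="*" />` lines are what make the scheme all-or-nothing: anyone outside the listed groups gets a 401 rather than a reduced experience.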
The above options are about delegating identity access and authorization to another party, which may not be a good fit for your enterprise. If full control over everything is required, then going with Identity Server for authentication and MembershipReboot for user storage is the best idea. It does all the heavy lifting, allowing secure, robust and configurable storage of identities with industry-standard authentication schemes. The best part is you don't have to be a security consultant to implement it – though it is a good idea to have a solid understanding of security principles.
- Highly configurable
- Uses industry-standard best practices for security
- Steep learning curve
- Takes a lot of development time to implement well
- Requires vigilance to keep up-to-date to ensure any security issues are addressed as soon as they're raised
Roll your own
One of the more common options for enterprises is to try and roll their own implementation. This usually results in poor security and difficult-to-maintain code.
- Developers feel like they're ninjas for a little while
- Developers stop feeling like ninjas when they realize how complicated it is
- Quickly turns into code that everyone wants to avoid
- Very expensive to develop and maintain
- Insecure – this needs to be mentioned again. Security is very difficult to do correctly and best left to experts