Which version of Duende IdentityServer are you using? v7
Which version of .NET are you using? v8
Context
We have two sets of 'users'. The first is stored in our service based on IdentityServer and the second is stored in an Active Directory (onprem).
Question
To simplify our infrastructure, we want to remove the Active Directory (onprem) and migrate the users to the IdentityServer. However, this action should not be noticeable for the actual users. Therefore, we need to migrate the users and their credentials to the IdentityServer without assigning new passwords. We cannot read the passwords in plain text from the Active Directory.
I could not find anything about this in the documentation or in this forum. Is this still possible? (An LDAP connection as mentioned in #1189 would not be a solution as the Active Directory is to be suspended).
Expected behavior
We can import the users to our current Entity-Framework-based user-store or use a separate user-store that is not part of the Active Directory (onprem).
It sounds like you're after using a just-in-time approach to migrate over your users.
In general, you should be able to create an LDAP connection to validate user credentials as they sign in and implement some custom logic to determine if they are in your identity server user store, creating them in real time if they don't exist.
I don't believe there's a way to bulk import users from AD, certainly not without a password reset, which isn't as frictionless a solution as I'd want personally.
A just-in-time approach seems to be the way to go here. But I'd love to hear from others as this seems like a fairly common thing to want.
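The just-in-time flow described in the reply above, as an added sketch that is not code from the thread or from Duende. It assumes the Entity Framework user store is ASP.NET Core Identity (`UserManager<IdentityUser>`), that Active Directory is still reachable over LDAPS during the migration window, and that users bind with a UPN; `JitMigratingValidator`, `ldapHost` and `upnSuffix` are hypothetical names.

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical helper: call it from the login page in place of a direct password check.
public sealed class JitMigratingValidator
{
    private readonly UserManager<IdentityUser> _users;
    private readonly string _ldapHost, _upnSuffix; // assumed values, e.g. "dc01.corp.example", "corp.example"

    public JitMigratingValidator(UserManager<IdentityUser> users, string ldapHost, string upnSuffix)
        => (_users, _ldapHost, _upnSuffix) = (users, ldapHost, upnSuffix);

    public async Task<IdentityUser?> ValidateAsync(string userName, string password)
    {
        // An LDAP simple bind with an empty password is an unauthenticated bind
        // and can succeed on the server, so reject it before touching the directory.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return null;

        var local = await _users.FindByNameAsync(userName);
        if (local is not null) // already migrated: local store is authoritative, no AD fallback
            return await _users.CheckPasswordAsync(local, password) ? local : null;

        if (!BindToDirectory(userName, password)) return null;

        // AD accepted the password, so hash and store it locally. CreateAsync fails if the
        // AD password does not satisfy the configured Identity password validators.
        var migrated = new IdentityUser { UserName = userName };
        var result = await _users.CreateAsync(migrated, password);
        return result.Succeeded ? migrated : null;
    }

    private bool BindToDirectory(string userName, string password)
    {
        try
        {
            using var conn = new LdapConnection(new LdapDirectoryIdentifier(_ldapHost, 636));
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true; // LDAPS: never send the password in clear
            conn.AuthType = AuthType.Basic;
            conn.Bind(new NetworkCredential($"{userName}@{_upnSuffix}", password));
            return true;
        }
        catch (LdapException) { return false; } // bad credentials or directory unreachable
    }
}
```

Accounts that never sign in during the migration window are not covered by this flow and still need a password reset once the directory is retired.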