[英]Windows Azure ACS with Active Directory as identity provider for SSO
We have a few .NET based web applications. 我们有一些基于.NET的Web应用程序。 The user base for the applications include mobile subscribers who enroll to check their bills.
该应用程序的用户群包括注册以检查其账单的移动订户。 The plan is to provide Single Sign-On across my applications.
该计划是在我的应用程序中提供单一登录。 We are exploring using Windows Azure ACS with Active Directory as identity provider for my application users for the purpose.
为此,我们正在探索将Windows Azure ACS与Active Directory一起用作我的应用程序用户的身份提供者。 Are we going in the right track with using Windows Azure ACS with Active Directory as identity provider?
通过将Windows Azure ACS与Active Directory用作身份提供者,我们走上了正确的轨道吗?
Windows Azure Active Directory is a good option for single sign-on, but it does not have to be used with ACS, as can be seen here Windows Azure的Active Directory是单点登录一个很好的选择,但它并没有与 ACS使用,因为在这里可以看到
http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx#BKMK_Connecting http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx#BKMK_Connecting
The advantages of ACS are that ACS的优势在于
However, on the down side 但是,不利的一面
I had to use ACS with WAAD in a previous application I worked on because (for some reason) the ASP.Net MVC anti-forgery protection relies on a claim of type 我必须在以前的应用程序中将ACS与WAAD一起使用,因为(由于某种原因) ASP.Net MVC防伪保护依赖于类型声明
http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider
which is not issued by WAAD. 不是由WAAD 发布的。 I used a simple claim transformation rule in ACS to transform the WAAD issued claim of type
我在ACS中使用了简单的声明转换规则来转换WAAD发布的类型的声明
http://schemas.microsoft.com/identity/claims/identityprovider
into an equivalent claim of type 转化为等价的类型
http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider
This was the only way I could think of to fix my issue at the time so it made it worth using ACS in my case. 这是当时我想解决问题的唯一方法,因此值得在我的情况下使用ACS。 I never found out whether you could do this purely with WAAD (maybe using the graph API) because of time pressures on the project at the time.
由于当时项目的时间压力,我从未发现您是否可以仅使用WAAD(可能使用图形API)来完成此操作。
In answer to the extra question in your comment, there is no way to replace the sign-on page if you are using WS-Federation or OAuth 2. A crucial point of those approaches is that the user only enters their credentials into the (trusted) UI provided by the identity provider. 为了回答您评论中的其他问题,如果您使用的是WS-Federation或OAuth 2,则无法替换登录页面。这些方法的关键点在于,用户仅将其凭据输入到(受信任的)身份提供者提供的用户界面。 I think you can replace the image with one of your own though.
我认为您可以用自己的一个替换图像。 Maybe you could gather the users credentials with your own UI and get a token using the WS-Trust endpoint, but this would not give you genuine web SSO in the sense that the sign-in session would not be automatically flowed between your different web applications.
也许您可以使用自己的UI收集用户凭证并使用WS-Trust端点获取令牌,但这在一定意义上不会为您提供真正的Web SSO,因为登录会话不会在不同的Web应用程序之间自动流动。 。
Actually, there is a workaround to provision AAD as identity provider in ACS. 实际上,在ACS中有一种解决方法可将AAD设置为身份提供者。 http://www.cloudidentity.com/blog/2013/10/03/provisioning-a-windows-azure-active-directory-tenant-as-an-identity-provider-in-an-acs-namespacenow-point-click/
http://www.cloudidentity.com/blog/2013/10/03/provisioning-a-windows-azure-active-directory-tenant-as-an-identity-provider-in-an-acs-namespacenow-point-点击/
Basically, what has to be done is add the FederationMetadata.xml url when AAD is created as Identity provider in ACS. 基本上,要做的是在ACS中将AAD创建为身份提供者时,添加FederationMetadata.xml URL。
After (in VS 2012) there is anew utility Identity and Access that will let you choose the IPs, and will create a new group in ACS, in which it has to be add the claim(s) transformation rule that we need (it is said in the post should be checked in code because claim changes) 之后(在VS 2012中),有一个新的实用程序“身份和访问”,可以让您选择IP,并在ACS中创建一个新组,在其中必须添加我们需要的声明转换规则(表示帖子中的内容应在代码中检查,因为声明已更改)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.