
Single sign on with ADFS

I am looking for single sign on for my application which is built on javascript (no server side language).

Requirement:

  1. Agent logs in to Windows (user integrated to Active Directory)
  2. Open my web page
  3. Based on who logged in to Windows, my application goes to AD and pulls some user-specific data (eg email, phone)

How shall I go about it?

As per my understanding I will require ADFS for this. So:

  1. User goes to my web page
  2. My web page calls some web services or web application (which is built on C#)
  3. That will authenticate against AD FS and get claims
  4. Either get phone number and email in the claims, or get the username and query AD for phone and email
  5. Return the data to my web page (built on javascript)

It seems there is something wrong in my understanding!!

Please suggest a more appropriate solution based on my requirement.

Frankly, I can't think of a way to make it work without server side processing. This is because the ws-federation protocol ADFS uses is not just about returning claims.

It is about returning a SAML token. The token contains claims, but what is most important about it is that it is signed using XMLDsig. How you are going to validate the token is the first big question. But there are surely external libraries that allow that.

But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because ws-federation stops where you get the token, and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.

ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.

You can set up something like AuthorizationServer that supports OAuth2/OpenID Connect implicit profile: http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/

Another option is to use something like Auth0 (Disclaimer: I work for Auth0) which also supports the OAuth2/OpenID Connect implicit profile. In that case you wouldn't need ADFS; there is a connector/agent that you install on your network that does not require opening firewalls or anything, and it supports the implicit profile that is suited to JavaScript apps. This is an example of a single page app tutorial (if you create an account it will tailor the doc with your credentials):

https://docs.auth0.com/singlepageapp-tutorial
