Single sign-on - service for multiple organizations (ADFS and Form Auth mixed)
I want to develop a centralized application where users from different organizations can log in and perform operations on my site; later I will generate a report out of it and give it to each organization. I am maintaining my own SQL DB where I will save all the organization issuer, certificate thumbprint details, etc. I am able to dynamically send the signinRequest based on the organization id.
However, while coming back from their ADFS server with the token, I need the following details to be added in my web.config to validate the token.
I don't want to expose these details in my web.config for 2 reasons.
- Security [I need to have all the organizations' details in config, which may result in some fraudulent access]
- Performance [if I have 100 organizations who are going to use my app, is it advisable to configure all the issuer authorities in my config? Won't it hit the performance?]
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
  <authority name="name">
    <keys>
      <add thumbprint="{Org 1 thumbprint}"/>
      <add thumbprint="{Org 2 thumbprint}"/>
      <add thumbprint="{Org 3 thumbprint}"/>
    </keys>
    <validIssuers>
      <add name="http://test.login.edu/adfs/service/trust"/>
      <add name="Org 3 url"/>
      <add name="Org 4 url"/>
      <add name="Org 5 url"/>
    </validIssuers>
  </authority>
</issuerNameRegistry>
Your help will be very much appreciated. Thanks, Jeevitha
After some research, I have come up with the solution and it works fine too.
I will have the following setting in my web.config. [My custom class will do the returned token validation from the issuer]
<issuerNameRegistry type="ADFS_Lib.AccessControlServiceIssuerNameRegistry, ADFS_Lib">
</issuerNameRegistry>
In my class, I will be overriding the IssuerNameRegistry class's GetIssuerName method and validating the returned token and issuer against my DB, checking whether it is configured or not.
using System.IdentityModel.Tokens;
public class AccessControlServiceIssuerNameRegistry : IssuerNameRegistry
{
    // WIF also declares a single-argument abstract overload; it must be implemented as well
    public override string GetIssuerName(SecurityToken securityToken) { return GetIssuerName(securityToken, null); }

    public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
    {
        //here my DB validation code goes; return the registered issuer name, or null to reject the token
        return null;
    }
}
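A fuller version of that registry, as an added example and not the poster's own code: the thumbprint of the certificate that signed the token is looked up in a store (a constructed in-memory dictionary with placeholder values stands in for the SQL table described in the question), and the issuer name carried in the token must match the issuer registered for that certificate; returning null makes WIF reject the token.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;

namespace ADFS_Lib
{
    // Resolves the issuer of an incoming token from the certificate that signed it;
    // only certificates registered in our own store are accepted.
    public class AccessControlServiceIssuerNameRegistry : IssuerNameRegistry
    {
        // Stand-in for the SQL table (constructed data, placeholder values):
        // signing-certificate thumbprint -> registered issuer URL.
        private static readonly IDictionary<string, string> IssuerByThumbprint =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "ORG1_THUMBPRINT_PLACEHOLDER", "http://org1.example/adfs/services/trust" },
                { "ORG2_THUMBPRINT_PLACEHOLDER", "http://org2.example/adfs/services/trust" }
            };

        // Called by WIF with the token that carried the signing key.
        public override string GetIssuerName(SecurityToken securityToken)
        {
            var x509Token = securityToken as X509SecurityToken;
            if (x509Token == null) return null; // not signed by a certificate: reject

            string issuer;
            // Unknown thumbprint -> null; the token handler then throws a
            // SecurityTokenException and the sign-in is abandoned.
            return IssuerByThumbprint.TryGetValue(x509Token.Certificate.Thumbprint, out issuer)
                ? issuer
                : null;
        }

        // Overload that also receives the issuer name asserted inside the token.
        // Certificate and asserted issuer must agree: a token signed with org 1's
        // certificate but claiming org 2's issuer URL is rejected.
        public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
        {
            string registered = GetIssuerName(securityToken);
            if (registered == null || requestedIssuerName == null) return null;
            return string.Equals(registered, requestedIssuerName, StringComparison.OrdinalIgnoreCase)
                ? registered
                : null;
        }
    }
}
```

The registry only maps a signing certificate to an issuer name; whether that certificate is itself chain- or revocation-checked is governed separately by the certificateValidation settings in identityConfiguration, so this lookup does not replace them.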