[英]How to add roles to Windows Identity Foundation (WIF) claim
I have a requirement to add an STS (security token service) to a ASP.NET Webforms website. 我需要将STS(安全令牌服务)添加到ASP.NET Webforms网站。 The main issue is that I need to add a claim for the roles after authentication takes place, as the Identity provider does not have the role information.
主要问题是,身份验证发生后,我需要为角色添加声明,因为身份提供者没有角色信息。
I have implemented the CustomSecurityTokenService
in a Local STS using code similar to the below. 我已经使用类似于下面的代码在本地STS中实现了
CustomSecurityTokenService
。 This code works as expected - howeever, I need to add the bit under the comment "get roles for user here" later in the process.. 该代码按预期方式工作-但是,在此过程的后面,我需要在注释“在此处为用户提供角色”下添加一些位。
// Get the incoming identity
IClaimsIdentity callerIdentity = (IClaimsIdentity)principal.Identity;
// Issue custom claims.
ClaimsIdentity outputIdentity = new ClaimsIdentity("Federation");
var username = callerIdentity.Name;
var domain = "DOMAIN";
outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, callerIdentity.Name));
outputIdentity.Claims.Add(new Claim(ClaimTypes.WindowsAccountName, string.Format("{0}\\{1}", domain, username)));
// get roles for user here:
var roles = "Admin";
string[] rolelist = roles.Split(',');
foreach (var role in rolelist)
{
outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, role));
}
return outputIdentity;
The problem that I have, is that I cannot get the roles at this time as they are provided by a service outside of the Identity Provider. 我的问题是,由于身份提供者外部的服务提供了这些角色,因此我目前无法获得这些角色。 I need to wait until I go back to the RP (application) before I can get it - but by that time, the security settings in the web.config have locked me out due to my role settings.
我需要等到返回RP(应用程序)后才能获取它-但是到那时,由于角色设置,web.config中的安全设置已将我锁定了。
<location path="Pages/Secure/Messages/Default.aspx">
<system.web>
<authorization>
<allow roles="Admin, Tecchies"/>
</authorization>
</system.web>
</location>
I thought that I might be able to use an event in the global.asax, but as yet I have not been able to get any option here to work. 我以为我可能可以在global.asax中使用一个事件,但是到目前为止我还没有办法在这里工作。 Something like this code:
类似于以下代码:
var currentUser = Service.GetUser(callerIdentity.Name);
foreach (var role in currentUser.Roles)
{
outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, role));
}
I'm using .NET 4.0 - although I understand that there may be some benefits of upgrading to 4.5, this is not an option at present for me. 我正在使用.NET 4.0-尽管我了解升级到4.5可能会有一些好处,但目前对我而言这不是一个选择。
Ive spent an age on this, so any help gratefully received! 我已经花了很长时间了,所以很感激收到任何帮助!
I ended up finding the answer after looking at this link and this link . 在查看此链接和此链接后,我最终找到了答案。
The one thing that I didn't get initially was that in order to use the ClaimsAuthenticationManager
you need to add the extra line in your web.config in the <microsoft.identityModel><services>
section to wire up the implementation. 最初我没有得到的一件事是,为了使用
ClaimsAuthenticationManager
您需要在<microsoft.identityModel><services>
部分的web.config中添加额外的行以连接实现。
Thus: 从而:
<claimsAuthenticationManager type="MyCustomClaimsAuthenticationManager" />
I wondered why my code was never being executed.. 我想知道为什么我的代码从未执行过。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.