How to get Azure Active Directory role or user group
I have a Win 8 app in which I want to authenticate ADFS users based on role. I found an article, http://msdn.microsoft.com/library/azure/dn169448.aspx, which is a very good article on integrating a Win 8 app with ADFS; it uses MVC as the web client for AD.
AuthenticationContext authenticationContext = new AuthenticationContext("https://login.windows.net/" + domainName);
AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resourceAppIDUri, clientID);
if (AuthenticationStatus.Succeeded != result.Status)
{}
By using this code the user gets authenticated successfully. If that succeeds, I then want to authorize the user against a user group. Is there any way?
There is a method ClaimsPrincipal.IsInRole(), but it always returns false. And in the Claims collection there is nothing for role or user group. I searched the net and found this link: http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
But this uses the Graph API. I want it in a simpler way. Anyway, I tried to use the Graph API, but on requesting https://graph.windows.net/{0}/Users('{1}')/MemberOf I get a privilege exception. The Graph API can only be used by an admin-privileged account. So how am I going to fetch the current user's login groups?
That post is for Azure Active Directory. The only way in AAD to get the roles is via the Graph API.
You want to use ADFS. ADFS does not support the Graph API. ADFS supplies roles in the form of claims. This uses a SAML token.
But the title states "Azure AD IsInRole"?
Please edit the question to make it clear exactly what topology (ADFS / AAD) you are targeting.
Win 8 applications are what is referred to as native applications. These typically use OAuth. OAuth is only supported in ADFS 3.0, i.e. Server 2012 R2.
I found a solution using the Graph API. Below is the method with the ClaimsPrincipal parameter, which you get after the user has logged in. I used the link specified above in the question to log the user in.
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;

// Returns the Graph API memberOf response (JSON) for the signed-in user.
// Declared as async Task<string> rather than async void so the caller can
// await it, receive the result and observe any exception.
private async Task<string> GetToken(ClaimsPrincipal claimsPrincipal)
{
    // UPN and tenant id come from the claims issued at sign-in
    string upn = claimsPrincipal.FindFirst(
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn").Value;
    string tenantID = claimsPrincipal.FindFirst(
        "http://schemas.microsoft.com/identity/claims/tenantid").Value;
    string requestUrl = string.Format("https://graph.windows.net/{0}/users/{1}/memberOf?api-version=2013-04-05",
        tenantID, Uri.EscapeDataString(upn));
    string appPrincipalID = "152313bf-2566-4bbb-8160-06013dc45679"; // this is the client id you get after creating the web API on Azure
    string appKey = "XP7rvrbzOXl6n94STPgI6LTqU1fOTje4cu+Cererererer8nE="; // generate it on the web app on Azure; it is a secret, keep it out of source control

    // Client-credentials token request against the tenant's token endpoint
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(String.Format(
        "https://login.windows.net/{0}/oauth2/token?api-version=1.0",
        tenantID));
    System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
    string postData = "grant_type=client_credentials";
    postData += "&resource=" + HttpUtility.UrlEncode("https://graph.windows.net");
    postData += "&client_id=" + HttpUtility.UrlEncode(appPrincipalID);
    postData += "&client_secret=" + HttpUtility.UrlEncode(appKey);
    byte[] data = encoding.GetBytes(postData);
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = data.Length;

    // Model that maps token_type / access_token from the JSON token response (defined elsewhere in the project)
    Models.AADJWTToken token = null;
    using (Stream stream = await request.GetRequestStreamAsync())
    {
        stream.Write(data, 0, data.Length);
        stream.Flush();
    }
    using (var response = await request.GetResponseAsync())
    using (var stream1 = response.GetResponseStream())
    using (var reader = new StreamReader(stream1))
    {
        string str = await reader.ReadToEndAsync();
        token = Newtonsoft.Json.JsonConvert.DeserializeObject<Models.AADJWTToken>(str);
    }

    // Call the Graph API with the application token as a bearer token
    HttpClient httpClient = new HttpClient();
    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.TokenType, token.AccessToken);
    var re = await httpClient.GetAsync(requestUrl);
    re.EnsureSuccessStatusCode();
    var se = await re.Content.ReadAsStringAsync();
    // this variable holds your result with the user's groups in JSON format
    return se;
}
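The answer above stops at a string of JSON. What a practitioner still needs is the part that turns that JSON into an authorization decision, the IsInRole replacement the question asks for. The following is an added example in Python, not code from the answer or from Microsoft. It builds the same client_credentials form body and memberOf URL as the C# above, follows odata.nextLink paging, and checks membership by objectId rather than displayName. It assumes the 2013-04-05 response shape (a `value` array of directory objects with `objectType`, `objectId` and `displayName`, plus a tenant-relative `odata.nextLink` that still needs `api-version` appended); the tenant, UPN, object ids and both response pages are constructed, and `fake_fetch` stands in for the authenticated HttpClient call.

```python
import json
from urllib.parse import quote, urlencode

GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form_body) for the client_credentials grant used in the answer.
    The secret is form-encoded like the C# HttpUtility.UrlEncode calls; it must
    never be logged or shipped inside a client app (assumption: this runs server-side)."""
    url = f"https://login.windows.net/{tenant}/oauth2/token?api-version=1.0"
    body = urlencode({
        "grant_type": "client_credentials",
        "resource": GRAPH,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return url, body


def memberof_url(tenant, upn):
    # Percent-encode the UPN so characters like '@', '#' or '/' cannot alter the path
    return f"{GRAPH}/{tenant}/users/{quote(upn, safe='')}/memberOf?api-version={API_VERSION}"


def collect_memberships(fetch, tenant, upn):
    """Follow odata.nextLink pages and return [{objectType, objectId, displayName}, ...].
    `fetch(url)` is supplied by the caller (a wrapper around the bearer-authenticated
    GET); a single page is never the whole answer for users in many groups."""
    url = memberof_url(tenant, upn)
    out = []
    while url:
        page = json.loads(fetch(url))
        for obj in page.get("value", []):
            out.append({k: obj.get(k) for k in ("objectType", "objectId", "displayName")})
        nxt = page.get("odata.nextLink")
        # Assumption: nextLink is tenant-relative and api-version must be re-appended
        url = f"{GRAPH}/{tenant}/{nxt}&api-version={API_VERSION}" if nxt else None
    return out


def is_in_role(memberships, allowed_object_ids, object_type="Group"):
    """IsInRole replacement. Match on objectId, not displayName: names are not
    unique in a directory and are chosen by whoever creates the group."""
    return any(m["objectType"] == object_type and m["objectId"] in allowed_object_ids
               for m in memberships)


# ---- constructed sample data (not captured from a real tenant) ----
TENANT = "contoso.onmicrosoft.com"
UPN = "alice@contoso.onmicrosoft.com"
ADMINS_GROUP_ID = "11111111-1111-1111-1111-111111111111"
_NEXT = "directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User/alice/memberOf?$skiptoken=X'abc'"

_PAGE1 = json.dumps({
    "odata.metadata": f"{GRAPH}/{TENANT}/$metadata#directoryObjects",
    "value": [
        {"odata.type": "Microsoft.WindowsAzure.ActiveDirectory.Group", "objectType": "Group",
         "objectId": ADMINS_GROUP_ID, "displayName": "App Admins"},
        {"odata.type": "Microsoft.WindowsAzure.ActiveDirectory.Role", "objectType": "Role",
         "objectId": "22222222-2222-2222-2222-222222222222", "displayName": "Company Administrator"},
    ],
    "odata.nextLink": _NEXT,
})
_PAGE2 = json.dumps({
    "odata.metadata": f"{GRAPH}/{TENANT}/$metadata#directoryObjects",
    "value": [
        {"odata.type": "Microsoft.WindowsAzure.ActiveDirectory.Group", "objectType": "Group",
         "objectId": "44444444-4444-4444-4444-444444444444", "displayName": "Finance"},
    ],
})
_RESPONSES = {
    memberof_url(TENANT, UPN): _PAGE1,
    f"{GRAPH}/{TENANT}/{_NEXT}&api-version={API_VERSION}": _PAGE2,
}


def fake_fetch(url):
    """Stand-in for the authenticated HttpClient GET; raises KeyError on an unexpected URL."""
    return _RESPONSES[url]


def demo():
    memberships = collect_memberships(fake_fetch, TENANT, UPN)
    return is_in_role(memberships, {ADMINS_GROUP_ID})


if __name__ == "__main__":
    print(collect_memberships(fake_fetch, TENANT, UPN))
    print("authorized:", demo())
```

Because the client_credentials grant needs the app key, this lookup belongs in the MVC/web API back end the question mentions, not in the Win 8 app itself, where the key could be extracted from the package. Keeping the allowed group ids (not names) in server-side configuration is what makes the check equivalent to a trustworthy IsInRole.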