在本地和Azure上使用Active Directory进行身份验证

Question

I'm developing an application for my company's internal use. We wish the application to live on Azure and to utilize windows accounts for authentication. We are working on enabling Active Directory Federation Servers (ADFS) in order to synchronize our organizational AD to Azure AD. While that is being done, I am working on code responsible for determining who a user is. My main goal is to restrict the Admin controller to those users who belong to an active directory group. My impression is that ADFS should allow me to query this in Azure.

I have created a service that utilizes LDAP to determine whether or not the current user is in a particular group, and it works great locally. However, through some reading, I've determined that LDAP is not supported by Azure AD. Darn!

The preferred route to communicate with the Azure AD seems to be the Graph API . However, the graph API does not seem to be support by an enterprise/organizational AD.

My first thought solve this is to utilize dependency inject to switch the service being used based on the environment, but I'm thinking there has to be a better way.

What technology should I be using to interact with both on-premise Active Directory, as well as Azure Active Directory?

Answer 1

We faced this same issue in our Azure implementation and discussed it at length with Microsoft. Currently there is no common method for directory queries. I believe Microsoft's plan is to eventually add GraphAPI to AD DS.

Another option, if you're using a claims-based authentication protocol like OpenID Connect, is to have the Identity Provider issue claims with the values needed for your authorization logic.

Answer 2

ADFS is a tool for identity federation and not directory sync. For directory sync you would use AADSync - http://www.microsoft.com/en-us/download/details.aspx?id=44225

The simplest way to achieve this is to use federation with ADFS and have ADFS populate the assertion with Role information. Set up a new relying party in ADFS and add the a new Issuance Transform Rule

 Template: Send Group Membership as a claim Name: Admin claim Users Group: Choose your domain local group Outgoing claim type: Role Value: MyAdminRole 

You can set up the federation very easily with Visual Studio 2012 or later or add an OWIN startup class such as the following:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
        {
            MetadataAddress = "https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml",
            Wtrealm = "urn:appid"
            // SignInAsAuthenticationType = // This is picked up automatically from the default set above
        });

        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;

    }

Then all you need to do is add the Authorise attribute to your controllers:

[Authorize(Roles = "MyAdminRole")]
public class AdminController : Controller
{
 ...
}

For completeness, I will also add that once AADSync is configured and running, you can also use Graph API to obtain information about your users once it has been synced to Azure AD. User and Group updates can be delayed by upto 3 hours though.

HTH