
Authentication with Active Directory by multiple clients

A client that I work with has an existing Active Directory for their employee information, and they want to create an application that can log in using information stored in Active Directory. The application should have a web (.NET), mobile (Android and iPhone), and optional desktop interface.

I haven't worked with Active Directory before. I did some study on Active Directory, and here's what I understand so far:

There are 2 ways to authenticate with an Active Directory:

  • By LDAP: for .NET, can use System.DirectoryServices (and System.DirectoryServices.AccountManagement) namespace classes to perform authentication. For Android, iPhone, I guess there will be some libraries in those platforms to do LDAP queries to Active Directory (any suggestion?)
  • By ADFS as identity provider: from what I understand, ADFS is an extension to AD that provides an SSO feature, and it can be configured as an identity provider, is that correct? And so .NET, Android, iPhone clients can use their libraries to do OAuth/OpenID authentication with Active Directory through ADFS

Is my understanding above correct? And which way is better? Why should one use one but not the other? How does Azure AD come into this picture?

Basically yes.

ADFS 3.0 supports OAuth2 - the earlier versions don't.

Note that there are a number of identity providers that can use AD, e.g. Shibboleth and PingFederate.

If you want SSO and if your .NET application is claims-based (i.e. WIF) then use ADFS. You essentially outsource authentication to a trusted and verified security system and you get back a signed token that contains whatever AD attributes you require. ADFS also provides the ability to federate with other STSs, e.g. Azure AD.

In terms of mobile, have a look at the Azure AD Authentication Library for .NET.

With AD you have to do this all yourself. It's up to you to get the AD attributes. And you need to think about how to ensure security.

With ADFS, you can sync your users to AAD and hence use your on-premise credentials in the cloud.
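The LDAP route from the question's first bullet, written out as an added example that is not part of the question or the answer above. It shows the work the answer says you have to do yourself when you go directly against AD: validate the password with System.DirectoryServices.AccountManagement, then fetch the attributes and group memberships the application needs, with the bind options that keep the credential off the wire in the clear. The domain name corp.example.com, the user jdoe and the group App-Users are placeholders, not values from the page.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

// Added example, not code from the original post. "corp.example.com",
// "jdoe" and "App-Users" are placeholders; substitute your own values.
public static class AdLogin
{
    public sealed class Result
    {
        public bool Authenticated;
        public string DisplayName;
        public string Email;
        public List<string> Groups = new List<string>();
    }

    public static Result Authenticate(string domain, string userName, string password)
    {
        var result = new Result();

        // An LDAP bind with an empty password is an anonymous bind and can
        // succeed, which would look like a valid login. Refuse it before
        // touching the directory at all.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return result;

        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            // Negotiate uses Kerberos (falling back to NTLM); Sealing and
            // Signing keep the exchange encrypted and integrity-protected.
            // Do not use ContextOptions.SimpleBind unless you also pass
            // ContextOptions.SecureSocketLayer (LDAPS): a plain simple bind
            // sends the password in clear text.
            const ContextOptions opts = ContextOptions.Negotiate
                                      | ContextOptions.Sealing
                                      | ContextOptions.Signing;

            if (!ctx.ValidateCredentials(userName, password, opts))
                return result;

            // The password is good. Read the attributes the application needs;
            // this lookup runs under the service's own identity, not the user's.
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            {
                // A correct password on a disabled account is still a rejection.
                if (user == null || user.Enabled == false)
                    return result;

                result.DisplayName = user.DisplayName;
                result.Email = user.EmailAddress;

                // GetAuthorizationGroups resolves nested membership, which is
                // what an "is this user allowed into the app" check needs.
                foreach (Principal g in user.GetAuthorizationGroups())
                {
                    if (g.SamAccountName != null)
                        result.Groups.Add(g.SamAccountName);
                }
            }
        }

        result.Authenticated = true;
        return result;
    }

    // Authorization is a separate decision from authentication: a valid
    // domain account is not automatically an application user.
    public static bool IsAllowed(Result r, string requiredGroup)
    {
        return r.Authenticated
            && r.Groups.Contains(requiredGroup, StringComparer.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        Result r = Authenticate("corp.example.com", "jdoe", "correct horse battery staple");
        Console.WriteLine(IsAllowed(r, "App-Users")
            ? "Login OK: " + r.DisplayName
            : "Login rejected");
    }
}
```

Two design choices worth noting. The user's credentials are used for exactly one thing, the ValidateCredentials call; the attribute and group lookup runs with the service identity, so the application never holds a directory session as the end user. And the mobile and desktop clients in the question do not need an LDAP library at all under this design: they submit the username and password over TLS to the .NET service that runs this code, which is the only component that talks to the domain controller.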
