是否可以使用machinekey piggy带ADFS 3.0登录名?
[英]Is it possible to piggyback off of an ADFS 3.0 login using machinekey?
问题描述
I have three asp.net applications. 
我有三个asp.net应用程序。 Only one of them has a forms authentication login. 其中只有一个具有表单身份验证登录名。 I redirect anonymous users to that one login page for all three applications to login. 我将匿名用户重定向到该登录页面,以供所有三个应用程序登录。 Once they log in, they automatically redirected back to the application and page they were attempting to access. 登录后,他们会自动重定向回尝试访问的应用程序和页面。
I enabled this functionality by setting the same MachineKey in all three applications. 我通过在所有三个应用程序中设置相同的MachineKey来启用此功能。
Is there a way to do this for ADFS 3.0 WIF authentication as well? 是否也可以对ADFS 3.0 WIF身份验证执行此操作? It doesn't seem to work the same in my testing. 在我的测试中,它似乎无法正常工作。 When I log into the application that is wired up to ADFS, I still can't access the other two. 当我登录连接到ADFS的应用程序时,我仍然无法访问其他两个。
1 个解决方案
解决方案1
1 已采纳 2015-04-16 19:00:56
WIF and ADFS don't work the same way as traditional forms authentication. WIF和ADFS的工作方式与传统表单身份验证不同。 These technologies rely on issuing access tokens, and require that dependent applications (also known as Relying Parties, or RPs) configure a trust relationship with the token provider (AKA Identity Provider, or IP). 这些技术依赖于发布访问令牌,并要求从属应用程序(也称为依赖方或RP)配置与令牌提供者(AKA身份提供者或IP)的信任关系。 You can't share the cookie with MachineKey between apps that have not directly authenticated with an IP, and to be quite honest you don't want to. 您不能在尚未直接通过IP进行身份验证的应用程序之间使用MachineKey共享cookie,老实说,您不想这样做。
The typical web scenario (also known as Passive Federation ) is to have a separate application that functions as a Security Token Service (STS). 典型的Web场景(也称为Passive Federation )是拥有一个单独的应用程序,该应用程序充当安全令牌服务(STS)。 This application houses the Login.aspx page and is protected with Forms or Windows Authentication like you would find in a classic ASP.NET scenario. 此应用程序包含Login.aspx页,并像在经典ASP.NET方案中一样,受到Forms或Windows身份验证的保护。 When you attempt to access a web application that requires authentication, it needs to be set up to redirect you to the STS website, rather than handling it by itself. 当您尝试访问需要身份验证的Web应用程序时,需要将其设置为将您重定向到STS网站,而不是自己处理。 Once you log into the central STS, it will issue you a token that you then provide to applications to gain access. 登录到中央STS后,它将向您颁发令牌,然后将其提供给应用程序以获取访问权限。 If you use WIF properly, this is all handled behind the scenes and is just a matter of configuration. 如果正确使用WIF,则所有这些操作都是在后台进行的,仅是配置问题。
Each of your three web applications should be configured with a trust relationship to your IP. 您应该为三个Web应用程序中的每一个配置对IP的信任关系。 You said that you have a web application wired up to ADFS already, if that's via the proper trust relationship, then you should simply have to replicate that set up to your other 2 applications. 您说您已经有一个连接到ADFS的Web应用程序,如果这是通过适当的信任关系进行的,那么您只需要将该设置复制到其他2个应用程序即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.