.NET 4.5 声明身份模型

Question

We have two ASP .NET web applications living on different servers. All authentication in our organization is done via Windows Authentication against Active Directory - so no username and password authentication in the web apps themselves.

We'd like to use claims based authorization and have these two web applications share information about what claims a given user has.

I'm trying to figure out how to go about this.

We have ADFS 2.0 and I know I can set up Federated Authentication using this...but where should my AD users' claims be stored and how are they hydrated and thus shared. Do the claims themselves end up in cookies after authentication?

Specifically, the scenario should be this:

• User navigates to web app 1
• Business decisions are made based on the ClaimsPrincipal's AuthorizationDecision ClaimsTypes
• Web app 1 redirects to web app 2 (or they navigate there directly later)
• Business decisions are made based on the same AuthorizationDecision ClaimsTypes' values
• Why? Because web app 1 and web app 2 both pull some common data from a third party data source - and they both need to know if the user is authorized to view certain entity types in that third party data.

Answer 1

Claims are filled from a store. Default store for ADFS is the AD. ADFS can get the content of your AuthorizationDecision from an AD attribute and/or from a Custom Attribute store: Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.IAttributeStore. This would provide a central location for configuration and administration.

The Apps could also query themselves and add to the claims. Different versions of the claims framework have slightly different interfaces. And yes, the apps store their claims in a cookie (each app has its own cookies). Unless you want smaller cookies, then the cookie only contains a reference. In this apps 'claims enrichment' scenario, each app needs the logic.

Both scenarios have advantages and disadvantages.