
Login as different user using ADFS Authentication

I am new to using ADFS in a web application and need some help.

I have created a simple MVC web application and seem to have ADFS working (when I access the website it authenticates via the ADFS server and redirects back to my site). Now one of the features I want is for admins to be able to impersonate a user, on my site only, so that they can see the site as if they were the impersonated user. If I log in as John Smith, for example, then my HttpContext.Current.User is John Smith. I was able to do this on my old site quite easily because I could just set the auth cookie.

So the question is: is there a way to do this?

Some code that may help to understand my setup.

Startup.Auth.cs

using System.Configuration;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Identifier of this relying party as registered in ADFS (ida:Wtrealm in web.config).
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    // URL of the ADFS federation metadata document (ida:ADFSMetadata in web.config).
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Identities produced by the WS-Federation middleware are persisted in the cookie below.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Redirects unauthenticated users to ADFS and validates the signed token it returns.
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });
    }
}

Any help would be appreciated.

You can't really do that. When ADFS authenticates a user it generates a signed token which is sent back to your web application. The WsFederationAuthentication middleware receives this token, validates it and creates a claims principal from it.

Your cookie middleware serializes the claims principal into a cookie that travels back and forth between the browser and the application.

To make what you want work, you would need to have ADFS issue a token for someone else. Without their credentials that will not work.

Typically, you have your application change its look and feel based on what role a user is in. You can have ADFS do a role lookup against a SQL store and have it issue different role claims for a user. That would allow you to experience the application the same way as someone else in the same role.
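The answer above draws the line that matters: the ADFS token cannot be forged, but the application cookie is the application's own, so a "view the site as role X" feature can be built entirely on the app side without ever pretending to be another user. The following is an added example, not code from the question or either answer. It assumes the cookie and WS-Federation middleware configured in Startup.Auth.cs above, ASP.NET MVC 5, and a role claim "Admin" issued by ADFS; the urn:example claim types and the role names are hypothetical. The admin's Name claim and every other ADFS claim are kept as issued, so audit logs still record who is actually acting; only the role claims are swapped, and the real ones are preserved so the session can be restored.

```csharp
// Added example; not code from the original question or either answer.
// Assumes the OWIN cookie middleware from Startup.Auth.cs above, ASP.NET MVC 5
// and a role claim "Admin" issued by ADFS. The urn:example claim types and the
// role names are hypothetical.
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;

public class ViewAsController : Controller
{
    // Marks a ticket that is temporarily viewing the site as another role.
    private const string ViewAsRoleClaim = "urn:example:view-as-role";
    // Preserves the admin's real roles so the ticket can be restored later.
    private const string OriginalRoleClaim = "urn:example:original-role";

    // Roles an admin may view the site as. "Admin" is deliberately not in the list.
    private static readonly string[] AllowedViewAsRoles = { "Reader", "Editor" };

    // POST /ViewAs/Start  (form field: role=Reader)
    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Admin")]
    public ActionResult Start(string role)
    {
        if (!AllowedViewAsRoles.Contains(role, StringComparer.Ordinal))
            return new HttpStatusCodeResult(400, "unknown role");

        var current = (ClaimsIdentity)User.Identity;
        var viewAs = BuildViewAsIdentity(current, role);

        // Re-issue the application's own cookie ticket. The ADFS token is not touched:
        // the cookie middleware encrypts and signs the ticket, so a non-admin cannot
        // mint one, and Start itself is only reachable with the real Admin role.
        HttpContext.GetOwinContext().Authentication
            .SignIn(new AuthenticationProperties { IsPersistent = false }, viewAs);
        return RedirectToAction("Index", "Home");
    }

    // POST /ViewAs/Stop
    [HttpPost, ValidateAntiForgeryToken, Authorize]
    public ActionResult Stop()
    {
        var current = (ClaimsIdentity)User.Identity;
        if (!current.HasClaim(c => c.Type == ViewAsRoleClaim))
            return new HttpStatusCodeResult(400, "not viewing as another role");

        HttpContext.GetOwinContext().Authentication
            .SignIn(new AuthenticationProperties { IsPersistent = false }, RestoreIdentity(current));
        return RedirectToAction("Index", "Home");
    }

    // Copies the authenticated identity, swaps its role claims for the chosen role and
    // keeps the original roles under OriginalRoleClaim. Name and all other claims stay
    // exactly as ADFS issued them, so logs record the admin, not the role being viewed.
    public static ClaimsIdentity BuildViewAsIdentity(ClaimsIdentity current, string role)
    {
        var claims = current.Claims
            .Where(c => c.Type != current.RoleClaimType)
            .ToList();
        claims.AddRange(current.FindAll(current.RoleClaimType)
            .Select(c => new Claim(OriginalRoleClaim, c.Value)));
        claims.Add(new Claim(ViewAsRoleClaim, role));
        claims.Add(new Claim(current.RoleClaimType, role));
        // Same authentication type as the cookie ticket, so the cookie middleware accepts it.
        return new ClaimsIdentity(claims, current.AuthenticationType,
            current.NameClaimType, current.RoleClaimType);
    }

    // Reverses BuildViewAsIdentity: drops the marker and the substituted role,
    // and reinstates the original role claims.
    public static ClaimsIdentity RestoreIdentity(ClaimsIdentity viewAs)
    {
        var claims = viewAs.Claims
            .Where(c => c.Type != viewAs.RoleClaimType
                     && c.Type != ViewAsRoleClaim
                     && c.Type != OriginalRoleClaim)
            .ToList();
        claims.AddRange(viewAs.FindAll(OriginalRoleClaim)
            .Select(c => new Claim(viewAs.RoleClaimType, c.Value)));
        return new ClaimsIdentity(claims, viewAs.AuthenticationType,
            viewAs.NameClaimType, viewAs.RoleClaimType);
    }
}
```

While a "view as" ticket is active, [Authorize(Roles = "Admin")] pages are closed to the admin, which is the intended effect; Stop is authorized by the marker claim instead, since only the application can issue a cookie ticket carrying it. Two caveats apply: the re-issued ticket is derived from the cached identity, so a role revoked in ADFS mid-session is not noticed until the next real authentication (the same staleness any cookie session has), and anything in the application that logs or displays the user should read the Name claim, which is unchanged, rather than inferring identity from the role.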

Here's how I log in as a different user when using ADFS:

With ADFS 2.0 on Windows, you can configure your ADFS server to use different authentication methods by changing the order of the local authentication types in the web.config file under the c:\windows\inetpub\adfs\ls directory.

Method 1: When ADFS is authenticating using Windows Authentication

Open the browser using different credentials by holding SHIFT and right-clicking the browser link. Then access your app and you will be logged in with whatever credentials the browser is running under.

or

Log out and/or switch user on their workstation.

Method 2: Change the ADFS server to use Forms-based Authentication. Log out of the application.

Sign out of the ADFS server as well, by going to the following link:

https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

Then, go back to the application and log in.
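The two sign-out steps of Method 2 (clear the application's cookie, then hit the wa=wsignout1.0 endpoint on ADFS) can be driven from the application itself with the OWIN middleware already configured in Startup.Auth.cs. The following is an added example, not code from the answer above; it assumes that configuration and ASP.NET MVC 5. Signing out of the WS-Federation authentication type makes the middleware redirect the browser to the ADFS sign-out endpoint, so the ADFS session is ended as well and the next visit produces a fresh login prompt.

```csharp
// Added example; not code from the original answer. Assumes the cookie and
// WS-Federation middleware configured in Startup.Auth.cs and ASP.NET MVC 5.
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;

public class AccountController : Controller
{
    // POST /Account/SignOut. POST plus an anti-forgery token so that a third-party
    // page cannot log the user out (or force a re-login) with a crafted link.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SignOut()
    {
        if (!Request.IsAuthenticated)
            return RedirectToAction("Index", "Home");

        // Clearing the application cookie alone is not enough: the next request would
        // bounce to ADFS, which still holds its own session and would sign the same
        // user straight back in. Signing out of the WS-Federation type makes the
        // middleware redirect the browser to /adfs/ls/?wa=wsignout1.0 on the ADFS
        // server named in the federation metadata, which ends that session too.
        HttpContext.GetOwinContext().Authentication.SignOut(
            CookieAuthenticationDefaults.AuthenticationType,
            WsFederationAuthenticationDefaults.AuthenticationType);

        // The middleware writes the redirect while this response completes;
        // there is nothing further to render.
        return new EmptyResult();
    }
}
```

This only yields a different user when ADFS prompts for credentials, which is why Method 2 switches ADFS to forms authentication first: under Windows Authentication (Method 1) the browser silently re-authenticates with the logged-on Windows account as soon as it is redirected back, so a sign-out round trip changes nothing. The address ADFS returns the browser to after sign-out can be set with the SignOutWreply property of WsFederationAuthenticationOptions if the default is not the page you want.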
