堆栈内存溢出
  简体   繁体   English

在已部署到Azure的Web应用程序中确定登录的用户是否是AD组的成员

[英]Determine if a logged in user is a member of an AD group, in a web app deployed to Azure

 原文  2016-02-18 23:53:39       c#/ .net/ azure/ wif/ azure-active-directory

问题描述

I am using Windows Identity Framework for authentication in my web app deployed to Azure. 我在部署到Azure的Web应用程序中使用Windows Identity Framework进行身份验证。 When I run the app locally, I can use PrincipalContext to see if the user is in a group: 在本地运行应用程序时,可以使用PrincipalContext查看用户是否在组中: 

        PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAIN");

        // find a user
        UserPrincipal user = UserPrincipal.FindByIdentity(ctx, username);

        // find the group in question
        GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "GROUP-NAME");

        if (user != null)
        {
            // check if user is member of that group
            return user.IsMemberOf(group);                
        }

This works locally, but does not work in the app deployed to Azure. 这在本地有效,但在部署到Azure的应用程序中无效。 I'm not sure how to check this information now. 我不确定现在如何检查此信息。 I've seen that the LDAP protocol is not supported in Azure, so that's why it's not working, but I'm not sure the correct way to try and accomplish this now. 我已经看到LDAP协议在Azure中不受支持,因此这就是它不起作用的原因,但是我不确定现在尝试完成此操作的正确方法。 I've read a bit about Group Claims, Application Roles, and the Azure Graph API, but they either seem like overkill, or not the direction I should take. 我已经阅读了一些有关组声明,应用程序角色和Azure Graph API的信息,但是它们看起来像是过大了,或者不是我应该遵循的方向。 Any help? 有什么帮助吗?

1 个解决方案

解决方案1
 2 已采纳  2016-02-19 06:31:33

As you already discovered, that approach does not work in Azure AD - your app is not running in your intranet hence those calls cannot take place. 正如您已经发现的那样,该方法在Azure AD中不起作用-您的应用程序未在Intranet中运行,因此无法进行这些调用。 The standard solution to this is to ensure that Azure AD includes groups in the token sent at sign in time, see this sample . 对此的标准解决方案是确保Azure AD在登录时发送的令牌中包括组,请参见此示例

There are various attention points you need to keep in mind - the main one is that using WIF forces you to rely on WSFederation, and that isn't handy in case you have too many groups: Azure AD avoids issuing large tokens by expecting you to call back to the Azure AD Graph API and retrieve the groups after the fact, but that operation requires more modern protocols like OpenID Connect (as shown in the sample I linked to). 您需要牢记各种注意点-主要的一点是,使用WIF会迫使您依赖WSFederation,如果您有太多的组,这就不方便了:Azure AD通过期望您避免发行大型令牌回调到Azure AD Graph API并在事后检索组,但是该操作需要更现代的协议,如OpenID Connect(如我链接到的示例所示)。

The other challenge is that the groups in the token are represented by their SIDs and not by their names, for security reasons - hence you need to know the SIDS you want to validate against (or call the Graph to retrieve their names). 另一个挑战是,出于安全原因,令牌中的组由其SID而不是其名称表示-因此,您需要知道要针对其进行验证的SIDS(或调用图来检索其名称)。

HTH 高温超导

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 .Net Core Azure AD Cloud 如何登录用户并访问他们的 Azure AD 安全组以确定他们是否在一个组中 - .Net Core Azure AD Cloud how to get logged in user and access their Azure AD Security Groups to determine if they are in a group 在 azure web 应用程序中显示 AD 组中的用户列表 - display list of user in a AD group in azure web app 如何确定用户是Azure Active Directory中成员的组 - how to determine which group a user is a member of in azure active directory 确定AD中的计算机是否有用户登录 - Determine if a computer in AD has a user logged in Azure AD Graph API将成员添加到组 - Azure AD Graph API add member to group 使用AD身份验证从Azure Web App获取用户 - Obtain user from Azure Web App using AD authentication 确定用户是否在.NET 4.0应用程序的AD组中 - Determine if user is in AD group for .NET 4.0 application 如何测试AD用户是否是本地组的成员 - How to test if AD User is a member of a local group Web 应用程序在运行本地主机时获取登录用户名,但在部署时不获取 - Web App picks up logged in user name when running localhost but not when deployed 如何确定帐户的类型(AD 用户与 AD 组)? - How to determine the type (AD User vs. AD Group) of an account?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM