asp.net mvc网站的Azure活动目录用户组标识
[英]azure active directory user group identification for asp.net mvc website
问题描述
I'm actually making a website, in asp.net MVC, witch is accessible with azure active directory account sign-in. 
我实际上是在asp.net MVC中制作一个网站,可以通过azure活动目录帐户登录来访问witch。 This part works great. 这部分效果很好。 But now, I want to make roles based on who is signed-in so they can access to different content. 但是现在,我想根据登录者来创建角色,以便他们可以访问不同的内容。
I made a group in my azure active directory for admins and I tried this solution but it's not really working well : 我在我的azure活动目录中为管理员创建了一个小组,并尝试了此解决方案,但效果并不理想:
if (principal.Claims.Any(x => x.Type == "groups" && x.Value == "id of the admin group")){ give admin rights}
Did someone knows a better solution or what's wrong with mine ? 有人知道更好的解决方案,或者我的问题是什么?
Thanks in advance. 提前致谢。
2 个解决方案
解决方案1
0 2016-03-21 17:41:18
I'm assuming you've created an Azure AD "Application" that you're using. 我假设您已经创建了正在使用的Azure AD“应用程序”。
The trick is that you need to modify the "Manifest" for the application to allow you to query for groups. 诀窍是您需要修改应用程序的“清单”以允许您查询组。
There isn't a UI for this in the portal, you have to just download the manifest, make the change, then upload it. 门户中没有用于此的UI,您只需要下载清单,进行更改然后上载即可。 Clunky at best. 充其量是笨拙的。
You want to find the key "GroupMembershipClaims" and set it to "SecurityGroup". 您想找到键“ GroupMembershipClaims”并将其设置为“ SecurityGroup”。 If you set it to all then you'll get email groups as well. 如果将其全部设置,那么您还将获得电子邮件组。 The problem here is that you get a list of all the users groups and all the groups those groups belong to. 这里的问题是您获得了所有用户组以及这些组所属的所有组的列表。 In a large company, that could be a lot! 在一家大公司中,可能很多!
You next have to call back to get the group info which means getting a token. 接下来,您必须回叫以获取组信息,这意味着获得令牌。
If you generated the MVC app in Visual Studio and told it you wanted to use Azure AD it sticks in much of the plumbing, but there is a bug in the template. 如果您在Visual Studio中生成了MVC应用,并告诉您要使用Azure AD,则它会占用很多管道,但是模板中存在错误。 When it tries to persist the tokens, it will always retrieve the first token in the list, not the most recent . 当尝试保留令牌时,它将始终检索列表中的第一个令牌,而不是最新的令牌。 That means your demo works today, but fails tomorrow... 这意味着您的演示今天可以运行,但明天会失败...
You can search for info on the ADAL library for more info. 您可以在ADAL库中搜索信息以获取更多信息。 I recommend reading Modern Authentication with Azure Active Directory for Web Applications by Vittorio Bertocci for real insights into how it all works. 我建议阅读Vittorio Bertocci撰写的《使用Web应用程序的Azure Active Directory for Web Active Directory进行现代身份验证》,以获取有关其全部工作原理的真知灼见。
解决方案2
0 2016-03-22 07:45:27
You could refer to some tutorials https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure , https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-powershell/ , help you to manage access. 你可以参考一些教程https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure , https://azure.microsoft.com/en-us/documentation/ articles / role-based-access-control-manage-access-powershell / ,可帮助您管理访问。
Assign role to user/group/app... 将角色分配给用户/组/应用...
Keep contact if you have any questions. 如有任何疑问,请保持联系。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.