简体繁体 English

使用ADFS实施单点登录

[英]Implementing Single Sign on using ADFS

原文 2016-08-16 11:34:04 3 3 single-sign-on/ kerberos/ saml-2.0/ adfs2.0/ spring-security-kerberos

I am new to ADFS/SSO world and currently working on feature to implement Single Sign On (SSO) using AD FS for our Java based web application and Windows native agent. 我是ADFS / SSO领域的新手，目前正在研究使用AD FS为基于Java的Web应用程序和Windows本机代理实现单点登录（SSO）的功能。

Below are our requirement : 以下是我们的要求：

Users should be logged in automatically(Without asking for username/password) to our windows agent if they have logged into their system using their domain credentials. 如果用户已使用域凭据登录到系统，则应自动登录Windows代理（无需输入用户名/密码）。
The solution should work even if they are outside the corporate network 该解决方案即使在公司网络之外也应该有效

I have been reading on Internet but things are still confusing. 我一直在互联网上阅读，但情况仍然令人困惑。 I have following questions : 我有以下问题：

Will kerberos based authentication suits my requirement? 基于kerberos的身份验证是否适合我的要求？
Can It be integrated with AD FS? 可以与AD FS集成吗？ So that the solution will work even if the user is not in corporate network? 这样，即使用户不在公司网络中，该解决方案也能正常工作？
Or are there any other solutions? 还是有其他解决方案？ Our Product is Java based and uses Spring framework. 我们的产品基于Java，并使用Spring框架。

Thanks in Advance, Praveen 在此先感谢，Praveen

3 个解决方案

Users should be logged in automatically 用户应自动登录

This will work if the browser is correctly configured for IWA 如果为IWA正确配置了浏览器，这将起作用

The solution should work even if they are outside the corporate network 该解决方案即使在公司网络之外也应该有效

No - Kerberos won't work so you have to use FBA 否-Kerberos无法使用，因此您必须使用FBA

Can It be integrated with AD FS? 可以与AD FS集成吗？ So that the solution will work even if the user is not in corporate network? 这样，即使用户不在公司网络中，该解决方案也能正常工作？

Yes - you need to install ADFS WAP as well. 是的-您还需要安装ADFS WAP。 Use split DNS. 使用拆分DNS。 Internal users direct to ADFS == IWA. 内部用户直接访问ADFS == IWA。 External users direct to WAP = FBA. 外部用户直接转到WAP = FBA。

Our Product is Java based and uses Spring framework 我们的产品基于Java，并使用Spring框架

Use Spring SAML 使用Spring SAML

For desktop, you have a problem. 对于台式机，您有问题。 SAML relies on browser redirects so you need an embedded browser or something. SAML依赖于浏览器重定向，因此您需要嵌入式浏览器或其他工具。 You could use OpenID Connect / OAuth (REST API) but you have tagged the question with ADFS 2.0 which has no such support. 您可以使用OpenID Connect / OAuth（REST API），但已使用不支持此功能的ADFS 2.0标记了该问题。

In the Windows world (WPF, console via C# etc.), desktop connects to ADFS via WCF. 在Windows世界（WPF，通过C＃等的控制台）中，桌面通过WCF连接到ADFS。

Actually, in ADFS 2016, with Windows 10 domain joined devices, they can also be Azure AD registered. 实际上，在Windows 10域加入设备的ADFS 2016中，它们也可以通过Azure AD注册。 With device write back of this, there is a SSO artifact from ADFS that is integrated into Windows 10 desktop login. 借助设备的写回操作，ADFS中提供了一个SSO工件，该工件已集成到Windows 10桌面登录中。 In this world, you will also get desktop SSO from the extranet. 在这个世界上，您还将从Extranet获得桌面SSO。

For your Java app, you should use spring-webmvc-pac4j for Spring MVC or j2e-pac4j with only J2E filters (or at worst: spring-security-pac4j with Spring Security) + pac4j-saml for ADFS + pac4j-oauth if want to use the OAuth protocol + pac4j-oidc if you want to use the OpenID Connect protocol. 对于Java应用程序，应将Spring - MVC的spring-webmvc-pac4j或仅具有J2E过滤器的j2e-pac4j （或最糟糕的是，具有Spring Security的spring-security-pac4j ）和pac4j-saml用于ADFS + pac4j-oauth如果要使用OpenID Connect协议，请使用OAuth协议+ pac4j-oidc 。