多次验证Web应用程序多个azure广告?
[英]Authenticate web application agains multiple azure ad?
问题描述
I am thinking about developing in general a web application for enterprise. 
我正在考虑开发一般的企业Web应用程序。 What i am thinking about is following scenario: 我在想的是以下场景:
The application should be able to serve multiple customers (called multitenancy?). 该应用程序应该能够为多个客户提供服务(称为多租户?)。 That means that multiple companies could use the software for their employees. 这意味着多家公司可以将该软件用于其员工。
Each of them could have a own azure ad or maybe not. 他们每个人都可以拥有自己的天蓝色广告,也可能没有。 Therefore i would like to know if it is possible to authenticate against multiple/different azure ad's? 因此,我想知道是否可以对多个/不同的azure广告进行身份验证?
Lets assume that a user types in his email address user1@companyA.com then i would try to authenticate him against the ad whihc is configured behind the companyA.com ad, when someone tries to login with user361@companyB.com then i would try to authenticate against azure ad which is configured for companyB.com. 让我们假设用户输入他的电子邮件地址user1@companyA.com然后我会尝试根据在companyA.com广告后面配置的广告对他进行身份验证,当有人尝试使用user361@companyB.com登录然后我会尝试对针对companyB.com配置的azure广告进行身份验证。
Is this possible? 这可能吗? How could i do this? 我怎么能这样做?
1 个解决方案
解决方案1
8 已采纳 2017-02-18 15:32:39
That is the exact reason why multi-tenant applications exist. 这就是多租户应用程序存在的确切原因。 So a user from any Azure AD can sign in to your application. 因此,任何Azure AD中的用户都可以登录您的应用程序。
The way it works is like this: 它的工作方式是这样的:
- You define the application in your Azure AD tenant, including any permissions it might require (like ability to read data from the Azure AD Graph/access user's OneDrive through Microsoft Graph etc.) 您可以在Azure AD租户中定义应用程序,包括它可能需要的任何权限(例如,通过Microsoft Graph等从Azure AD Graph /访问用户的OneDrive读取数据的能力)
- When defining the app, set it as multi-tenant. 定义应用程序时,将其设置为多租户。
- Now when a user from another organization tries to sign in to your app, they will be presented with a consent screen. 现在,当来自其他组织的用户尝试登录您的应用时,系统会向他们显示同意屏幕。 This screen describes your application and the permissions it requires on their directory. 此屏幕描述了您的应用程序及其目录所需的权限。
- Once they give their consent for the permissions the app requires, a service principal is created for the app in their directory. 一旦他们同意应用程序所需的权限,就会在其目录中为应用程序创建服务主体 。 This principal is sort of like an account for the application that now exists in their directory . 此主体有点像现在存在于其目录中的应用程序的帐户。
- They will then be forwarded back to your app. 然后他们会转发回您的应用。
There are a couple important things to note on your app's side: 您的应用程序有几个重要的事项要注意:
- You must redirect users to login at
https://login.microsoftonline.com/common/oauth2/authorizeinstead of the tenant-specific endpoint.您必须将用户重定向到https://login.microsoftonline.com/common/oauth2/authorize而不是特定于租户的端点。 - With OpenIDConnect middleware in ASP.NET MVC, you must turn off issuer validation, and do it a bit manually (you have to check the tenant has actually signed up before) 使用ASP.NET MVC中的OpenIDConnect中间件,您必须关闭颁发者验证,并手动执行此操作(您必须检查租户之前是否已实际注册)
More about single vs multi-tenant: http://www.andrewconnell.com/blog/azure-ad-what%E2%80%99s-the-difference-between-single-vs-multi-tenant 有关单租户与多租户的更多信息: http : //www.andrewconnell.com/blog/azure-ad-what%E2%80%99s-the-difference-between-single-vs-multi-tenant
Example multi-tenant app (ASP.NET MVC): https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect 示例多租户应用程序(ASP.NET MVC): https : //github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.