使用asp.net角色实现ADFS
[英]Implement ADFS with asp.net roles
问题描述
I have been working on a project where I have a simple web page integrated with AD FS. 
我一直在一个项目中,在该项目中,我有一个与AD FS集成的简单网页。 The authentication and website are working as expected. 身份验证和网站按预期工作。 I am using VS 2015. My goal is to limit what users can access at the site, "roles" from what I have read and researched. 我正在使用VS2015。我的目标是限制用户可以在网站上访问的内容,“限制”我所阅读和研究的内容。 If the logged on user is an admin, grant full access, but if logged on as a regular user limit what pages are available. 如果登录的用户是管理员,则授予完全访问权限,但是如果以普通用户身份登录,则限制了哪些页面可用。
Here is the scenario, go to my project URL which is redirected to AD FS sign on, after successful sign on you are at my website. 在这种情况下,成功登录到您的网站后,转到我的项目URL,该URL重定向到AD FS登录。 Not much to it. 没什么。
I have read so much online about different ways to achieve my goal that I am unsure which course is best or simplest to configure. 我已经在线阅读了很多有关实现目标的不同方法的信息,因此我不确定哪门课程最好或最简单地配置。 What are my best options here? 我最好的选择是什么? Keep in mind I have never developed in asp or any other code for that matter. 请记住,我从来没有用过ASP或任何其他代码开发过此内容。 Any help would be appreciated. 任何帮助,将不胜感激。
2 个解决方案
解决方案1
2 2017-04-04 13:30:55
There is policy based authorization that is probably the current best practice, however it sounds like role based authorization may be sufficient for you. 基于策略的授权可能是当前的最佳实践,但是听起来基于角色的授权可能已足够。
To perform role based authorization you'll first need to setup a claim rule in your ADFS for the Relying Party Trust of your application that sends the Role claim type " http://schemas.microsoft.com/ws/2008/06/identity/claims/role ". 要执行基于角色的授权,您首先需要在ADFS中为发送“角色声明”类型“ http://schemas.microsoft.com/ws/2008/06/identity ”的应用程序的依赖方信任关系设置声明规则/ claims / role ”。 The claim rule would look like this, 索赔规则如下所示:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
Then when your roles arrive at your application in these claims, you'll process them with Windows Identity Foundation (WIF), which is integrated into .NET Framework 4.5+. 然后,当这些角色中的角色到达您的应用程序时,您将使用Windows Identity Foundation(WIF)处理它们,该身份已集成到.NET Framework 4.5+中。 I believe referencing System.Security.Claims is sufficient to get WIF in your project for processing roles. 我相信引用System.Security.Claims足以在您的项目中获得WIF来处理角色。 This "processing" however is done for you by WIF. 但是,此“处理”是由WIF为您完成的。
At this point you should be able to simply decorate controllers and methods like the following to perform role based authorization, with these Roles equating to the names of groups you are a member of in Active Directory. 此时,您应该能够简单地装饰如下的控制器和方法,以执行基于角色的授权,这些角色等同于您在Active Directory中所隶属的组的名称。
[Authorize(Roles = "Administrators")]
public class AdminController : Controller
{
}
解决方案2
1 2017-04-04 19:25:20
Just for interest, there are other ways to do this. 只是出于兴趣,还有其他方法可以做到这一点。
Once you have the roles, you can use IsInRole(role). 拥有角色后,就可以使用IsInRole(role)。
You can also use the web.config eg 您也可以使用web.config例如
<location path="Page.aspx">
<system.web>
<authorization>
<allow roles="Admin, OtherAdmin" />
<deny users="*" />
</authorization>
</system.web>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.