Azure ACS替代ADFS移动身份验证
[英]Azure ACS alternative for ADFS mobile authentication
问题描述
I've been using azure ACS to authenticate my mobile clients with corporate ADFS to my asp.net server app. 
我一直在使用azure ACS来验证我的移动客户端与企业ADFS到我的asp.net服务器应用程序。 I managed not only to have it working nicely in the web browser but also on mobile apps (with webview to get a jwt token that would then be sent to the server to be validated and generate the app auth token). 我设法不仅让它在Web浏览器中运行良好,而且还运行在移动应用程序上(使用webview获取一个jwt令牌,然后将其发送到服务器进行验证并生成应用程序身份验证令牌)。
But unfortunately Azure ACS is being discontinued so I have to look for an alternative. 但不幸的是,Azure ACS正在停产,因此我不得不寻找替代方案。
Using this article I managed to have ADFS auth directly without any external service and that is a HUGE plus for me since some customers might have internet restrictions on their intranet. 使用这篇文章我设法直接使用ADFS auth,没有任何外部服务,这对我来说是一个巨大的优势,因为一些客户可能在他们的内部网上有互联网限制。
The problem begins when trying to also implement this for the native clients (Windows WPF, Android and iOS) since I can't find a solution for these cases. 当尝试为本机客户端(Windows WPF,Android和iOS)实现此问题时,问题就开始了,因为我无法找到针对这些情况的解决方案。
ADAL for Android and iOS seems to require Windows Server 2012 R2 . 适用于Android和iOS的ADAL 似乎需要Windows Server 2012 R2 。 This restriction is a big no no. 这种限制是一个很大的禁忌。
I found a 3rd party auth provider Auth0 but I really want to avoid external services. 我找到了第三方auth提供商Auth0,但我真的想避免外部服务。
There's also Azure B2C Authentication but it has the same issue of external services. 还有Azure B2C身份验证,但它有相同的外部服务问题。
Is there a way to implement what I had with Azure ACS directly on ADFS? 有没有办法直接在ADFS上实现Azure ACS的功能? What I need is a way to get a jwt token (or even SAML2 token) directly from ADFS. 我需要的是一种直接从ADFS获取jwt令牌(甚至SAML2令牌)的方法。
2 个解决方案
解决方案1
0 2017-05-30 02:37:22
ACS uses WS-Fed which is what that sample uses as the protocol. ACS使用WS-Fed,该样本用作协议。
Mobile devices use OAuth which is why you need ADFS 3.0 (limited support) or ADFS 4.0 (full support plus OpenID Connect). 移动设备使用OAuth,这就是您需要ADFS 3.0(有限支持)或ADFS 4.0(完全支持以及OpenID Connect)的原因。
If you just want ADFS to return a JWT token instead of a SAML one, refer to this article . 如果您只想让ADFS返回JWT令牌而不是SAML令牌,请参阅本文 。
Set-ADFSRelyingPartyTrust –TargetIdentifier 'urn:MyWebApp' –EnableJWT $true
However, that requires ADFS 3.0. 但是,这需要ADFS 3.0。
The other way is to use WCF. 另一种方法是使用WCF。 This invokes the WS-Fed active profile which returns a SAML token as a web service as per this article . 这将调用WS-联储活动的配置文件,它返回一个SAML令牌为Web服务按照此文章 。
解决方案2
0 已采纳 2017-05-31 13:06:46
I created a custom solution for my needs. 我为自己的需求创建了自定义解决方案。 Basically I implemented a solution akin to ACS flow. 基本上我实现了类似于ACS流程的解决方案。
The apps load a special login page on a webview that redirects the browser to the ADFS challenge page with a final callback to my webapp. 应用程序在webview上加载一个特殊的登录页面,将浏览器重定向到ADFS质询页面,最后回调到我的webapp。 There I notify the app with the token by the usage of notification javascript call like ACS does: 在那里,我通过使用通知javascript调用通知应用程序,如ACS所做的:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Loading...</title>
<script type="text/javascript">
try{
window.external.notify('@ViewBag.Result');
}
catch(err){
alert("Error ACS50021: window.external.notify is not registered.");
}
</script>
</head>
<body>
</body>
</html>
This way my app will not handle the user credentials directly and I no longer need external services :) 这样我的应用程序将无法直接处理用户凭据,我不再需要外部服务:)
And unlike ACS I have direct control on the last step and I can export the token via a redirect to a custom protocol that helps the implementation on iOS (on ACS we had to inject javascript to the page in the webview to achieve this). 与ACS不同,我可以直接控制最后一步,我可以通过重定向将令牌导出到自定义协议,帮助在iOS上实现(在ACS上我们必须将javascript注入到webview中的页面来实现这一点)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.