Azure Active Directory与自定义RBAC集成
[英]Azure Active Directory Integration with Custom RBAC
问题描述
We have our own web application which performs access control based on the username and associated roles defined locally and maintained in the local database 
我们有自己的Web应用程序,它根据本地定义的用户名和相关角色执行访问控制,并在本地数据库中维护
I need to integrate our application with "Azure AD" to avail single sign-on (SSO) so that with the same user-name , we can integrate and access other SaaS applications as well. 我需要将我们的应用程序与“Azure AD”集成以利用单点登录(SSO), 以便使用相同的用户名 ,我们也可以集成和访问其他SaaS应用程序。 I think I can achieve this with "Azure ADAL APIs" and "Graph APIs". 我想我可以通过“Azure ADAL API”和“Graph API”实现这一目标。
However, I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication. 但是,我想了解如何为“Azure AD”定义自定义用户属性和角色,以便在身份验证时与我们的应用程序共享属性和角色。 This is required for our web application to provide Access Control ( based on user id and role) without defining roles locally. 这是我们的Web应用程序在不在本地定义角色的情况下提供访问控制(基于用户ID和角色)所必需的。 I am not sure how to achieve this?. 我不确定如何实现这个目标?
Please let me know if it is feasible and what is the best option to achieve the same. 如果可行,请告诉我,实现相同目标的最佳选择是什么。
2 个解决方案
解决方案1
3 2018-09-19 08:36:42
I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication.
You need to look at the Application Roles related functionality with Azure AD to implement your custom RBAC. 您需要查看与Azure AD相关的应用程序角色功能,以实现自定义RBAC。 It should most probably provide you what you're looking for. 它应该最有可能为您提供您正在寻找的东西。
On a side note, I've seen cases where people chose to do some authorization logic based on which groups the users belonged to. 另外,我看过人们根据用户所属的群体选择做一些授权逻辑的情况。 This is just information and not something you need to do. 这只是信息,而不是您需要做的事情。
I'm sharing samples related to both, Roles and Groups in this answer, but definitely look at Application Roles first and once you understand them clearly, you can decide to use Application Roles, Groups or a combination of both Roles and Groups (very possible) for your Authorization strategy. 我在这个答案中分享了与角色和组相关的样本,但是首先要明确看看应用程序角色,一旦你清楚地理解它们,你就可以决定使用应用程序角色,组或角色和组的组合(很可能) )用于您的授权策略。
Application Roles 应用角色
Microsoft Documentation - Application Roles Microsoft文档 - 应用程序角色
Purpose - These roles are defined in the Application Manifest for an application that your organization is developing and that is registered in your Azure Active Directory. 用途 - 这些角色在应用程序清单中为您的组织正在开发并在Azure Active Directory中注册的应用程序定义。 These roles are very specific to your application and can be used in application's code to implement Authorization logic for the authenticated users. 这些角色非常特定于您的应用程序,可以在应用程序的代码中用于为经过身份验证的用户实现授权逻辑。
Sample Application (that uses this concept and does what you're looking for) - 示例应用程序 (使用此概念并执行您正在寻找的内容) -
Authorization in a web app using Azure AD application roles & role claims 使用Azure AD应用程序角色和角色声明在Web应用程序中进行授权
Quick Explanation 快速解释
1) Once you register your application with Azure AD, you can define custom roles (specific to your application) by editing the application manifest (JSON) in Azure AD. 1)通过Azure AD注册应用程序后,您可以通过编辑Azure AD中的应用程序清单(JSON)来定义自定义角色(特定于您的应用程序)。
Here's a sample JSON of what application role definition would look like: 以下是应用程序角色定义的示例JSON:
"appRoles":
[
{
"allowedMemberTypes": [
"User"
],
"description": "Creators can create Surveys",
"displayName": "SurveyCreator",
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"isEnabled": true,
"value": "SurveyCreator"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Administrators can manage the Surveys in their tenant",
"displayName": "SurveyAdmin",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"value": "SurveyAdmin"
}
]
2) You will be able to assign these roles to Users/Groups/applications through Azure Portal or programmatically. 2)您将能够通过Azure门户或以编程方式将这些角色分配给用户/组/应用程序。 (you could control the allowed member types for roles) (您可以控制角色允许的成员类型)
3) Now when the end users sign in to your application, the incoming Azure AD token will provide you a collection of role claims (based on whatever roles are assigned to the user) and you can take authorization decisions in your application. 3)现在,当最终用户登录到您的应用程序时,传入的Azure AD令牌将为您提供一组角色声明(基于分配给用户的任何角色),您可以在应用程序中执行授权决策。
if (context.User.HasClaim(ClaimTypes.Role, "Admin")) { ... }
Groups 组
Groups can have multiple users or other groups as members. 组可以有多个用户或其他组作为成员。 Again management of groups is possible through Azure Portal or programmatically. 再次通过Azure门户或以编程方式管理组。
NOTE : Groups are totally independent of your application, ie Azure AD groups can and do exist to serve a purpose of grouping members even without your application. 注意 :组完全独立于您的应用程序,即Azure AD组可以并且确实存在,即使没有您的应用程序也可以用于对成员进行分组。 Application Roles on the other hand are very specific to your application, they don't mean much to anyone except your application. 另一方面,应用程序角色非常适合您的应用程序,除了您的应用程序之外,它们对任何人都没有多大意义。
Sample app which makes decisions based on Groups 基于组做出决策的示例应用程序
Authorization in a web app using Azure AD groups & group claims 使用Azure AD组和组声明在Web应用程序中进行授权
解决方案2
0 2018-09-19 19:25:15
You've marked this SAML so I assume you want to do this via a custom SAML application? 您已标记此SAML,因此我假设您要通过自定义SAML应用程序执行此操作?
If so, you need to provision Azure AD via the Graph API from your custom repository. 如果是这样,您需要通过自定义存储库中的Graph API配置Azure AD。
If Azure AD does not have the attribute you need, create an extension attribute . 如果Azure AD没有您需要的属性,请创建扩展属性 。
In the SAML connection, you can configure what attributes are passed (this includes roles). 在SAML连接中,您可以配置传递的属性(包括角色)。
Note: the ADAL libraries are for OpenID Connect, not for SAML. 注意: ADAL库适用于OpenID Connect,不适用于SAML。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.