堆栈内存溢出
  简体   繁体   English

如何为 Sass 应用程序使用 Azure 广告多租户

[英]How to use Azure Ad multitenant for Sass Application

 原文  2022-08-30 08:17:44       c#/ azure/ asp.net-core/ azure-active-directory/ identity

问题描述

We want to build a Sass application.我们要构建一个 Sass 应用程序。 We separated individual servers/instances and DB for every customer.我们为每个客户分离了单独的服务器/实例和数据库。 Our sass model:我们的 sass model:

在此处输入图像描述

As part of our app, we want to use Azure Ad (Multitenant) for Identity management.作为我们应用程序的一部分,我们希望使用 Azure 广告(多租户)进行身份管理。 We have a few cases:我们有几个案例:

  • Our few customers don't have organizational email then how can we manage them in Azure ad (they have maybe Gmail)我们的少数客户没有组织 email 那么我们如何在 Azure 广告中管理它们(他们可能有 Gmail)
  • We decided to set application-level roles/permission for every API endpoint, for this scenario how to manage those roles/permission in the azure ad, Who is responsible for assigning those roles to every client's users after onboarding?我们决定为每个 API 端点设置应用程序级角色/权限,对于这种情况,如何在 azure 广告中管理这些角色/权限,谁负责在入职后将这些角色分配给每个客户的用户?
  • For every company, we have a users limit then how can we restrict a company's users (like only 5 users from a company able to use our application)对于每家公司,我们都有用户限制,那么我们如何限制公司的用户(比如公司中只有 5 个用户可以使用我们的应用程序)
  • We have a special case like module-based permission for our customers.我们为客户提供了一种特殊情况,例如基于模块的许可。 How can we manage this?我们该如何管理呢?

When an organization/company starts to use our application, If we want to give them an admin panel where they are able to manage their permission-related stuff, like adding or removing roles to their users, is it possible?当一个组织/公司开始使用我们的应用程序时,如果我们想给他们一个管理面板,让他们能够管理他们的权限相关的东西,比如向他们的用户添加或删除角色,这可能吗? (all roles/permissions are fixed from our side, they only assigned those roles to their users) (所有角色/权限在我们这边都是固定的,他们只将这些角色分配给他们的用户)

1 个解决方案

解决方案1
 0  2022-08-30 08:51:19

++Our few customers don't have organizational email then how can we manage them in Azure ad ++我们的少数客户没有组织 email 那么我们如何在 Azure 广告中管理它们

->You can invite them into the tenant, then they can use their gmail account to sign in the tenant. ->您可以邀请他们加入租户,然后他们可以使用他们的 gmail 帐户登录租户。

++set application-level roles/permission for every API endpoint... how to manage... responsible for assigning.. ++为每个API端点设置应用程序级角色/权限...如何管理...负责分配...

->I can't understand it but I think it's based on your requirement, user who has admin role may take the responsibility. ->我看不懂,但我认为这是基于您的要求,具有管理员角色的用户可能会负责。

++have a users limit then how can we restrict a company's users... ++有用户限制那么我们如何限制公司的用户...

->follow this document to set who can use the azure ad application you registered for the authentication to sign in the application. ->按照此文档设置谁可以使用您注册的azure广告应用程序进行身份验证登录应用程序。

++module-based permission for our customers ++为我们的客户提供基于模块的权限

-> role management? -> 角色管理?

++adding or removing roles to their users, is it possible ++向用户添加或删除角色,是否可能

-> if there's no admin panel for each company, then you may follow this answer to set role for users and validate if the access token contained correct role so that this user can access the page. -> 如果每个公司都没有管理面板,那么您可以按照此答案为用户设置角色并验证访问令牌是否包含正确的角色,以便该用户可以访问该页面。

Let's assume you had an application which has a frontend app as the client and an web api project as the server.假设您有一个应用程序,它有一个前端应用程序作为客户端,一个 web api 项目作为服务器。 Then in the front app, you need to integrate msal lib to let users sign in with their user@xx.onmicrosoft.com account or gmail account.然后在前面的app中,需要集成msal lib,让用户使用user@xx.onmicrosoft.com账号或者gmail账号登录。 Then the frontend app need to generate access token and call api via it.然后前端应用程序需要生成访问令牌并通过它调用 api。 The token should contain enough information so that the api can validate if the token had enough priority to get the data.令牌应包含足够的信息,以便 api 可以验证令牌是否具有足够的优先级来获取数据。 And in the frontend app, you also need to control the page direct via the access token or id token .而在前端应用程序中,您还需要通过access tokenid token直接控制页面。

Then here's the official sample document.然后这里是官方的示例文档。

In the end, azure ad provides user management and sign in feature.最后,azure 广告提供了用户管理和登录功能。 It also provides api management feature.它还提供 api 管理功能。 If you have any other questions, I recommend you creating a new question with more specific requirement.如果您有任何其他问题,我建议您创建一个具有更具体要求的新问题。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure AD多租户权限 - Azure AD multitenant permissions Azure AD 多租户应用程序 - 检查用户是否有权使用我的应用程序 - Azure AD multitenant app - check if user is authorized to use my app Azure AD多租户WebApi承载授权配置 - Azure AD Multitenant WebApi Bearer Authorization Configuration 如何使用 Azure AD 对同一应用程序的多个实例进行身份验证 - How to use Azure AD for authentication for multiple instances of same application 如何将 Azure AD 身份验证与 Redis 缓存结合使用 - How to use Azure AD authentication with Redis Cache 如何为Azure AD创建和使用刷新令牌 - How to create and use a refresh token for Azure AD 如何在桌面应用程序中从Azure AD 2.0 / MSAL注销? - How to sign out from Azure AD 2.0/MSAL in a desktop application? 如何在我的 web 表单应用程序中调用 Azure AD 服务 - how to call Azure AD service in my web form application 无法登录多租户应用程序 - Unable to login in multitenant application 如何使用Web应用程序/ WebAPI验证Azure AD中的用户凭据 - How to validate user credentials in Azure AD with Web application / WebAPI
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM