简体繁体 English

使用ASP.Net Web应用程序单点登录

[英]Single sign on with ASP.Net Web Application

原文 2009-09-02 08:49:59 6 3 c#/ asp.net/ iis/ single-sign-on

Client requires major applications to provide users with “single sign on” authentication feature based on the corporate solution (Active Directory). 客户端需要主要的应用程序才能为用户提供基于公司解决方案（Active Directory）的“单点登录”身份验证功能。 This means the business application trusts the credentials provided by the browser and does not request user to provide standard login/password pair. 这意味着业务应用程序信任浏览器提供的凭据，并且不请求用户提供标准的登录名/密码对。 The server/browser trust is built on Windows Integrated Authentication mechanism. 服务器/浏览器信任建立在Windows集成身份验证机制上。

Ours is an ASP.Net Web application on dot net framework 2.0 hosted on IIS 5.We need to implement the SSO feature.How do we do it? 我们的是基于IIS 5托管的基于dot net framework 2.0的ASP.Net Web应用程序。我们需要实现SSO功能，我们该怎么做？

3 个解决方案

I'm pretty sure this is the same requirements that almost all intranet apps follow. 我很确定这几乎是所有Intranet应用程序都遵循的要求。

If you just enabled Windows Integrated Logins in IIS, then you'll be set for the #1 item. 如果您刚刚在IIS中启用了Windows Integrated Logins，则将被设置为第一项。

I don't know if #2 is even possible, because it conflicts with your other requirement. 我什至不知道＃2是否可能，因为它与您的其他要求冲突。 The browser only passes the locally logged in user's credentials (as required by #1). 浏览器仅传递本地登录用户的凭据（按＃1的要求）。 If you built a web form to authenticate via AD, then you would be in violation of the requirements listed in your narrative/paragraph. 如果您构建了一个通过AD进行身份验证的Web表单，那么您将违反叙述/段落中列出的要求。

What do your clients think #2 really means? 您的客户认为＃2的真正含义是什么？ What do they want here? 他们在这里想要什么？ A way to log in as a different user? 一种以其他用户身份登录的方法？ They can just log off the computer and log in as the other user. 他们可以注销计算机并以其他用户身份登录。

In general, SSO requirements are best addressed by Claims-based protocols such as WS-Federation or SAML 2.0. 通常，通过基于声明的协议（例如WS-Federation或SAML 2.0）可以最好地满足SSO要求。 In principle, you can implement these protocols yourself since they are open standards, but it requires a lot of specialist knowledge. 原则上，您可以自行实现这些协议，因为它们是开放标准，但是它需要大量专业知识。

The new Windows Identity Foundation (formerly known as Geneva framework) contains protocol implementations that can enable SSO scenarios, although it will require you to upgrade your platform. 新的Windows Identity Foundation（以前称为Geneva框架）包含可以实现SSO方案的协议实现，尽管它需要您升级平台。

Use Custom Forms Auth instead that wont ask user to enter ID and password. 请改用“自定义表单身份验证”，它不会要求用户输入ID和密码。

Prerequisites: 1> Database table having user details such as email, role etc 2> Enterprise active directory where user profiles are stored 3> Write a VBCOM or ActiveX or other components that can read user's domain and name from the windows machine through browser. 先决条件：1>具有用户详细信息（例如电子邮件，角色等）的数据库表2>存储用户配置文件的企业活动目录3>编写VBCOM或ActiveX或其他组件，这些组件可以通过浏览器从Windows计算机读取用户的域名和名称。

Steps: On pageload for all the forms call the component<3> to connect to Active Directory<2>. 步骤：在所有表单的页面加载时，调用component <3>以连接到Active Directory <2>。 That method should read current user's name, domain from windows system. 该方法应从Windows系统读取当前用户的名称，域。 Search AD with these details. 使用这些详细信息搜索广告。 If exists then query and extract the email address or whichever is the unique key in the AD user profile. 如果存在，则查询并提取电子邮件地址或AD用户配置文件中的唯一密钥。 Using this key query the database<1> where you stored application specific user details such as email, roles. 使用此键查询数据库<1>，您在其中存储了应用程序特定的用户详细信息，例如电子邮件，角色。 If user email from AD match with email in Table then grant the user appropriate rights else deny access if user does not exist or role is null/restricted. 如果来自AD的用户电子邮件与表中的电子邮件匹配，则授予用户适当的权限，否则，如果用户不存在或角色为空/受限，则拒绝访问。 If valid user then create a cookie that is encrypted and can be read by other applications to really implement any sort of SSO. 如果是有效用户，则创建一个加密的cookie，其他应用程序可以读取它以真正实现任何类型的SSO。