通过 ADFS 对 web 服务的用户进行身份验证
[英]Authenticate user of web service via ADFS
问题描述
I was hoping that someone could confirm my understanding (or lack thereof.) of ADFS with respect to WCF.
我希望有人能证实我对 WCF 的 ADFS 的理解(或缺乏)。
I've even drawn a pretty diagram.我什至画了一个漂亮的图表。
"Bob" uses a web app, which is hosted on Client's domains. “Bob”使用托管在客户域上的 web 应用程序。 Client authenticates Bob via AD.客户端通过 AD 对 Bob 进行身份验证。 However the web app uses a WCF service developed and hosted on Supplier.然而,web 应用程序使用在供应商上开发和托管的 WCF 服务。
There has been trust established between Client and Supplier.客户和供应商之间建立了信任。
My question - when the Web App uses the WCF Service, I would like the WCF service to re-authenticate "Bob", and the WCF service can then use the Claims returned by the ADFS server which is on the client. My question - when the Web App uses the WCF Service, I would like the WCF service to re-authenticate "Bob", and the WCF service can then use the Claims returned by the ADFS server which is on the client.
Is this picture right?这张图对吗?
1 个解决方案
解决方案1
3 已采纳 2011-07-06 18:18:55
Almost.几乎。 Move the arrows between the Web service and ADFS (the IP-STS) to be between the Web app and ADFS.将 Web 服务和 ADFS(IP-STS)之间的箭头移动到 Web 应用程序和 ADFS 之间。 Then, the "Bob" that it will send to the Web service is a token that is signed by ADFS containing claims about Bob.然后,它将发送到 Web 服务的“Bob”是一个由 ADFS 签名的令牌,其中包含关于 Bob 的声明。 The Web service will check this signature, and, if it matches, the claims will be considered trustworthy. Web 服务将检查此签名,如果匹配,则认为声明是可信的。
Typically, for cross orgranizational use cases like this, the supplier would also have an STS (an RP-STS).通常,对于像这样的跨组织用例,供应商也会有一个 STS(RP-STS)。 Trust would be established between the STSs.将在 STS 之间建立信任。 Then, local applications (eg, the Web app and service in this drawing) only need to trust their local STS.然后,本地应用程序(例如,此图中的 Web 应用程序和服务)只需要信任其本地 STS。 This avoids a fully connected graph of trust relationships.这避免了信任关系的完全连接图。
HTH! HTH!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.