跨程序发送自定义ACS声明的最佳方法是什么?
[英]What is the best way to send custom ACS Claims across programs?
问题描述
I've got two programs, a "login" program that uses the a foreign STS (Google, Facebook, etc.) to log the user in and returns the type of security access that user has. 
我有两个程序,一个“登录”程序,该程序使用外部STS(Google,Facebook等)来登录用户并返回该用户具有的安全访问类型。 I then want to send that information off to a separate program that takes that security access and gives the user privileges based on that. 然后,我想将该信息发送到一个单独的程序,该程序对该安全性进行访问并根据此信息为用户提供特权。
What is the best way to send that information across? 传送信息的最佳方法是什么?
I've read some things about the Custom Authorization Manager Service, but I'm not sure if that is what I need here. 我已经阅读了有关“自定义授权管理器服务”的一些信息,但是我不确定这是否是我所需要的。 Is it possible to just POST the security info across and the web.config turns that into a claim? 是否可以只发布安全信息,而web.config会将其转化为声明? Should I be making a new token and sending that? 我应该制作一个新令牌并发送该令牌吗?
I am hopelessly lost. 我无可救药地迷路了。 If someone could provide a helpful tutorial somewhere on the web, that would be immensely appreciated (as my googling has only turned up long-winded articles that either do much more than I need or much less). 如果有人可以在网络上的某个地方提供有用的教程,那将不胜感激(因为我的谷歌搜索只发现了一些冗长的文章,它们要么做得比我需要的要多,要么就比我要少得多)。
Specific code snippets would make my day. 特定的代码片段会让我高兴。
Thanks! 谢谢!
EDIT: I am trying to avoid making the login system into an STS. 编辑:我试图避免使登录系统成为STS。 But I am starting to feel I need to. 但是我开始觉得自己需要。 Is there some halfway point between STS and relying party? STS和依赖方之间是否有中间点? Like a relying party that can generate its own claims? 像可以产生自己要求的依赖方一样?
1 个解决方案
解决方案1
1 已采纳 2012-02-28 18:06:30
You have several options: 您有几种选择:
The simplest one is the ClaimsAuthorizationManager, which might be what you're looking for.
最简单的一个是ClaimsAuthorizationManager,它可能就是您想要的。 http://msdn.microsoft.com/en-us/library/ee748497.aspx The CAM is a step in the ASP.NET authentication pipeline that runs right after your application has validated the security token incoming from ACS. http://msdn.microsoft.com/zh-cn/library/ee748497.aspx CAM是ASP.NET身份验证管道中的一个步骤,该步骤将在您的应用程序验证了从ACS传入的安全令牌后立即运行。 Here is where you define your custom authorization logic, and you can add additional claims to the IClaimsPrincipal that gets delivered to yor application. 在这里定义自定义授权逻辑,并且可以向传递给应用程序的IClaimsPrincipal添加其他声明。 Instead of centralizing authorization logic in a service, you could for example implement your CAM in a library that's shared accross various relying party applications. 例如,您可以将CAM实施在各个依赖方应用程序共享的库中,而不是将授权逻辑集中在服务中。 If your authorization rules are simple, ie, you're not querying any external user attribute store, then one option would be to use ACS claims transformation rules to do this.
如果您的授权规则很简单,即您不查询任何外部用户属性存储,则一种选择是使用ACS声明转换规则来执行此操作。 Then your applications would consume the token issued by ACS directly. 然后,您的应用程序将直接使用ACS发行的令牌。 http://msdn.microsoft.com/en-us/library/gg185955.aspx http://msdn.microsoft.com/en-us/library/gg185955.aspx If however your architecture absolutely requires a separate login service that consumes tokens and populates new tokens with user attributes and such, then it will need to be an STS.
但是,如果您的体系结构绝对需要使用令牌并使用用户属性填充新令牌的单独登录服务,则它将必须是STS。 Building your own STS can be tricky, but there are prefabricated STSes available to do this. 构建自己的STS可能很棘手,但是可以使用预制的STS。 If your applications live in an AD domain for example, ADFS 2.0 would be an ideal choice because of it's close integration with AD and ACS, and it's powerful claims transformation capabilities. 例如,如果您的应用程序位于AD域中,则ADFS 2.0将是一个理想的选择,因为它与AD和ACS紧密集成,并且具有强大的声明转换功能。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.