简体繁体 English

与Active Directory集成的.NET应用程序的单点登录

[英]Single sign on for .NET application integrated with Active Directory

原文 2012-06-12 20:50:40 1 3 c#/ active-directory/ single-sign-on/ adfs2.0/ adfs

We have several customer using our web application (not intranet), some customers want their login should be integrated with their organizations Active Directory. 我们有几个客户使用我们的Web应用程序（而不是Intranet），一些客户希望他们的登录信息应与他们的组织Active Directory集成在一起。 They just want that user should login to their windows account and can access the web application without entering any user credentials. 他们只希望该用户登录他们的Windows帐户并可以访问Web应用程序而无需输入任何用户凭据。

I have read some articles regarding ADFS, but still not sure how to integrate that or implement it. 我已经阅读了一些有关ADFS的文章，但仍然不确定如何将其集成或实现。 Any proposed solution ? 有什么建议的解决方案吗？

Thanks! 谢谢！

3 个解决方案

If you develop a .NET based application, Microsoft provides a library called WIF , which is used to communicate with the AD FS in a +- comfortable way (configuration + little code adaptations to get the claims from the authentication message provided by the AD FS). 如果您开发基于.NET的应用程序，则Microsoft提供了一个名为WIF的库，该库用于以+-舒适的方式与AD FS通信（配置+少量代码修改以从AD FS提供的身份验证消息中获取声明））。

There are few protocols that both AD FS 2.0 and WIF support, to make the SSO work, the most common ones are (afaik) SAML 2.0 and WS-Federation. 为了使SSO正常运行，AD FS 2.0和WIF都支持很少的协议，最常见的协议是（afaik） SAML 2.0和WS-Federation。 Both are built on XML messages, but you are not required to know the details, if you use WIF. 两者都是基于XML消息构建的，但是如果您使用WIF，则不需要知道详细信息。

For WS - Federation, the WIF library provides a plugin for Visual Studio, which allows you to configure your site as the relying party with your AD FS. 对于WS-Federation，WIF库提供了Visual Studio插件，该插件使您可以将站点配置为AD FS的依赖方。

You CAN use the credentials within your DB to identify users, you can actually customize AD FS's entire login page and authentication events. 您可以使用数据库中的凭据来识别用户，实际上可以自定义 AD FS的整个登录页面和身份验证事件。 However the basic installation requires each user to be defined within your Active Directory. 但是，基本安装要求在Active Directory中定义每个用户。 You can also use your DB as a claims store (another data base AD FS will use to provide the relying applications with information about users). 您还可以将数据库用作声明存储（另一个数据库AD FS将使用该数据库向依赖的应用程序提供有关用户的信息）。 Note that if you intend to use an AD behind the AD FS, your AD FS service must be able to access it and LDAP query it, which I'm not sure will work for you, if your users login to their local domain that the AD FS is not familiar with. 请注意，如果您打算在AD FS后面使用AD，则您的AD FS服务必须能够访问它并通过LDAP查询它，如果您的用户登录到其本地域，则用户不确定该服务是否对您有用。 AD FS不熟悉。

IF you are not required to support industry SSO standard protocols (SAML 2.0 I've mentioned), I'm not sure implementing AD FS will be such a good solution. 如果您不需要支持工业SSO标准协议（我已经提到过SAML 2.0），那么我不确定实现AD FS是否会是一个很好的解决方案。 It forces you to work in a certain way, which is not always that comfortable. 它迫使您以某种方式工作，而这并不总是那么舒适。

Your question doesn't explicitly state that whether you are limited to using ADFS for implementing SSO. 您的问题并未明确指出您是否仅限于使用ADFS来实现SSO。 ADFS is certainly one way of doing this. ADFS当然是执行此操作的一种方法。 You may want to look at OpenID-LDAP _{^{(was at www.openid-ldap.org, but project is now defunct)}} and other identity providers as alternatives for implementing SSO. 您可能希望查看OpenID-LDAP _{^{（位于www.openid-ldap.org，但现在已取消项目）}}和其他身份提供者，以作为实现SSO的替代方法。

One alternative is to implement an OpenID provider that uses integrated windows authentication. 一种替代方法是实施使用集成Windows身份验证的OpenID提供程序。 They can install it in their DMZ exposing that to the internet, instead of ADFS. 他们可以将其安装在DMZ中，而不是ADFS公开到Internet。 It may allow single sign on from Internet Explorer and Chrome. 它可能允许从Internet Explorer和Chrome进行单点登录。

Implementing an OpenID provider is a non trivial matter. 实施OpenID提供程序并非易事。 You'll have to pay close attention to security. 您必须密切注意安全性。 Fortunally, there are a number of frameworks like DotNetOpenAuth that may help you. 幸运的是，有许多类似DotNetOpenAuth的框架可以为您提供帮助。

When using OpenID, your "cloud" application will act as an OpenID rely and get a claimed identifier amongst other attributes from the OpenID provider. 使用OpenID时，您的“云”应用程序将充当OpenID依赖，并从OpenID提供程序获取其他属性中的声明的标识符。 You should store this in your database to uniquely identify the user. 您应该将此存储在数据库中以唯一标识用户。 You may choose to implement the OpenID provider such that it can also provide your cloud application with the minimal information like email address, the person's name etc. 您可以选择实施OpenID提供程序，以便它还可以为您的云应用程序提供最少的信息，例如电子邮件地址，人员姓名等。

The benefit of using OpenID is that your "cloud" application can continue to support other well known OpenID providers like Google and Yahoo without much change. 使用OpenID的好处是，您的“云”应用程序可以继续支持其他知名的OpenID提供程序，例如Google和Yahoo，而无需进行太多更改。

In the end you'll need to ask your customers what technologies they are comfortable with. 最后，您需要询问客户他们喜欢什么技术。 You'll find that a lack of trust (a business trait) between organizations is more often than not the challenge rather than technology. 您会发现，组织之间缺乏信任（一种业务特质）通常不是挑战而是技术。

More detail needed as per comments. 根据评论需要更多细节。

There's a good source here: AD FS 2.0 Content Map . 这里有一个很好的资源： AD FS 2.0内容映射。

The "e-book" is here . “电子书”在这里。

I could imagine one scenario where you bind your cloud application to Azure ACS, your customers install ADFS on top of their AD and federate their ADFS with ACS. 我可以想象一种情况，您将云应用程序绑定到Azure ACS，客户在其AD上安装ADFS并将其ADFS与ACS联合。 That would give you the functionality you require. 这将为您提供所需的功能。

Update after comment: 评论后更新：

ADFS can only authenticate against AD. ADFS只能针对AD进行身份验证。 It cannot authenticate against a DB. 它无法针对数据库进行身份验证。 It can get attributes from a SQL Server DB which it can then transform to claims ie it can use a SQL DB for authorisation. 它可以从SQL Server数据库获取属性，然后将其转换为声明，即可以使用SQL DB进行授权。

If you want to authenticate against a SQL DB, you can two choices. 如果要针对SQL DB进行身份验证，可以有两种选择。

Create a custom STS 创建一个自定义STS
Use an existing "custom" STS like Identity Server which allows this functionality. 使用现有的“自定义” STS（例如Identity Server）来启用此功能。