具有基于声明的身份验证和多个角色的Windows Identity Foundation
[英]Windows Identity Foundation with Claims based Authentication and Multiple Roles
问题描述
We are implementing a Secure Token Service (STS) which uses Windows Identity Foundation to provide Claims based authentication and authorisation. 
我们正在实施安全令牌服务(STS),该服务使用Windows Identity Foundation提供基于声明的身份验证和授权。
My question is really about best practices and how we should handle multiple roles for a given identity. 我的问题实际上是关于最佳实践以及我们应该如何处理给定身份的多个角色。
When creating claims for a user after they have successfully logged in, we need to be able to add the roles that the user is a member of to the claims before returning to the Relying Party. 在用户成功登录后为其创建声明时,我们需要能够在返回依赖方之前将用户所属的角色添加到声明中。
The Claim object does not accept a collection of strings so I'm wondering how this should be done. Claim对象不接受字符串集合,所以我想知道应该怎么做。 I can think of two ways: 我可以想到两种方式:
- I can add multiple Claims of type ClaimTypes.Role with different values and these can be read on the other side (I have tested and this seems to work without any errors) 我可以添加多个ClaimTypes.Role类型的声明具有不同的值,这些可以在另一侧读取(我已经测试过,这似乎没有任何错误)
- I could also put the roles into a single claim and delimit them by ; 我还可以将角色放在一个单独的声明中并用它们分隔; or something like that. 或类似的东西。
My question is really about which of the above is better, or am I missing something better? 我的问题是关于上面哪个更好,或者我错过了更好的东西? Neither solution is perfect as it will require parsing on the other side. 这两种解决方案都不是完美的,因为它需要在另一方面进行解析。
Thanks, John 谢谢,约翰
1 个解决方案
解决方案1
2 已采纳 2012-10-11 18:59:32
If you use ADFS as the STS, it inserts multiple roles into the claim 如果使用ADFS作为STS,它会在声明中插入多个角色
eg 例如
- ...claims/role Editor ...声明/角色编辑
- ...claims/role Approver ......声明/角色审批人
etc. 等等
The advantage of this is that WIF can then use the standard IsInRole constructs etc. 这样做的好处是WIF可以使用标准的IsInRole结构等。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.