
Single sign on with ADFS

I am looking for single sign-on for my application, which is built on JavaScript (no server-side language).

Requirement:

  1. Agent logs in to Windows (user integrated into Active Directory)
  2. Opens my web page
  3. Based on who logged in to Windows, my application goes to AD and pulls some user-specific data (e.g. email, phone)

How shall I go about it?

As per my understanding I will require ADFS for this. So:

  1. User goes to my web page

  2. My web page calls some web service or web application (which is built on C#)

  3. That will authenticate against AD FS and get claims

  4. Either get phone number and email in claim or get username and query AD for phone and email

  5. Return the data to my web page (built on JavaScript)

It seems there is something wrong in my understanding!!

Please suggest a more appropriate solution based on my requirement.

Frankly, I can't think of a way to make it work without server-side processing. This is because the WS-Federation protocol ADFS uses is not just about returning claims.

It is about returning a SAML token. The token contains claims, but what is most important about it is that it is signed using XMLDSig. How you are going to validate the token is the first big question. But there are surely external libraries that allow that.

But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because the ws-federation stops where you get the token and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.

ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.

You can set up something like AuthorizationServer that supports OAuth2/OpenID Connect implicit profile: http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/

Another option is to use something like Auth0 (Disclaimer: I work for Auth0), which also supports the OAuth2/OpenID Connect implicit profile. In that case you wouldn't need ADFS; there is a connector/agent that you install on your network that does not require opening firewalls or anything, and it supports the implicit profile that is suited to JavaScript apps. This is an example of a single-page app tutorial (if you create an account it will tailor the doc with your credentials):

https://docs.auth0.com/singlepageapp-tutorial
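Both answers make the same point: the token the browser receives (a SAML token from WS-Federation, or an id_token from an OIDC implicit flow) must be verified on a server before its claims are trusted, because anything checked only in client-side JavaScript can be edited in the browser. The following is an added example, not code from either answer nor from ADFS or Auth0, showing that server-side step in Python with only the standard library. It is a simplification: an HMAC-SHA256 signature stands in for the XMLDSig or RS256 signature a real token carries, a dict stands in for the AD query from the question, and `ISSUER_SECRET`, `EXPECTED_AUDIENCE`, `DIRECTORY` and all function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: stand-ins for the issuer's signing key and the app's audience identifier.
ISSUER_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_AUDIENCE = "https://app.example.test"

# Constructed directory standing in for the AD lookup of email/phone described in the question.
DIRECTORY = {
    "jdoe": {"email": "jdoe@example.test", "phone": "+1-555-0100"},
}


class TokenError(Exception):
    """Raised by the server-side verifier for any token it will not accept."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = ISSUER_SECRET) -> str:
    """Issuer side (stand-in for ADFS): sign the serialized claims so tampering is detectable."""
    payload = _b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = ISSUER_SECRET, now=None) -> dict:
    """Relying-party side, run on the server, never in the browser.

    Rejects tokens that are malformed, not signed by the issuer, expired,
    or issued for a different audience; only then returns the claims.
    """
    parts = token.split(".")
    if len(parts) != 2:
        raise TokenError("malformed token")
    payload, sig = parts
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a plain == does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenError("wrong audience")
    return claims


def profile_for_token(token: str, now=None) -> dict:
    """The C# web service step from the question: verify first, then consult the directory."""
    claims = verify_token(token, now=now)
    user = DIRECTORY.get(claims.get("sub"))
    if user is None:
        raise TokenError("unknown user")
    return {"user": claims["sub"], **user}


def tampered_copy(token: str, **changes) -> str:
    """Models the browser-side edit the first answer warns about: claims changed, signature left as-is."""
    payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims.update(changes)
    return f"{_b64url_encode(json.dumps(claims, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    good = issue_token({"sub": "jdoe", "aud": EXPECTED_AUDIENCE, "exp": time.time() + 300})
    print(profile_for_token(good))
    for label, bad in [("tampered", tampered_copy(good, sub="admin")),
                       ("expired", issue_token({"sub": "jdoe", "aud": EXPECTED_AUDIENCE, "exp": 1}))]:
        try:
            profile_for_token(bad)
        except TokenError as err:
            print(f"{label}: rejected ({err})")
```

The point of `tampered_copy` is that the directory lookup in `profile_for_token` is never reached for it: the signature check fails on the server regardless of what the page's JavaScript did. With a real SAML token or JWT the same structure applies, with the signature verification delegated to a library that validates XMLDSig or RS256 against the issuer's published certificate.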
