stackoom
  简体   繁体   中英

asp.net mvc and azure active directory security group based authorization

 原文  2018-09-23 20:16:11       c#/ asp.net/ azure/ azure-active-directory

Question

I am looking help for ASP.NET MVC application. Which authenticate single tenant azure active directory users and can authorize users using active directory security group. ie if user is part of that security group then only allow access to website otherwise access denied.

Active directory authentication can be done by visual studio itself using wizard but not sure how to perform authorization through AAD security group.

PS I am new to ASP.NET security

1 answers

solution1
 4 ACCPTED  2018-09-23 22:27:31

When a user signs into the application, incoming token from Azure AD will contain group claims , once you modify the application's manifest appropriately (see the sample application link below for steps). Your application code can then read these claims and make authorization decisions based on them.

Here is a sample application that does authorization based on group claims -

Authorization in a web app using Azure AD groups & group claims

Group claims

在此输入图像描述

ADDITIONAL INFORMATION TO CONSIDER WHEN IMPLEMENTING AUTHORIZATION LOGIC

  1. You have specifically asked about Groups, but you should also consider using Application Roles, which can help you implement a Role based authorization logic. Look at Microsoft documentation link Application Roles . Here is a link to another similar question where I have provided a little more detailed information on both Application Roles and Groups and links to sample code for both. Azure Active Directory Integration with Custom RBAC

    Once you understand the usage/purpose of application roles and groups, it's completely possible for you to decide that you want to base your authorization logic on a combination of Roles and Groups information for the signed in user instead of just one.

  2. In case when a user is part of many groups (6 or more AFAIK), Azure AD token doesn't send across the "groups" directly as part of token, instead it sends an overage indicator and then you can query the groups in a separate call. Take a look at the token related documentation here - Claims in id_tokens

在此输入图像描述

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure active directory with ASP.NET MVC ASP.NET MVC and WCF authentication/authorization against Active Directory with profiles in SQL server ASP.net Mvc 5 - Group policy in authorization from azure AD in MVC5 web app Azure active directory authentication in asp.net Active Directory Authentication on ASP.NET MVC Role based security asp.net mvc Asp.Net Role-based authentication using Security groups in Active Directory Can't update Azure Active Directory B2C user using GraphServiceClient - ASP.NET MVC Azure Active Directory won't logout using ASP.NET Core 2.1 MVC AcquireTokenByAuthorizationCode throw new exception in single tenant application using ASP.NET MVC using Azure Active Directory
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM