使用本地ADFS STS在ASP.NET应用程序和Office365之间进行单点登录 [英] Single sign on between ASP.NET app and Office365 with on-premise ADFS STS
问题描述
我正在构建一个ASP.NET Web应用程序,该应用程序使用Windows Identity Foundation对用户进行身份验证.
I'm building an ASP.NET web app that authenticates users with Windows Identity Foundation.
该组织有一个本地ADFS STS.他们的Office365通过Microsoft Federation Gateway使用本地STS进行身份验证.新的网络应用程序还将通过WIF对本地STS进行身份验证.
The organization has an on-premise ADFS STS. Their Office365 authenticates through Microsoft Federation Gateway with the on-premise STS. The new web app will also authenticate against the on-premise STS with WIF.
我可以在新应用程序和Office365环境之间建立静默单点登录吗?因此,用户登录到Web应用程序后就不必登录Office365,反之亦然.
Can I establish silent single sign on between the new app and the Office365 environment? So the user will not have to log into Office365 once he is logged into the web app and vice versa.
推荐答案
是的,您应该可以通过将ASP.NET应用程序直接与Office365联合来实现此目的.您可能已经知道,通常的工作方式是在Office AD上同步到Office365,并且与ADFS服务器建立信任关系.登录Web应用程序时,用户将被重定向到Office365以键入其UPN(通常是电子邮件地址). Office365使用它来确定将您重定向到哪个本地ADFS服务器.
Yes, you should be able to accomplish this by federating your ASP.NET application with Office365 directly. As you probably already know, typically the way this works is you have Office365 synced to on prem AD, and you have a trust set up with the on-prem ADFS server. When you're signing in to your web application the user gets redirected to Office365 to type in their UPN (typically the email address). Office365 uses that to figure out which on-prem ADFS server to redirect you to.
如果您是从域内登录的,则可以立即通过Windows集成身份验证进行身份验证. ADFS将您重定向到Office365以建立会话,并且Office365将您登录到应用程序本身.如果您不在域中,则需要设置ADFS外部代理.在此,此特殊的ADFS代理代替Windows集成身份验证,将提示用户输入公司凭据,然后以与以前相同的方式重定向回Office365.
If you're logging on from within the domain, you get authenticated right away via windows integrated auth. ADFS will redirect you back to Office365 to establish a session, and Office365 will log you in to the application itself. If you're outside of the domain, you'll need an ADFS external proxy set up. There, instead of windows integrated auth, this special ADFS proxy will prompt the user for corporate credentials, and then redirect back to Office365 in the same way as before.
这是一张很好的白皮书,详细介绍了所有这些内容:
Here's a nice whitepaper that explains all of this in more detail:
http://www.microsoft.com/download/en/details.aspx?id = 28971
这篇关于使用本地ADFS STS在ASP.NET应用程序和Office365之间进行单点登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
