Updating claims with ADFS and WIF


Problem description



Imagine the following scenario.

User visits a site A (ASP.NET), authenticates using ADFS and gets a set of claims. At some point, they need to register for an additional service so they are redirected to a provisioning site B (ASP.NET) (also using ADFS – so SSO) where they register by entering their relevant details and are redirected back to A.

However, part of the provisioning process added attributes to a repository (normally AD) and we would like those attributes to form part of their claim set.

To do this they have to re-authenticate? Is the best way to do this by forcing a federated logout? Would this be done by site A or site B?

If they are internal users using WIA, they would be logged in "behind the scenes" and the whole process would be transparent.

What if they are external users using FBA? Wouldn't they have to log in again? Given that this is not a very satisfactory user experience, is there a way around this?

There are some references out there that talk about writing a signed token as a cookie to the client browser and then the STS later authenticating the SSO token from the cookie. How would you do this with ADFS?

Solution

Have a look at the blog post I wrote about a similar scenario:

Refreshing Claims in a WIF Claims-Aware Application

In this case, the user is logged out locally but then redirected back to ADFS where they are "signed back in" since their ADFS cookie is still valid. This little hop is mostly transparent to the user and will update the claims.
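An added example, not code from the answer or its linked post, of the hop described above in an ASP.NET MVC application on WIF (System.IdentityModel.Services, .NET 4.5). The controller and action names, and the assumption that site B redirects the user back to this action, are mine.

```csharp
// Added example: refresh a user's claims by dropping the local WIF session
// and sending a fresh WS-Federation sign-in request to ADFS. The ADFS SSO
// cookie is left alone, so the user is signed back in without a prompt and
// ADFS re-evaluates its issuance rules (e.g. AD attribute lookups).
using System;
using System.IdentityModel.Services;
using System.Web.Mvc;

public class ClaimsRefreshController : Controller   // hypothetical name
{
    // Site B redirects the user here after provisioning (assumption).
    [Authorize]
    public ActionResult Refresh(string returnUrl)
    {
        // Only bounce the user to a path inside this application; an
        // attacker-supplied absolute URL would turn this into an open
        // redirect. Url.IsLocalUrl rejects absolute and protocol-relative URLs.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
        {
            returnUrl = Url.Action("Index", "Home");
        }

        var sam = FederatedAuthentication.SessionAuthenticationModule;
        var fam = FederatedAuthentication.WSFederationAuthenticationModule;

        // 1. Local sign-out: removes the FedAuth session cookie so this
        //    application stops accepting the stale claim set.
        sam.SignOut();

        // 2. Redirect to ADFS with a new wsignin1.0 request. Because the ADFS
        //    SSO cookie is still valid, an FBA user is not asked for
        //    credentials again; the token ADFS returns is built from the
        //    current attribute values, so the new attributes appear as claims.
        //    The first argument is a correlation id; the last keeps the new
        //    session cookie non-persistent.
        fam.RedirectToIdentityProvider(
            Guid.NewGuid().ToString("N"), returnUrl, false);

        // RedirectToIdentityProvider has already issued the 302 to ADFS.
        return new EmptyResult();
    }
}
```

Make sure returnUrl never points back at this action, or the client will loop between ADFS and site A; and remember that attributes written to AD are only visible to ADFS once they have replicated to the domain controller ADFS queries.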
