如何使用Azure AD对同一应用程序的多个实例进行身份验证 [英] How to use Azure AD for authentication for multiple instances of same application
问题描述
我是Azure Active Directory身份验证的新手,我试图弄清楚如何实现Azure Active Directory身份验证的要求.
我们有同一个Web应用程序的多个实例.即,每个客户端有一个虚拟目录和一个数据库.不允许一个实例中的用户访问该应用程序的其他实例.我们是否可以使用其中包含所有用户的单个Active Directory和单个Azure AD应用程序来实现此目的,还是需要为每个客户端创建Active Directory和单独的Azure AD应用程序?该限制将通过应用程序代码实现,但是有什么方法可以对用户进行分组,以便我们可以在身份验证响应中获得一些价值,以识别用户可以访问的实例?
1.我们有同一个Web应用程序的多个实例.即,每个客户端有一个虚拟目录和一个数据库.用户来自一个实例不应被允许访问该实例的其他实例应用.我们可以使用单个Active Directory与里面的所有用户?
是的,您可以这样做.您可以为Azure SQL Server中的每个数据库创建Azure AD组,并将SQL角色分配给该组.然后,如果要允许一个用户访问一个数据库,只需要将用户添加到组中.有关更多详细信息,请参阅
添加应用角色
-
选择要在其中定义应用程序角色的应用程序.然后选择
Manifest. -
通过找到
appRoles设置并添加所有内容来编辑应用清单您的应用程序角色
例如
"appId":"8763f1c4-f988-489c-a51e-158e9ef97d6a","appRoles":[{"allowedMemberTypes":[用户"],"displayName":您的数据库名称","id":< GUID>","isEnabled":是,"description":访问数据库<您的数据库名称>","value":您的数据库名称"}],"availableToOtherTenants":否, -
代码
a.创建Stratup.cs
public void ConfigureAuth(IAppBuilder应用){JwtSecurityTokenHandler.DefaultMapInboundClaims = false;app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);app.UseCookieAuthentication(new CookieAuthenticationOptions());app.UseOpenIdConnectAuthentication(新的OpenIdConnectAuthenticationOptions{权限=权限,ClientId = appId,ClientSecret = appSecret,RedirectUri = redirectUri,PostLogoutRedirectUri = redirectUri,范围="openid配置文件offline_access https://database.windows.net//.default",ResponseType = OpenIdConnectResponseTypes.CodeIdToken,TokenValidationParameters =新的TokenValidationParameters{ValidateIssuer = false,RoleClaimType =角色"},通知=新的OpenIdConnectAuthenticationNotifications(){AuthenticationFailed = OnAuthenticationFailed,AuthorizationCodeReceived = OnAuthorizationCodeReceived}});}私有异步任务OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification通知){var idClient = var idClient = ConfidentialClientApplicationBuilder.Create(appId).WithAuthority(权限).WithRedirectUri(redirectUri).WithClientSecret(appSecret).建造();string [] scopes ="openid profile offline_access https://database.windows.net//.default" .Split('');AuthenticationResult结果=等待idClient.AcquireTokenByAuthorizationCode(scopes,notification.Code).ExecuteAsync();}私有任务OnAuthenticationFailed(AuthenticationFailedNotification< Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage,OpenIdConnectAuthenticationOptions>通知){notification.HandleResponse();notification.Response.Redirect("/Error?message =" + notification.Exception.Message);返回Task.FromResult(0);}b.获取角色值
ClaimsPrincipal.Current.FindFirst("roles").Value;
关于如何执行此操作,可以参考 sample 以获得更多详细信息.
I am new to Azure Active Directory authentication and I am trying to figuring out how we can implement our requirements for Azure Active Directory Authentication.
We have multiple instances of the same web application. i.e. There is one virtual directory and one database for each client. Users from one instance should not be allowed to access other instances of the application. Can we achieve this using a Single Active Directory with all users in it and a single Azure AD application or do we need to create Active Directory and a separate Azure AD application for each client? The restriction will be implemented through application code, but is there any way to group users so we can get some value in authentication response to identify which instance the user can access?
1. We have multiple instances of the same web application. i.e. There is one virtual directory and one database for each client. Users from one instance should not be allowed to access other instances of the application. Can we achieve this using a Single Active Directory with all users in it?
Yes, you can do that. You can create Azure AD group for each database in Azure SQL Server and assign SQL role to the group. Then if you want to enable one user to access one database, you just need to add the user to the group. For more details, please refer to the document The steps are as below
- Create an Azure AD administrator for Azure SQL server
Connect-AzAccount
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "Group-23" -ServerName "demo_server" -DisplayName "user name" -ObjectId "user object id"
Create Azure AD group for each database
a. Use above Azure AD use login SQL server vai SSMS b. Create
CREATE USER [GroupNmae] FROM EXTERNAL PROVIDER ALTER ROLE db_owner ADD MEMBER [GroupNmae]- Add users to AD group
Connect-AzureAD
Add-AzureADGroupMember -ObjectId <group id> -RefObjectId <user id>
2. The restriction will be implemented through application code, but is there any way to group users so we can get some value in authentication response to identify which instance the user can access?
According to my test, we can use the AzureAD token role claim to implement. We can create app role for every database in Azure SQL server by assigning app role for the AD group. For more details about app role, please refer to the document
The detailed steps are as below.
Configure app permisions
Add app role
Select the application you want to define app roles in. Then select
Manifest.Edit the app manifest by locating the
appRolessetting and adding all your Application Roles
For example
"appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "your databse name",
"id": "<GUID>",
"isEnabled": true,
"description": "access database <your databse name>",
"value": "your databse name"
}
],
"availableToOtherTenants": false,
Code
a. Create Stratup.cs
public void ConfigureAuth(IAppBuilder app) { JwtSecurityTokenHandler.DefaultMapInboundClaims = false; app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions()); app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { Authority = authority, ClientId = appId, ClientSecret = appSecret, RedirectUri = redirectUri, PostLogoutRedirectUri = redirectUri, Scope = "openid profile offline_access https://database.windows.net//.default", ResponseType=OpenIdConnectResponseTypes.CodeIdToken, TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false, RoleClaimType = "roles" }, Notifications = new OpenIdConnectAuthenticationNotifications() { AuthenticationFailed = OnAuthenticationFailed, AuthorizationCodeReceived= OnAuthorizationCodeReceived } } ); } private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification) { var idClient = var idClient = ConfidentialClientApplicationBuilder.Create(appId) .WithAuthority(authority) .WithRedirectUri(redirectUri) .WithClientSecret(appSecret) .Build(); string[] scopes = "openid profile offline_access https://database.windows.net//.default".Split(' '); AuthenticationResult result = await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync(); } private Task OnAuthenticationFailed(AuthenticationFailedNotification<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification) { notification.HandleResponse(); notification.Response.Redirect("/Error?message=" + notification.Exception.Message); return Task.FromResult(0); }b. Get role value
ClaimsPrincipal.Current.FindFirst("roles").Value;
Regarding how to implement this, you can refer to the sample to get more details.
这篇关于如何使用Azure AD对同一应用程序的多个实例进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
