How does Azure AD Multitenant authentication work?


Question

I want to enable multitenant authentication. My code is in ASP.NET Web Forms, and here is the Startup.cs file code.

    // Usings this file needs (the posted excerpt omitted them)
    using System;
    using System.Collections.Generic;
    using System.Configuration;
    using System.Threading.Tasks;
    using Microsoft.Owin.Extensions;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        const string MSATenantId = "XXXXXXXXXXXXXXX";
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientID"];
        private static string aadInstance = EnsureTrailingSlash(ConfigurationManager.AppSettings["ida:AADInstance"]);
        // "common" endpoint: tokens from any tenant are accepted by the metadata, so issuer
        // validation has to be done by the app itself
        private static string authority = aadInstance + "common";

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions { });

            // instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
            // we inject our own multitenant validation logic
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidIssuers = new List<string>()
                        {
                            "https://sts/windows.net/XXXXXXXXXXXX"
                        }
                        // If the app needs access to the entire organization, then add the logic
                        // of validating the Issuer here.
                        // IssuerValidator
                    },
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        SecurityTokenValidated = (context) =>
                        {
                            //if (context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value != MSATenantId)
                            //{
                            //     context.HandleResponse();
                            //    context.Response.Redirect("InvalidUser.aspx");
                            //}
                            // If your authentication logic is based on users
                            return Task.FromResult(0);
                        },
                        AuthenticationFailed = (context) =>
                        {
                            // Pass in the context back to the app
                            context.HandleResponse();
                            // Suppress the exception
                            return Task.FromResult(0);
                        }
                    },
                });

            // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
            app.UseStageMarker(PipelineStage.Authenticate);
        }

        // Helper referenced above but missing from the posted excerpt
        private static string EnsureTrailingSlash(string value)
        {
            if (value == null) value = string.Empty;
            return value.EndsWith("/", StringComparison.Ordinal) ? value : value + "/";
        }

        //private Task OnSecurityTokenValidatedAsync(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        //{
        //    // Make sure that the user didn't sign in with a personal Microsoft account
        //    if (notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value == MSATenantId)
        //    {
        //        notification.HandleResponse();
        //        notification.Response.Redirect("/Account/UserMismatch");
        //    }

        //    return Task.FromResult(0);
        //}
    }

I want only users with the MSATenantId to be able to access the application. I have read that there are multiple ways to do this; I have tried the two below, though neither is working:

1. In this case the application doesn't redirect to the Home page:

    TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuers = new List<string>()
        {
            "https://sts/windows.net/XXXXXXXXXX"
        }
        // If the app needs access to the entire organization, then add the logic
        // of validating the Issuer here.
        // IssuerValidator
    },

2. In this case it doesn't redirect to the invalid-user page:

    SecurityTokenValidated = (context) =>
    {
        if (context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value != MSATenantId)
        {
            context.HandleResponse();
            context.Response.Redirect("InvalidUser.aspx");
        }
        // If your authentication logic is based on users
        return Task.FromResult(0);
    },

Am I missing anything, or do I need to add something in the above scenarios? I want to just test with one tenant first, and then I'll add more tenants.

Also, how are 1 and 2 different?

This works if I don't use any of the above options; I am able to log in with an Azure account.

Answer

Your question has been resolved; adding it as the answer at the end of the question.

Your issuer is set incorrectly; you should change it to: https://sts.windows.net/XXXXXXXXXXXX/.
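The following is an added example (not the poster's or the answerer's code) showing the two mechanisms from the question side by side: option 1 as an IssuerValidator delegate that builds the exact https://sts.windows.net/{tenantid}/ form the answer gives, and option 2 as a tenantid claim check meant to be called from SecurityTokenValidated. It assumes the same Microsoft.IdentityModel.Tokens package the question uses; the tenant ID in AllowedTenants is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// Added example, not the original poster's code. Assumes the Microsoft.IdentityModel.Tokens
// package used in the question; the tenant ID below is a hypothetical placeholder.
public static class TenantIssuerValidation
{
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Tenant IDs (GUIDs) the app accepts: one to start with, more can be added later.
    private static readonly HashSet<string> AllowedTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "00000000-0000-0000-0000-000000000000" };

    // The Azure AD (v1 endpoint) issuer is https://sts.windows.net/{tenantid}/ with a dot after
    // "sts" and a trailing slash. ValidIssuers is an exact string match, so a value such as
    // "https://sts/windows.net/..." can never match a real token and validation always fails.
    public static string IssuerForTenant(string tenantId)
    {
        return "https://sts.windows.net/" + tenantId + "/";
    }

    // Option 1: issuer check that runs DURING token validation. A throw here surfaces in
    // AuthenticationFailed; the question's handler calls HandleResponse() and swallows the
    // exception, which is why that variant ends with no redirect at all.
    public static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        if (AllowedTenants.Any(t => string.Equals(IssuerForTenant(t), issuer, StringComparison.OrdinalIgnoreCase)))
            return issuer;
        throw new SecurityTokenInvalidIssuerException("Token issued by an unexpected tenant: " + issuer);
    }

    // Option 2: claim check that runs AFTER validation, i.e. from SecurityTokenValidated.
    // Rejects a missing tenantid claim instead of dereferencing .Value on null as the question does.
    public static bool IsAllowedTenant(ClaimsIdentity identity)
    {
        Claim tid = identity == null ? null : identity.FindFirst(TenantIdClaim);
        return tid != null && AllowedTenants.Contains(tid.Value);
    }

    // Parameters to plug into OpenIdConnectAuthenticationOptions: the delegate replaces ValidIssuers.
    public static TokenValidationParameters BuildParameters()
    {
        return new TokenValidationParameters
        {
            ValidateIssuer = true,
            IssuerValidator = ValidateIssuer
        };
    }
}
```

In SecurityTokenValidated, call `TenantIssuerValidation.IsAllowedTenant(context.AuthenticationTicket.Identity)` and, when it returns false, do the HandleResponse/Redirect pair from the question.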
