Authentication against multiple identity providers using WSFederationAuthenticationModule for asp.net


Problem description

We have a multitenant asp.net MVC web site which supports multiple partners. Currently we are using forms authentication to authenticate users. Now some of the partners have asked for single sign-on support with SAML.

I did a quick POC to test it against the "Thinktecture" identity provider. All I did was install the "Identity and Access" extension for VS 2012 and configure the identity provider. I noticed that the extension added configuration settings such as the URL of the IP and the realm to the web.config file. It also added the "WSFederationAuthenticationModule" module to handle the authentication. This module handled all the redirects and the validation of the response behind the scenes.

In my case, since we will have multiple identity providers, I will be choosing the identity provider depending upon the partner. The URLs of the different IPs will be stored in the database. I cannot list all the IPs in web.config. Hence I need a mechanism by which I can redirect the user to the appropriate IP URL and, once the IP posts back the result, verify the result and retrieve user information through claims. I don't want to do the XML parsing of the result and the validation of the response, but just want to call methods in "WSFederationAuthenticationModule" to do the heavy-duty work. But I am not sure which methods will be useful for me. Can somebody help me out or list the sequence of methods I need to execute to achieve this?

Recommended answer

Take a look at my simple example:

http://www.wiktorzychla.com/2014/11/simplest-saml11-federated-authentication.html

The trick is not to have the WSFam module in the pipeline but rather to use its API to trigger redirects and consume responses. If you follow my code, you'll see there are two clauses:

 // wsfed response or not
 if ( !fam.IsSignInResponse(...) )
    // redirect to provider
 else
    // create local config and validate the incoming token

This simple example is perfectly suitable for a multitenant scenario; in fact we use WS-Fed daily in a multitenant environment and most clients are based on this core approach.

Namely, creating the SecurityTokenHandlerConfiguration programmatically in the branch that consumes the response gives you total control over how you validate tokens for different tenants.
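As an added example (this is not the code from the linked post, nor the asker's), here is the same two-branch flow written as an ASP.NET MVC controller action: the module is never registered in the pipeline, and the identity provider URL, realm, reply URL and token-signing certificate thumbprint are looked up per tenant. It targets .NET 4.5 (System.IdentityModel and System.IdentityModel.Services). The Tenant type, the in-memory table keyed by host name, the FederatedLogin route and the urn:example:tenant claim are assumptions standing in for the asker's partner table and routing; the thumbprint and URLs are constructed sample values.

```csharp
// Added example, not the original page's or Wiktor's code. Multi-tenant WS-Federation
// sign-in using the WSFederationAuthenticationModule API directly (.NET 4.5), with the
// module NOT in the HTTP pipeline. Tenant type and lookup are hypothetical placeholders.
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Web.Mvc;
using System.Xml;

public class Tenant                       // hypothetical: one row of the partner table
{
    public string Name;                   // partner key used inside the application
    public string IssuerUrl;              // partner IdP WS-Federation endpoint (wsfed "issuer")
    public string Realm;                  // wtrealm: this application's identifier at that IdP
    public string Reply;                  // wreply: URL on this tenant's host the IdP posts back to
    public string SigningCertThumbprint;  // SHA-1 thumbprint of the IdP's token-signing certificate
}

public class FederatedLoginController : Controller
{
    // Constructed sample data; in the real application this comes from the database.
    static readonly Dictionary<string, Tenant> TenantsByHost =
        new Dictionary<string, Tenant>(StringComparer.OrdinalIgnoreCase)
        {
            { "acme.example.com", new Tenant {
                Name = "acme",
                IssuerUrl = "https://idp.acme.example/issue/wsfed",
                Realm = "urn:example:app:acme",
                Reply = "https://acme.example.com/FederatedLogin",
                SigningCertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567" } }
        };

    public ActionResult Index()
    {
        // Resolve the tenant from the host the request arrived on (partner subdomain),
        // not from wctx or any other parameter the browser can rewrite on the way back.
        Tenant tenant;
        if (!TenantsByHost.TryGetValue(Request.Url.Host, out tenant))
            return new HttpStatusCodeResult(404, "Unknown tenant");

        var fam = new WSFederationAuthenticationModule();
        // loadConfig:false keeps the module from reading <system.identityModel> in web.config.
        fam.FederationConfiguration = new FederationConfiguration(false);
        fam.Issuer = tenant.IssuerUrl;
        fam.Realm = tenant.Realm;
        fam.Reply = tenant.Reply;

        // Clause 1: not a wsfed response -> redirect the browser to this tenant's IdP.
        if (!WSFederationAuthenticationModule.IsSignInResponse(Request))
        {
            SignInRequestMessage signIn = fam.CreateSignInRequest("passive", "/", false);
            return Redirect(signIn.WriteQueryString());
        }

        // Clause 2: wresult posted back -> extract the token and validate it with a
        // configuration built for this tenant only. Presence of wa/wresult is not a
        // security check; ValidateToken is, and it throws SecurityTokenException on failure.
        SignInResponseMessage response = fam.GetSignInResponseMessage(Request);
        string tokenXml = fam.GetXmlTokenFromMessage(response);
        ReadOnlyCollection<ClaimsIdentity> identities = ValidateTokenForTenant(tokenXml, tenant);
        var principal = new ClaimsPrincipal(identities);

        // Establish the application session here (e.g. a forms-auth cookie). The tenant
        // recorded in the session must be the one whose trust validated the token, never
        // a value taken from the token or from wctx.
        return Redirect("/");
    }

    public static ReadOnlyCollection<ClaimsIdentity> ValidateTokenForTenant(string tokenXml, Tenant tenant)
    {
        var config = new SecurityTokenHandlerConfiguration();
        // 1. Only this tenant's signing certificate is a recognised issuer (pinned by thumbprint).
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(tenant.SigningCertThumbprint, tenant.IssuerUrl);
        config.IssuerNameRegistry = registry;
        // 2. The token must be addressed to this tenant's realm, so a token minted for
        //    partner A cannot be posted to partner B's login endpoint and accepted there.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(tenant.Realm));
        // 3. Trust is decided by the thumbprint above; partner IdP certificates are commonly
        //    self-signed, so chain building is skipped. Use ChainTrust/PeerTrust if they are CA-issued.
        config.CertificateValidator = X509CertificateValidator.None;
        config.MaxClockSkew = TimeSpan.FromMinutes(2);
        config.DetectReplayedTokens = true;   // default cache is in-process; a web farm needs a shared one

        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);

        SecurityToken token;
        using (XmlReader reader = XmlReader.Create(new StringReader(tokenXml)))
            token = handlers.ReadToken(reader);          // parses the assertion and checks its signature

        // Checks issuer thumbprint, audience, NotBefore/NotOnOrAfter and replay.
        ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
        foreach (ClaimsIdentity id in identities)
            id.AddClaim(new Claim("urn:example:tenant", tenant.Name));   // bind identity to tenant
        return identities;
    }
}
```

Two design points worth keeping when adapting this. First, the tenant is resolved the same way on both legs: the IdP posts the token back to that tenant's Reply URL, so the host of the response is the host of the original request, and nothing the browser can edit (wctx, form fields, claims inside the token) chooses which trust configuration is applied. Second, the issuer registry and audience list contain exactly one tenant's values, so a genuine token from partner A's identity provider fails validation at partner B's endpoint with an unrecognised-issuer or audience error rather than signing the user in to the wrong tenant. Signature checking assumes the IdP embeds its certificate in the token's KeyInfo, which is the usual case; an IdP that only sends a key reference needs an IssuerTokenResolver holding the tenant's certificate.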
