How do I set up a valid on-premise ADFS URI?


Question

I have a .NET 4.6.2 Windows client application which needs to get an authentication token from our on-premise ADFS server and use it to call an ASP.NET Core REST API. Its client name, ID (GUID) and redirect URI have been registered with ADFS. I am using the latest ADAL (v3.13) library to facilitate the authentication. I am attempting to get a token as demonstrated in the ADAL sample code like this:

AuthenticationContext authenticationContext = new AuthenticationContext("https://<adfs-sts-server>/<rest-api-host>", false);
var result = authenticationContext.AcquireTokenAsync(<rest-api-resource-uri>, clientId, redirectUri, new PlatformParameters(PromptBehavior.Auto));

The AcquireTokenAsync call returns an error, saying: The browser based authentication dialog failed to complete. Reason: The server has not found anything matching the requested URI (Uniform Resource Identifier).

Could someone tell me:

  1. Is the "requested URI" referred to in the error the https://<adfs-sts-server>/<rest-api-host> or <rest-api-resource-uri>?
  2. Do I need to register <rest-api-host> or <rest-api-resource-uri> with ADFS in some way, and if so how?
  3. Any other information I need to get this to work?

Thanks! Peter

Recommended answer

Using Active Directory Federation Services (ADFS) to provide authentication for on-premise endpoints from a Windows Client

Configuring ADFS

There are 2 parts to configuring ADFS.

ADFS needs to be able to identify the application requesting user authentication, whether it be a service, WPF application, Web client or Office Add-in. I have gone generic and added the following client, which we can use for most of our C# requests; we may need to register a new client with a different callback for Web clients.

Use one of the many tools out there to generate a GUID for the client ID.
* CLIENT_ID and APP_NAME should be unique.
* For a web client the redirect URI is where the auth service will redirect your call after authenticating the user. It should be an endpoint where you can process the token and continue with your client application. The redirect URI is not really used with rich clients/services/add-ins.

CLIENT_ID = 26E54EC9-7988-4DAE-A527-483A8A78B1C6
APP_NAME = Investplus
DESCRIPTION = Invest+ rich client suite
REDIRECT_URI = https://server/redirect-adfs.html

Client registration instructions

(It may be possible in the wizard, but this is what I found online and it works for us)

  1. Log on to the AD FS server as administrator and open a Windows PowerShell command window.
  2. Enter the following command in Windows PowerShell:

Add-AdfsClient -ClientId <CLIENT_ID> -Name <APP_NAME> -RedirectUri <REDIRECT_URI>

Register the resource to be accessed ('Relying Party' in ADFS speak)

I found this link useful, it takes you through the steps of the wizard for setting up a relying party.

The administrator on the server team will need to use the ADFS Add Relying Party Trust Wizard, and under the "Select Data Source" step select "Enter data about the relying party manually".

Values you need to supply for this wizard:

DISPLAY_NAME                                      = "MyInvestApi" (Unique display name for this Relying party)
PROFILE                                           = "AD FS Profile"
ENABLE_SUPPORT_FOR_WS-FEDERATION_PASSIVE_PROTOCOL = true
URL                                               = "https://server/api"  (Unique URL for this RP)
ADD_ONE_OR_MORE_IDENTIFIERS                       = eg. "urn:myInvestApi" and "https://server/api"
ACCEPT_REMAINING_DEFAULTS

When you get the chance, add claim rules:

SEND_LDAP_ATTRIBUTES_AS_CLAIMS = true
ATTRIBUTE_STORE                = Active Directory
SELECT_USEFUL_ATTRIBUTES       = User-Principal-Name; Email; Display-Name

Configuring/Coding the Client application

Microsoft provides Active Directory Authentication Libraries (ADAL) for a range of platforms and languages, from C# to Javascript, and from iOS to Cordova to Node.

The API exposed has changed significantly in each major version: I am using the latest C# library, currently 3.13.5.

The library makes the coding very simple, just a few lines; where I had problems was:

  1. I couldn't find an explanation of what URL to use for the ADFS Secure Token Service (STS).
  2. I couldn't find documentation of the whole process as I am doing here (most documentation focussed on Azure FS); I struggled to work out how the values provided to ADFS for Client and Relying party mapped to the values used in the code.

What is the ADFS endpoint/URL to use in code?

Microsoft's best practice is to name your ADFS/STS server URL https://sts.domain.com (some people use https://adfs.domain.com, ask your server admins). However, if you try to hit this from a browser you'll get a 404 - Not found, and trying to retrieve a token in the code, the ADAL library reports:

 The browser based authentication dialog failed to complete. Reason: The server has not found anything matching the requested URI (Uniform Resource Identifier).

This is how I found the endpoint to use:

  1. ADFS publishes federation metadata at 'https://sts.domain.com/federationmetadata/2007-06/federationmetadata.xml'
    • Unzip this file and open it in a text editor.

What other values to use in the code?

We want our client app to retrieve a JSON Web Token (JWT) from ADFS which we can pass to our protected resource for authentication/authorization purposes.

At its most simple, the access token can be retrieved in 3 lines of code + configuration, and this will show how to translate what we have configured in ADFS to the values required by ADAL:

using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL v3 (NuGet package of the same name)

var stsEndpoint = "https://sts.domain.com/adfs/ls/";     // WS-Federation passive endpoint from federationmetadata.xml
var relyingPartyIdentifier = "urn:myInvestApi";          // Tenant in Azure AD speak, but this is an on-premise service
var authority = stsEndpoint + relyingPartyIdentifier;
var restResourceUrl = "https://server/api";              // One of the identifiers registered for the relying party
var redirectUri = new Uri("https://server/redirect-adfs.html");  // REDIRECT_URI registered with Add-AdfsClient (ADAL v3 takes a Uri)
const string CLIENT_ID = "26E54EC9-7988-4DAE-A527-483A8A78B1C6";  // CLIENT_ID registered with Add-AdfsClient

// validateAuthority = false: ADFS is not a known Azure AD authority, so authority validation must be off
AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
var asyncRequest = authenticationContext.AcquireTokenAsync(restResourceUrl, CLIENT_ID, redirectUri, new PlatformParameters(PromptBehavior.Auto));
var accessToken = asyncRequest.Result.AccessToken;       // Blocks on the task; prefer await in async code

Useful references
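As an added example, not code from the answer: the client and relying-party registration, claim rules and endpoint discovery the answer walks through, done end-to-end in PowerShell on the AD FS server with the answer's values. It assumes the standard ADFS cmdlets (`Add-AdfsClient`, `Add-AdfsRelyingPartyTrust`) and the stock ADFS claim-type URIs, and the metadata fetch in step 3 needs network access to the STS.

```powershell
# Run on the AD FS server as an administrator; the ADFS module is installed with the role.
Import-Module ADFS

# 1. Register the client application (the answer's Add-AdfsClient step, same values).
$clientId    = '26E54EC9-7988-4DAE-A527-483A8A78B1C6'
$redirectUri = 'https://server/redirect-adfs.html'
Add-AdfsClient -ClientId $clientId -Name 'Investplus' `
    -Description 'Invest+ rich client suite' -RedirectUri $redirectUri

# 2. Register the relying party (what the wizard does with "enter data manually").
#    The identifiers must include the value the client later passes as the ADAL resource.
$rpIdentifiers = @('urn:myInvestApi', 'https://server/api')
# Claim rules: issue UPN, e-mail and display name from Active Directory (standard
# ADFS claim-type URIs, assumed here), then a legacy "permit everyone" authorization rule.
$transformRules = @'
@RuleName = "Send LDAP attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
    query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
'@
$authorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Add-AdfsRelyingPartyTrust -Name 'MyInvestApi' -Identifier $rpIdentifiers `
    -WSFedEndpoint 'https://server/api' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# 3. Read the WS-Federation passive endpoint from federationmetadata.xml instead of
#    guessing it; this is the "/adfs/ls/" URL the answer found by hand (needs network access).
$metadataUri = 'https://sts.domain.com/federationmetadata/2007-06/federationmetadata.xml'
$metadata = [xml](Invoke-WebRequest -UseBasicParsing -Uri $metadataUri).Content
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
$ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')
$stsEndpoint = $metadata.SelectSingleNode(
    '//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns).InnerText

# 4. The values the ADAL client needs, derived from what was just registered:
#    authority = passive endpoint + relying party identifier (as in the answer's code).
[pscustomobject]@{
    Authority   = $stsEndpoint + $rpIdentifiers[0]
    Resource    = $rpIdentifiers[1]
    ClientId    = $clientId
    RedirectUri = $redirectUri
}
```

Checking the returned Authority and Resource against the client's configuration is the quickest way to catch the mismatch behind the "server has not found anything matching the requested URI" error in the question.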
