ASP.NET MVC 2使用WIF身份验证（Windows身份验证基础） [英] ASP.NET MVC 2 and authentication using WIF (Windows Identity Foundation)

问题描述

是否有任何像样的例子以下条件：

Are there any decent examples of the following available:

综观 <一个href=\"http://www.microsoft.com/downloads/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504&displaylang=en\">the WIF SDK ，有重定向到一个ASP.NET网站使用 WSFederationAuthenticationModule（FAM）与ASP.NET结合使用WIF的例子的皮肤薄的上一个安全令牌服务（STS）的顶部是用户用来验证（通过提供用户名和密码）。

Looking through the WIF SDK, there are examples of using WIF in conjunction with ASP.NET using the WSFederationAuthenticationModule (FAM) to redirect to an ASP.NET site thin skin on top of a Security Token Service (STS) that user uses to authenticate (via supplying a username and password).

如果我理解正确的基于声明的WIF和访问，我想我的应用程序提供自己的登录界面，用户提供用户名和密码，让这个委托进行身份验证STS，发送登录信息到端点通过安全标准（WS- *），并期待一个SAML令牌返回。理想情况下， SessionAuthenticationModule 将工作按照使用 FAM 连同 SessionAuthenticationModule 即负责重建 IClaimsPrincipal 从会话安全分块cookie，并重定向到我的应用程序的登录页面时，安全会话过期。

If I understand WIF and claims-based access correctly, I would like my application to provide its own login screen where users provide their username and password and let this delegate to an STS for authentication, sending the login details to an endpoint via a security standard (WS-*), and expecting a SAML token to be returned. Ideally, the SessionAuthenticationModule would work as per the examples using FAM in conjunction with SessionAuthenticationModule i.e. be responsible for reconstructing the IClaimsPrincipal from the session security chunked cookie and redirecting to my application login page when the security session expires.

就是我描述了可以使用 FAM 和 SessionAuthenticationModule 适当的web.config设置，还是我需要想想写的HttpModule 我来处理呢？另外，被重定向到一个薄薄的网站STS，用户处于被动请求者情景登录的事实的方法呢？

Is what I describe possible using FAM and SessionAuthenticationModule with appropriate web.config settings, or do I need to think about writing a HttpModule myself to handle this? Alternatively, is redirecting to a thin web site STS where users log in the de facto approach in a passive requestor scenario?

推荐答案

WIF + MVC的一个例子是可用的身份索赔指南的这一章：

An example of WIF + MVC is available in this chapter of the "Claims Identity Guide":

http://msdn.microsoft.com/en-us/library/ ff359105.aspx

我不建议读第几章来了解所有的基本原则。本博客文章介绍MVC + WIF的细节：

I do suggest reading the first couple chapters to understand all underlying principles. This blog post covers the specifics of MVC + WIF:

的http://blogs.msdn.com/b/eugeniop/archive/2010/04/03/wif-and-mvc-how-it-works.aspx

控制登录体验是完全没有问题。你应该部署自己的STS（在您的域名，你的外观和放大器;的感觉，等等）。您的应用程序将简单地依靠它AuthN（这就是为什么一个应用程序通常被称为依赖方）。

Controlling the login experience is perfectly fine. You should just deploy your own STS (in your domain, with your look & feel, etc). Your apps would simply rely on it for AuthN (that's why a app is usually called a "relying party").

架构的优点是，authN委派给1分量（STS）和不发$ P $垫出遍及许多应用程序。但是其他的（巨大）的优势是，你可以很容易实现更复杂的场景。例如，您现在可以与其他组织的身份提供商联合。

The advantage of the architecture is that authN is delegated to 1 component (the STS) and not spread out throughout many apps. But the other (huge) advantage is that you can enable more sophisticated scenarios very easily. For example you can now federate with other organization's identity providers.

希望它可以帮助
欧亨尼奥

Hope it helps Eugenio

@RisingStar：

@RisingStar:

（含债权）的标记可以选择性加密的（否则会明文）。这就是为什么总是推荐的浏览器和STS之间的交互使用SSL。

The token (containing the claims) can be optionally encrypted (otherwise they will be in clear text). That's why SSL is always recommended for interactions between the browser and the STS.

请注意，即使他们是明文，篡改是不可能的，因为令牌进行数字签名。

Notice that even though they are in clear text, tampering is not possible because the token is digitally signed.

这篇关于ASP.NET MVC 2使用WIF身份验证（Windows身份验证基础）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！