使用基于局域角色授权Active Directory验证 [英] Active Directory Authentication with Local-Role-Based Authorization
问题描述
我开发一个ASP.NET MVC应用程序。我需要支持多种认证机制(这个程序是由多个用户,每个都有自己的preferred authn提供商)。一个权威性供应商将是Active Directory。身份验证的AD集成很简单,我有没有问题。
I'm developing an ASP.NET MVC application. I need to support multiple authentication mechanisms (this app is used by multiple customers, each with their own preferred authn provider). One auth provider will be Active Directory. The AD integration for authentication is straightforward and I have no problems with that.
有关授权,角色将被存储在本地数据库(注:我们不能使用Active Directory组这样做的授权 - 角色需要是本地应用程序角色,因为我们支持多个authn提供商和AD管理员不希望创建自定义在AD组只为我们的应用程序)。我的期望是,我们需要以做用户被分配 - 这 - 角色映射建立在我们本地数据库存根用户帐户。这些存根用户帐号也将被用来指示哪些用户被授权访问的应用程序(在AD数据库不是每个人都应该有机会)。
For authorization, roles will be stored in a local database (NOTE: we cannot use Active Directory groups for doing authorization - roles need to be local application roles because we support multiple authn providers and AD admins won't want to create custom groups in AD just for our app). My expectation is that we will need to create "stub" user accounts in our local database in order to do the User-is-assigned-which-Roles mapping. These stub user accounts will also be used to indicate which users are authorized to access the application (not everyone in the AD database should have access).
控制的预期流量将是:
- 用户访问登录页>输入凭证>的帖子凭据的应用服务器。
- 的应用程序验证对AD的凭据。在这点上,我们知道,如果所述用户通过验证。
- 该应用程序会检查用户的SID,以查看是否在本地数据库中存在与该SID一个存根用户帐户。如果不是这样,该应用显示一个未授权的错误信息给使用者。
- 该应用程序将查找的角色,为用户在本地数据库用户的分配 - 这 - 角色表。
用户身份信息,包括角色将被存储为索赔和应用程序将使用典型的基于声明的授权(即ClaimsAuthorizationManager)。
User identity info including roles will be stored as claims and the app will use typical claims based authorization (i.e. ClaimsAuthorizationManager).
我的问题是什么是打造存根用户帐户到我的本地数据库的最佳方式?我的猜的是,我们应该使用某种AD出口脚本来导出AD帐户对那些应该被授予ASP.NET应用程序访问权限的用户,然后导入这些用户到本地数据库(注意:我期望存根帐户将包含极少的信息 - 也许只是用户的SID从公元的也许的用户名)。
My question is what is the best way to create "stub" user accounts into my local database? My guess is that we should use some sort of AD export script to export AD accounts for those users that should be granted access to the ASP.NET app and then import those users into the local database (NOTE: I expect that the stub account will contain minimal info - perhaps just the user's SID from AD and maybe the username).
一个批量出口/进口可能是作为初始部署过程确定。应用程序是向上和运行,新用户加入该组织后,我期待一个更人性化的机制将被期望比导出/从AD导入新用户的帐户授予我们的应用程序(另一种新的用户访问我们的本地数据库)。我的猜的是,我们需要某种用户浏览器屏幕,所以在我们的应用程序管理员可以浏览AD目录,选择一个用户,点击一个按钮,然后让该用户的存根账户在我们的应用程序中自动创建。
A batch export/import is probably OK as an initial deployment process. After the app is up-and-running and new users join the organization, I expect a more user-friendly mechanism will be desired for granting a new user access to our app (other than exporting/importing the new user's account from AD to our local database). My guess is that we'll need some sort of user browser screen so that an admin in our app can browse the AD directory, select a user, click a button and then have that user's "stub" account created automatically in our app.
有没有人实施类似要求的应用程序?如果是这样,你是怎么引导的本地数据库存根账户创造?有没有更好的方式来满足这些要求?
Has anyone implemented an application with similar requirements? If so, how did you bootstrap the creation of "stub" accounts in your local database? Is there a better way to address these requirements?
推荐答案
请随时免费的,如果这能帮助你Custom注释授权
Please feel free if this can Help You Custom Annotation Authorization
这只是一种解决方法,或者只是一个想法,而不是一个解决方案......
It's only a workaround, or just an idea, not a solution...
要使用它,你只需要在控制器中使用注释
例如。
To use it you only need to use Annotation in the controller e.g.
[ARQAuthorize]
public class BlaBlaController : Controller .....
这篇关于使用基于局域角色授权Active Directory验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
