Windows Azure的ACS与Active Directory身份提供商SSO [英] Windows Azure ACS with Active Directory as identity provider for SSO

问题描述

我们有几个基于.NET的Web应用程序。对于应用程序的用户群包括谁注册，以检查他们的账单移动用户。该计划是在我的应用程序提供单点登录。我们正在使用的Windows Azure ACS与Active Directory作为身份提供商为我的应用程序的用户为宗旨探索。我们走在正确的轨道使用的Windows Azure ACS与Active Directory作为身份提供者？

We have a few .NET based web applications. The user base for the applications include mobile subscribers who enroll to check their bills. The plan is to provide Single Sign-On across my applications. We are exploring using Windows Azure ACS with Active Directory as identity provider for my application users for the purpose. Are we going in the right track with using Windows Azure ACS with Active Directory as identity provider?

推荐答案

的Windows Azure Active Directory是用于单点登录一个很好的选择，但它不会的有无以的与ACS使用，因为可以看到这里

Windows Azure Active Directory is a good option for single sign-on, but it does not have to be used with ACS, as can be seen here

的http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx#BKMK_Connecting

ACS的优点是

1. 它可以被用来执行声明转换，而无需编写任何code（例如在定制ClaimsAuthenticationManager）。您将不能够处理复杂的转换，但简单的是罚款。


2. 它可以提供与多个身份提供者联盟，所以如果你的用户宁愿使用Facebook，而不是您WAAD，它更为灵活。

然而，在一面

1. 这是更复杂的配置，是解决方案中的另一个运动部件会出问题


2. ACS命名空间被束缚在单一Azure的区域，以便在数据中心发生故障将很难从
恢复

我在previous应用我的工作，因为（由于某种原因）使用ACS与WAAD的的 ASP.Net MVC防伪保护依赖型的索赔

I had to use ACS with WAAD in a previous application I worked on because (for some reason) the ASP.Net MVC anti-forgery protection relies on a claim of type

http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider

这是的不WAAD发出的。我以前在ACS一个简单的声明变换规则变换型WAAD发出索赔

which is not issued by WAAD. I used a simple claim transformation rule in ACS to transform the WAAD issued claim of type

http://schemas.microsoft.com/identity/claims/identityprovider

入式的等效索赔

http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider

这是我能想到的在时间来解决我的问题，所以它使人们的价值在我的情况下使用ACS的唯一途径。我从来没有发现自己是否能做到这一点纯粹与WAAD（也许使用图形API），因为在当时的项目时间pressures的。

This was the only way I could think of to fix my issue at the time so it made it worth using ACS in my case. I never found out whether you could do this purely with WAAD (maybe using the graph API) because of time pressures on the project at the time.

在回答您的评论多余的问题，有没有办法来取代页面上登录的，如果你使用的是WS-联合会或2的OAuth这些方法的一个关键的一点是，用户只需输入其凭据到由身份提供商提供的（信任）的用户界面。我认为你可以，虽然你自己的替换图像。也许你可以收集用户凭据与自己的用户界面和使用WS-信任的端点得到一个道理，但是这不会给你在这个意义上的登录会话不会是真正的Web SSO您不同的Web应用程序之间自动流入

In answer to the extra question in your comment, there is no way to replace the sign-on page if you are using WS-Federation or OAuth 2. A crucial point of those approaches is that the user only enters their credentials into the (trusted) UI provided by the identity provider. I think you can replace the image with one of your own though. Maybe you could gather the users credentials with your own UI and get a token using the WS-Trust endpoint, but this would not give you genuine web SSO in the sense that the sign-in session would not be automatically flowed between your different web applications.

这篇关于Windows Azure的ACS与Active Directory身份提供商SSO的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！