How can I get roles from AD with MVC Azure AD Authentication?


Question


I set up an MVC 4 application and added authentication against our Azure AD server as outlined here: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx


Authentication works as expected. However, I'm not getting any roles back by default. There should be several AD groups created and I would like to use them to role restrict the application via the [Authorize] attribute in MVC.


I can't really find a good place to even start figuring this out. Can anyone give me an outline or point me to a good tutorial?


I should mention that I'm not the administrator for our Azure account, so I need to be able to tell our admin what to do if any setup is required on that side.

Recommended answer


First, tokens returned by Azure AD do not currently contain claims for roles or groups, so you need to get them from the Graph API. Second, roles in Azure AD that are returned by the Graph API are not necessarily intended for use in an ISV/LoB app, and in general you should use security groups for authorization instead. To perform authorization, you should use the checkMemberGroups or getMemberGroups operations in the Graph API, which are transitive and valid for this purpose.


If you check out the following resources in order, I think your questions will be answered. You'll learn how to authenticate to the Graph, call it, and configure your application to use the result of the group operations to perform authorization:

  • Using the Graph API to Query Windows Azure AD -- This is the second walkthrough to complete now that you've done the web SSO one.
  • Authorization with Windows Azure Active Directory
  • MVC Sample App for Azure AD Graph
  • Blog post describing checkMemberGroups and getMemberGroups: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/15/announcing-some-new-capabilities-in-azure-active-directory-graph-service.aspx
  • How do I get role and group membership claims for users signing in via Windows Azure AD? (http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/) -- This one is out of date in regards to the methodology for authentication and the UI for managing users/groups, but it's still useful. Pay special attention to the section on the custom ClaimsAuthenticationManager, which gives you an idea of how to inject role/group data into the ClaimsPrincipal object early so that it can be used in the [Authorize] attribute or other authorization logic.
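The pattern the answer's last bullet describes, as an added example that is not code from the question, the answer, or the linked samples: a custom ClaimsAuthenticationManager that runs at sign-in, calls the Azure AD Graph API checkMemberGroups operation (the transitive check the answer recommends) for the signed-in user against a fixed allow-list of security-group object IDs, and injects matching role claims so the stock [Authorize(Roles = "...")] attribute works. The Graph API version, the token provider hook (GraphAccessTokenProvider), the group IDs and the role names are placeholders and assumptions made for this example.

```csharp
// Added example (not from the original Q&A). Requires .NET 4.5: ClaimsAuthenticationManager
// lives in System.IdentityModel.dll, HttpClient in System.Net.Http.dll,
// JavaScriptSerializer in System.Web.Extensions.dll, Controller in System.Web.Mvc.dll.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Web.Mvc;
using System.Web.Script.Serialization;

public class GraphGroupRoleClaimsManager : ClaimsAuthenticationManager
{
    // Claim types Azure AD puts in the sign-in token for the user's object id and tenant id.
    const string ObjectIdClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string TenantIdClaimType = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string GraphBaseUrl = "https://graph.windows.net/";
    const string GraphApiVersion = "1.6";   // assumption: Azure AD Graph (graph.windows.net) API version

    // Assumed allow-list: object IDs of the security groups the admin created, mapped to
    // the role names used in [Authorize]. A group not listed here can never grant a role.
    static readonly Dictionary<string, string> GroupIdToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "11111111-1111-1111-1111-111111111111", "Admins" },   // placeholder IDs
            { "22222222-2222-2222-2222-222222222222", "Readers" },
        };

    // Assumption: the app obtains a Graph bearer token elsewhere (e.g. ADAL client
    // credentials for resource https://graph.windows.net) and wires it in at startup.
    public static Func<string> GraphAccessTokenProvider = () =>
    {
        throw new InvalidOperationException("Configure a Graph API token provider at startup.");
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null)
            return incomingPrincipal;

        Claim objectId = identity.FindFirst(ObjectIdClaimType);
        Claim tenantId = identity.FindFirst(TenantIdClaimType);
        if (objectId == null || tenantId == null)
            return incomingPrincipal;   // fail closed: no role claims are added

        foreach (string groupId in CheckMemberGroups(tenantId.Value, objectId.Value, GroupIdToRole.Keys))
        {
            string role;
            if (GroupIdToRole.TryGetValue(groupId, out role))
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "AzureADGraph"));
        }
        return incomingPrincipal;
    }

    // POST /{tenant}/users/{id}/checkMemberGroups with candidate group IDs; the response
    // lists the subset the user belongs to, directly or through nested groups.
    // Graph documents a limit of 20 IDs per call, so the allow-list is sent in batches.
    static IEnumerable<string> CheckMemberGroups(string tenantId, string userObjectId, IEnumerable<string> groupIds)
    {
        var result = new List<string>();
        var serializer = new JavaScriptSerializer();
        string url = string.Format("{0}{1}/users/{2}/checkMemberGroups?api-version={3}",
                                   GraphBaseUrl, tenantId, userObjectId, GraphApiVersion);
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", GraphAccessTokenProvider());
            foreach (List<string> batch in Batch(groupIds.ToList(), 20))
            {
                string body = serializer.Serialize(new { groupIds = batch });
                HttpResponseMessage response =
                    client.PostAsync(url, new StringContent(body, Encoding.UTF8, "application/json")).Result;
                if (!response.IsSuccessStatusCode)
                    return Enumerable.Empty<string>();   // fail closed on any Graph error
                var parsed = serializer.Deserialize<CheckMemberGroupsResponse>(
                    response.Content.ReadAsStringAsync().Result);
                if (parsed != null && parsed.value != null)
                    result.AddRange(parsed.value);
            }
        }
        return result;
    }

    static IEnumerable<List<string>> Batch(List<string> items, int size)
    {
        for (int i = 0; i < items.Count; i += size)
            yield return items.GetRange(i, Math.Min(size, items.Count - i));
    }

    class CheckMemberGroupsResponse { public List<string> value { get; set; } }
}

// Once the manager is registered in web.config under
// <system.identityModel><identityConfiguration><claimsAuthenticationManager type="..."/>,
// the stock attribute enforces group membership with no controller changes.
[Authorize(Roles = "Admins")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Two practical points for this design: the Graph round-trip happens in Authenticate, which WIF invokes when the session is established rather than on every request, so the cost is one call per sign-in; and the only thing the Azure AD admin has to supply is the object IDs of the security groups plus read access to the directory for the application's Graph token, which is why the allow-list is keyed by group ID rather than display name (names can be changed, IDs cannot).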

