ADFS 2.0 and jsonp


Problem description

I have a main website that uses passive federation (ADFS 2.0). This website has JavaScript that calls out to an MVC Web API site using JSONP.

I am trying to get this Web API to participate in Single Sign-On (same machine, different port). However, the passive redirects break the JSONP. (The STS returns its own script, which the browser renders, and I never get redirected to the real URL for my response script.)

Is passive federation compatible with a JSONP Web API? If not, how do I use active federation without username/password credentials? I.e. the user will be authenticated via the main website before calling the Web API, so how do I leverage the fact that they are already logged in, in the Web API?

Recommended answer

The passive federation protocol won't work in this scenario, as you are experiencing.

You have two options:

  • If your Web API is being used exclusively by your website, you can share the cookie that is generated by WIF when the user authenticates. To do that, if you are using different websites, you should configure the <cookieHandler> section in the WIF configuration to use the same domain and path, and use an FQDN (instead of machine names), so that the browser identifies both the website and the API as the same domain.

The second option is to configure the Web API to extract and validate the SAML token (generated during authentication). What you would have to do here is save the token that was used for authentication (turn on saveBootstrapToken on the <service> element of the WIF configuration), get it by using the claimsIdentity.GetBootstrapToken() extension method, and attach the token to the JavaScript call as an HTTP header like "Authorization: bearer ...the-token....". On the server side you have to get that and validate the token (programmatically). Note that you might hit a quota in IIS because of the header length if the token is too big.
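Both options from the answer above, worked through as an added example that is not part of the original answer or of WIF itself. It is written against the WIF 3.5 API (Microsoft.IdentityModel.dll, matching the `<service>` element the answer refers to) and ASP.NET Web API; WIF 4.5 renamed these (`<system.identityModel>`, `saveBootstrapContext`, `ClaimsIdentity.BootstrapContext`). The host names, realm, issuer URL, the `SamlBearerHandler` class and the 32 KB size cap are assumptions made for the example.

```csharp
// Added example (not from the original Q&A or from WIF). Assumed hosts: https://www.example.com/
// is the website (relying party), https://www.example.com:8443/ is the Web API.
//
// web.config for both sites (WIF 3.5 names). passiveRedirectEnabled must be "true" on the
// website and "false" on the API, otherwise the WS-Fed module answers API 401s with the
// redirect-to-ADFS script that breaks the JSONP call:
//   <microsoft.identityModel>
//     <service saveBootstrapTokens="true">                 <!-- option 2: keep the SAML token -->
//       <audienceUris><add value="https://www.example.com/" /></audienceUris>
//       <federatedAuthentication>
//         <wsFederation passiveRedirectEnabled="false" issuer="https://adfs.example.com/adfs/ls/"
//                       realm="https://www.example.com/" requireHttps="true" />
//         <!-- option 1: one FQDN, same domain and path, so one session cookie reaches both sites -->
//         <cookieHandler requireSsl="true" hideFromScript="true" domain="www.example.com" path="/" />
//       </federatedAuthentication>
//     </service>
//   </microsoft.identityModel>
using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

// Website side (option 2): hand the bootstrap token to the page's script.
public static class BootstrapTokenExport
{
    // Serialises the SAML token ADFS issued at sign-in and base64-encodes it for a header.
    // Returns null when saveBootstrapTokens is off or the user is not federated.
    public static string ForCurrentUser()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || identity.BootstrapToken == null) return null;

        var xml = new StringBuilder();
        using (var writer = XmlWriter.Create(xml, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers
                .WriteToken(writer, identity.BootstrapToken);
        }
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(xml.ToString()));
    }
}

// Web API side (option 2): validate "Authorization: Bearer <base64 SAML>" on every request.
// Register with: GlobalConfiguration.Configuration.MessageHandlers.Add(new SamlBearerHandler());
public class SamlBearerHandler : DelegatingHandler
{
    private const int MaxTokenBytes = 32 * 1024;   // assumption: ADFS tokens are a few KB

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter))
            return Reject(request);

        byte[] raw;
        try { raw = Convert.FromBase64String(auth.Parameter); }
        catch (FormatException) { return Reject(request); }
        if (raw.Length > MaxTokenBytes) return Reject(request);

        try
        {
            var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
            // The token is attacker-controlled XML: no DTDs, no external resolution.
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
            using (var reader = XmlReader.Create(new StringReader(Encoding.UTF8.GetString(raw)), settings))
            {
                SecurityToken token = handlers.ReadToken(reader);
                // ValidateToken checks the signature against the configured issuer certificate,
                // the audienceUris list and the token lifetime; it throws on any failure.
                ClaimsIdentityCollection identities = handlers.ValidateToken(token);
                var principal = new ClaimsPrincipal(identities);
                Thread.CurrentPrincipal = principal;
                if (HttpContext.Current != null) HttpContext.Current.User = principal;
            }
        }
        catch (SecurityTokenException) { return Reject(request); }
        catch (XmlException) { return Reject(request); }

        return base.SendAsync(request, cancellationToken);
    }

    private static Task<HttpResponseMessage> Reject(HttpRequestMessage request)
    {
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        return Task.FromResult(response);
    }
}
```

Two caveats a practitioner should weigh before picking either option. A JSONP call is a `<script>` tag, and a script tag cannot set an `Authorization` header, so option 2 in practice means replacing JSONP with `XMLHttpRequest` plus CORS on the Web API (or carrying the token some other way, with the same header-size concern the answer mentions: HTTP.sys rejects individual request headers above 16 KB by default). Option 1 keeps JSONP working because the browser attaches the session cookie to script requests, but that is exactly what makes cookie-authenticated JSONP dangerous: any third-party page can include the same script tag and read the JSON the API returns for the logged-in user, so such an endpoint must never return per-user data. Cookies are also not port-scoped, so two sites on one FQDN already share the cookie; the remaining requirement is that both sites can decrypt it, which the default DPAPI cookie transform only guarantees on the machine that wrote it.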
