Authentication Process: Get the Azure AD group the user is a member of and do logic

Question
Is there a way to get the group the user is a member of so we can process the authentication, or even throw an exception so the token will not be created?
The reason we need groups is that we cannot create OUs in Azure AD, whereas we could before in LDAP. We retrieved the distinguished name and therefore had very rich information about said user.
Lastly, we do see that you could create an OU on-premises, but we read that the Graph API would not recognize it or could not retrieve it.
We are attempting to do logic within the SecurityTokenValidated stage of the authentication process, and we break the process whenever we try to use:

string UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value
Is this because we are using MSAL?

Answer
The best approach for you to take here is to make use of the group claims capability of Azure AD. (And forget OUs; OUs are not represented in Azure AD at all.)
Dushyant Gill's blog post on this is relatively old, but still very much relevant: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/. In short, the process is:
- Enable group claims for your application by setting the groupMembershipClaims property in your application. After setting this, when a user signs in to your application, the list of groups they are a member of will be included in the token (if the number of groups is smaller than the limit).
- Update your application's authorization code to make use of the group membership claims (if present).
- Update your application to query the Azure AD Graph API if the group membership claim is not present (i.e. if the "overage" claim is present). This happens only when the user is a member of more than 150-250 groups. (Use the _claim_names and _claim_sources claims as indications that the Graph API needs to be called directly.)
As described in the documentation for Azure AD Graph API permissions, in order for your application to call the getMemberGroups method, the app must have the "Read all groups" permission (Groups.Read.All). This permission requires admin consent, but once consent has been granted, the request can be made using the signed-in user's access token.
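Putting the three steps above into an OWIN SecurityTokenValidated handler, as an added example (not code from the answer, the blog post or Microsoft's samples); it assumes Microsoft.Owin.Security.OpenIdConnect 4.x with the Microsoft.IdentityModel 5.x types, and RequiredGroupId is a placeholder group object ID:

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect; // OpenIdConnectMessage
using Microsoft.IdentityModel.Tokens;                  // SecurityTokenValidationException
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

public static class GroupClaimsHandler
{
    // Placeholder: object ID of the Azure AD group that is allowed to sign in.
    private const string RequiredGroupId = "00000000-0000-0000-0000-000000000000";

    // Wire up with:
    // Notifications = new OpenIdConnectAuthenticationNotifications
    // { SecurityTokenValidated = GroupClaimsHandler.OnSecurityTokenValidated };
    public static Task OnSecurityTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        ClaimsIdentity identity = context.AuthenticationTicket.Identity;

        // Step 3 first: with too many groups, Azure AD omits "groups" and emits
        // _claim_names/_claim_sources instead. The token then proves nothing about
        // membership, so do not authorize on it; getMemberGroups must be called.
        bool overage = identity.HasClaim(c => c.Type == "_claim_names")
                    || identity.HasClaim(c => c.Type == "_claim_sources");
        if (overage)
        {
            throw new SecurityTokenValidationException(
                "Group overage: membership must be resolved via the Graph API.");
        }

        // Step 2: with groupMembershipClaims enabled, each group object ID
        // arrives as its own "groups" claim. Compare IDs, never display names.
        var groupIds = identity.FindAll("groups").Select(c => c.Value).ToList();
        if (!groupIds.Contains(RequiredGroupId, StringComparer.OrdinalIgnoreCase))
        {
            // Throwing here aborts the pipeline, so no authentication ticket is issued.
            throw new SecurityTokenValidationException(
                "User is not a member of the required group.");
        }

        return Task.FromResult(0);
    }
}
```

Because the handler fails closed on the overage claims, a user in more than the group limit is rejected until the app adds the Graph API lookup from step 3.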