ASP.NET MVC中WIF(Windows Identity Foundation)的用户名和密码身份验证 [英] Username and password authentication for WIF (Windows Identity Foundation) in ASP.NET MVC
问题描述
我们有两个现有的旧版Web应用程序,一个用于在域内使用Windows身份验证的Intranet,一个Internet应用程序执行自定义Web表单基于用户名+密码的身份验证.现在,开发了一个新的Web应用程序,它将在Internet上为处理这两种身份验证模型的Internet和Intranet用户提供.因此,我们决定使用 WIF .我们将在Windows Server 2012上使用ASP.NET 4.5 MVC 4.
We have two existing legacy web applications, one for the intranet using windows authentication within the domain, and one internet application, performing a custom web forms username + password based authentication. Now a new web applications is developed and will be available in the internet to both internet and intranet users, handling both authentication models. Therefore we decided to use WIF. We're going for ASP.NET 4.5 MVC 4 on Windows Server 2012.
Intranet身份验证应该不是问题,因为我们可以在此处使用ADFS 2.0.
The intranet authentication shouldn't be a problem as we can use ADFS 2.0 here.
但是我们目前不知道如何解决用户名和密码验证.看来我们需要开发一个自定义 UserNameSecurityTokenHandler 来对提供以下内容的用户进行身份验证用户名+密码信息已根据我们的自定义会员资格提供商进行了验证.但是我需要整个工作流程的帮助...
But we currently have no clue how to solve the username + password authentication. It looks like we need to develop a custom UserNameSecurityTokenHandler to authenticate users which provide username + password information which is verified against our custom membership provider. But I need some assistance with the whole workflow...
假设我们有一个针对互联网用户的自定义登录页面;并假设我们设法将Internet用户路由到该登录页面(在ASP.NET MVC中),那么从这里到有效令牌的缺失部分是什么?收到提供的用户名和密码的表单或MVC控制器动作将如何继续触发已配置的WIF身份提供者?
Assume that we have a custom login page for internet users; and assume that we managed to route internet users to this login page (in ASP.NET MVC), what's the missing part from here to a valid token? How would the form or the MVC controller action which received the provided username + password proceed to trigger the configured WIF identity provider?
推荐答案
最优雅的解决方案是为外部用户创建另一个STS,并让ADFS将此作为身份提供者信任它:
The most elegant solution would be to create another STS for the external users and have ADFS trust this as an identity provider:
外部用户将被重定向到使用usr/pwd数据库的IdP STS.内部用户将直接通过ADFS(相对于AD)进行身份验证.
External users will be redirected to the IdP STS that would use the usr/pwd database. Internal users will authenticate through ADFS directly (against AD).
在这种情况下,ADFS既充当IdP角色又充当联邦提供者.
In this scenario, ADFS is acting both as an IdP and a Federation Provider.
要使其正常工作,您需要同时将ADFS和IdP(以及应用程序)公开到互联网.您可以使用的利用会员资格的STS是 IdentityServer ,它是开源的,您当然可以为自己定制需求.
For this to work you need both ADFS and the IdP (and the app) exposed to the internet. An STS you can use that leverages membership is IdentityServer, which is open source and you can of course customize for your needs.
有了这种架构,您无需在应用程序中进行任何特殊的自定义/扩展.但是,您将需要处理家庭领域发现".知道在哪里对用户进行身份验证的过程(例如Intranet与Extranet).据推测,您可能具有不同的URL等.
With this architecture you don't need any special customizations/extensions in the app. You will need to handle "home realm discovery" though. Which is the process of knowing where to authenticate users on (e.g. intranet vs. extranet). Presumably, you might have different URLs, etc.
这篇关于ASP.NET MVC中WIF(Windows Identity Foundation)的用户名和密码身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
