使用Azure Active Directory的多租户，多平台，多服务单点登录 [英] multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory

问题描述

我有以下服务

• Service1.SomeDomain.com
• Service2.SomeDomain.com
• Service3.SomeDomain.com

我有一个Web应用程序，其中包含一个客户端脚本，该脚本将直接与上述每个服务进行对话以获取信息

I have a Web application that has a client side script that will talk directly to each of the above services to retrieve information

Web.SomeDomain.com

Web.SomeDomain.com

我也有Native Mobile客户端应用程序，它们也将直接与上述每个服务进行对话

I also have Native Mobile client applications which also will talk directly to each of the above services

• Android
• IOS
• Windows/Windows Phone

现在，此应用程序将成为SaaS解决方案，客户可以在线注册创建自己的租户，然后为那里的员工创建用户帐户，并将员工添加到组中并更改这些组的权限.

Now this application will be a SaaS solution where customers can sign-up online create their own tenant and then create user accounts for there employees and add the employees to groups and change permissions of those groups.

现在，我需要一个解决方案，使用户可以登录到移动应用程序或Web，并可以根据那里的组权限允许其访问上述服务，但是我希望每个租户之间有很强的分隔力

Now i need a solution that a user can log on to a mobile application or Web and it be allowed to gain access to the above mentioned services depending on there groups permissions, but i want strong separation of each tenant

推荐答案

看一下您似乎正在考虑使用Azure AD的标记.好的选择. Azure AD允许开发人员保护其SAAS API和Web/移动应用程序的安全. Azure AD满足了您描述的所有要求-它甚至具有适用于流行平台的客户端SDK. 以下内容将指导您完成操作:

Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms. The following should see you through:

1. AAD支持的身份验证方案( http://msdn.microsoft. com/zh-CN/library/azure/dn499820.aspx ):将回答以下问题:-我的移动应用程序如何代表用户访问多租户Web api，或者我的Web应用程序如何签名-并收到委托令牌以访问我的网络api
2. AAD集成多租户SAAS应用程序示例( https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet ):涵盖了多租户应用的特殊技术
3. 使用组成员身份进行授权( https://azure.microsoft.com/zh-cn/documentation/articles/web-sites-authentication-authorization/):介绍了如何根据用户的组成员身份在应用程序中执行授权.

1. Authentication scenarios supported by AAD (http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx): will answer questions like - how can my mobile app access my multi-tenant web api on behalf of the user, or how can my web app sign-in the user as well as receive a delegated token to access my web api
2. AAD integrated multi-tenant SAAS application sample (https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet): covers special techniques for multi-tenant apps
3. Authorization using group membership (https://azure.microsoft.com/en-us/documentation/articles/web-sites-authentication-authorization/): describes how you can perform authorization in your application per the group membership of users.

享受. 希望这会有所帮助.

Enjoy. Hope this helps.

这篇关于使用Azure Active Directory的多租户，多平台，多服务单点登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！