Custom Claims with Geneva framework and how to "synch" users within your app


Question

Maybe this question highlights how little I know about claims identity management, but here it goes.

If using WIF within an application that uses a third party STS for Identity and that uses custom claims for authorization (something pertinent and specific to the application like CanCreateFooBar):

1) How do I manage the users? Ie, the users from say AD or other membership provider can be identified, but internally in my system I need to know about them and have more user information that has nothing to do with Identity (so it wouldn't really make sense to have this info available outside the system), and that information about the user should be persisted.

The question is: how can I manage and create my system data (starting by the Ids) in a smart way?

The exact scenario I have in my mind is: a new employee is added to the company, the sys admin creates the user for the Domain with a particular role; how can my system become aware of this fact? (I would probably like the system to prompt an administrator of the system for an action.)

2) Where are the claim values for those users and roles stored and how can I modify them? Ideally I want to be able to change the permissions for a particular user and action. Are there any guidelines on this?

I can see that these are probably very lame questions, but when I think about how to solve the problem I come up with over-complicated solutions or with solutions that require a lot of duplication (ie create the user in two places), so I'm sure I'm just not thinking about this problem in the right way.

Thanks

Answer

1) You don't manage the users, not really. You simply take the IClaimsIdentity and use that as the source for your authorization. In my opinion you shouldn't be persisting the claims if you can get away without doing it - the claims should be the source of your user information.

If you want to build upon the claims then take a unique reference from the claims identity, say email address or ppid/signing key OU hash, and use that to build your own database, and add your own information.

However your system will never become aware of changes in a 3rd party identity metabase - not until a new SAML token is issued and parsed in your application.

2) The claims values are stored nowhere, unless you store them. How you translate that into permissions is up to you - but generally you perform claims transformation to take the external claims and map them to claims internal to your application that you use for permissions. Because claims are coming from external providers you can't change them - you have no connection to those providers.
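Both points of the answer in code, as an added example that is not part of the original answer or of WIF itself: a ClaimsAuthenticationManager written against the Geneva-era Microsoft.IdentityModel namespaces that (1) keys the application's own user record on a stable identifier taken from the token (the PPID, scoped by its issuer, since a PPID is only unique per issuer and relying party) and creates that record the first time a token for the user is parsed, and (2) performs claims transformation, mapping the STS's role claims plus locally stored per-user overrides to an application-internal permission claim. The AppUser class, the in-memory Users store, the RoleToPermissions table, the urn:myapp:permission claim type, the "MyApp" issuer name and the role names are all hypothetical.

```csharp
// Added example, not from the original answer. Assumes WIF 3.5 ("Geneva") namespaces.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace MyApp.Security
{
    // Hypothetical local record: the data the app needs that identity does not supply.
    public class AppUser
    {
        public string ExternalKey;                  // issuer + PPID; an opaque key, not a display name
        public string DisplayName;
        public bool PendingAdminApproval;           // set on first sight so an admin can be prompted
        public HashSet<string> Permissions = new HashSet<string>(); // per-user overrides kept locally
    }

    public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Internal claim type; each value is a permission name such as "CanCreateFooBar".
        public const string PermissionClaimType = "urn:myapp:permission";
        const string AppIssuer = "MyApp";           // marks claims the app minted itself

        // Hypothetical store; a real application would back this with its own database.
        static readonly Dictionary<string, AppUser> Users = new Dictionary<string, AppUser>();

        // Hypothetical mapping from the STS's role claim values to application permissions.
        static readonly Dictionary<string, string[]> RoleToPermissions = new Dictionary<string, string[]>
        {
            { "FooBarEditors", new[] { "CanCreateFooBar", "CanEditFooBar" } },
            { "Readers",       new[] { "CanReadFooBar" } },
        };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            var identity = incomingPrincipal.Identity as IClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
                return incomingPrincipal;           // nothing to transform for anonymous requests

            // 1) Stable reference: prefer the PPID, fall back to the name identifier.
            //    The key includes the issuer because a PPID is only unique per issuer/RP pair.
            Claim idClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.PPID)
                         ?? identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier);
            if (idClaim == null)
                throw new InvalidOperationException("Token carries neither a PPID nor a name identifier claim.");
            string key = idClaim.Issuer + "|" + idClaim.Value;

            // The app only learns about a new user when a token arrives; create the local record then.
            AppUser user;
            if (!Users.TryGetValue(key, out user))
            {
                user = new AppUser { ExternalKey = key, DisplayName = identity.Name, PendingAdminApproval = true };
                Users[key] = user;
                // Hook for the "prompt an administrator" step, e.g. queue a notification here.
            }

            // 2) Claims transformation: external roles -> internal permissions, plus local overrides.
            var permissions = new HashSet<string>(user.Permissions);
            foreach (Claim role in identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role))
            {
                string[] mapped;
                if (RoleToPermissions.TryGetValue(role.Value, out mapped))
                    permissions.UnionWith(mapped);
            }
            if (user.PendingAdminApproval)
                permissions.Clear();                // no permissions until the local record is approved

            // Internal claims are added to the identity, not persisted; external claims stay untouched.
            foreach (string p in permissions)
                identity.Claims.Add(new Claim(PermissionClaimType, p, ClaimValueTypes.String, AppIssuer));

            return incomingPrincipal;
        }
    }
}
```

The manager is wired in through the WIF configuration section, i.e. a claimsAuthenticationManager element under microsoft.identityModel/service whose type attribute names this class, so it runs once per incoming token before the principal reaches the application. Authorization code then checks only the urn:myapp:permission claims, which is why changing a user's permissions means editing the local AppUser record rather than asking the third-party STS for anything; the external claims are read, never modified, and they are not stored beyond the identifier used as the key.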
