在ASP.NET中使用SAML2.0的SSO [英] SSO using SAML2.0 in asp.net
问题描述
我的要求是在asp.net中使用SAML2.0实现SSO.我的末尾确实有2个供应商.希望将用户从一个站点传递到另一个站点,而无需登录第二个站点.我以前从未使用过SAML2.0.谁能帮我完成任务.
My requirement is to implement SSO using SAML2.0 in asp.net. I do have 2 vendors at my end. Wanna pass the user from one site to other site without logging into the second. I have never used SAML2.0 before. Can anyone help me out how can I get it done.
推荐答案
首先让我们用令牌格式区分协议.我假设您是在谈论协议,而不是令牌格式.但是以防万一,这里是不同之处:
First let's differentiate protocol with token format. I assume you are talking about the protocol and not the token format. But just in case here are the differences:
- SAML 2令牌格式.这只是您的应用程序会忽略的令牌的格式.WIF提供了开箱即用的支持.
- SAML 2协议.这是您的应用程序必须了解的HTTP交互才能在应用程序中获取令牌.WIF不支持此功能,但是您可以下载扩展名( http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088 )
另一方面,您有一个场景,其中有多个身份提供者.Wiktor建议的书(我与人合着)在联合与多个合作伙伴的身份一章.我建议您阅读以了解身份联合背后的概念.让我给您这篇文章的简短版本和一些实现细节.有两种解决方法:
On the other hand you have a scenario in which there are multiple identity providers. The book that Wiktor suggested (which I co-authored) explains this scenario in more detail on the Federated Identity with Multiple Partners chapter. I recommend you to read it to get the concepts behind identity federation. Let me give you the short version of the article and some implementation details. There are two ways of solving this:
-
在应用程序级别实现它.WIF将允许您信任多个身份提供者令牌(这是使用X509证书完成的).然后,您将必须根据URL(例如 https://idp1.yourapp.com 或 https://yourapp.com/idp1 )或用户选择(通过使用两个链接,每个身份提供者一个.您还必须规范来自那些身份提供者的声明(也许其中一个将向您发送名称"声明,而另一个向您发送"upn"声明).
Implementing it at the application level. WIF will allow you to trust on more than one identity provider token (this is done with X509 certificates). Then you will have to generate sign in requests for each identity provider depending on a url (like https://idp1.yourapp.com or https://yourapp.com/idp1) or the user choosing (by having a home page with two links, one for each identity provdier). You will also have to normalize the claims coming from those identity provider (maybe one of them will send you a "name" claim and the other a "upn" claim).
YourApp --> Identity Provider 1
\-> Identity Provider 2
使用所谓的联邦提供程序".这是另一台将向您的应用程序发行令牌的服务器,并且它将具有对您的身份提供者的信任关系.您不必让应用程序信任这两个身份提供者,而是仅信任您的联合身份提供者,并且联邦提供者将信任身份提供者.这是一个信任链.
Using what is called a "federation provider". This is another server that will issue tokens to your application and it will have the trust relationships against your identity provider. Instead of having your application trust the two identity providers, you trust only on your federation provider and the fed provider will trust the identity providers. It's a trust chain.
YourApp --> Federation Provider --> Identity Provider 1
\-> Identity Provider 2
该体系结构使您可以:
- 在不接触您的应用程序的情况下增加您的身份提供者
- 如果以后有第二个应用程序,则只需复制第一个应用程序的实现
- 您免费获得单点登录
- 您将获得一个声明转换引擎(如果使用的是ADFS之类的话)
- 如果使用类似ADFS的东西,则会获得内置的SAML 2协议(而不是必须手动使用下面提到的扩展来实现它)
当然,缺点是您现在还有其他需要维护的东西(ADFS服务器).
Of course the downside is that you now have something else to mantain (the ADFS server).
这篇关于在ASP.NET中使用SAML2.0的SSO的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
