Exchange SAML for JWT with AAD


Question

I have an internal app that allows users to sign in using Azure AD. On authentication, a SAML assertion is returned. However, some of the calls that the application makes require a JWT. What is the best way for me to get a JWT when a user signs in? Or is there a way for me to exchange the SAML for a JWT?

Recommended answer

Disclaimer: I'm not an expert in any of this stuff; I'm still learning it too and struggling with a similar problem. That said, here is my understanding.

I'm pretty sure there is no connection between SAML and JWT. Not a surprise, given that SAML 2.0 dates back to 2005 and JWT got started around 2012. So it's logically impossible for the SAML spec to say anything about JWTs.

If my understanding is correct, you have two options:

  • Do not use SAML directly. Instead of interacting with a SAML IdP (identity provider), use OpenID Connect and OAuth 2.0 with a provider that acts as an authentication broker. Configure the broker to act as service provider to your chosen SAML IdP. Configure your application to act as relying party (OAuth terminology, I think?) on the authentication broker. Then your app is OAuth 2.0/OpenID Connect/JWT all the way down. Your only interaction with SAML is configuring an authentication broker. Main downside is now you have to select and pay for an authentication broker as well as a SAML IdP.

  • Write your own authentication/authorization service to consume SAML assertions and issue JWTs. This might be necessary anyway, depending on how you need to represent authorization info in your JWTs.
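The second option in the answer above (a service of your own that consumes SAML assertions and issues JWTs), shown as an added example that is not part of the original answer and not code from Azure AD or any of its SDKs. It validates a constructed, unsigned SAML 2.0 assertion (issuer, NotBefore/NotOnOrAfter window, audience, subject, group attribute) and mints a short-lived HS256 JWT from the result, with a matching verifier so the full round trip can be checked. All names and values (issuer and audience URLs, the tenant ID, the groups claim name, the secret key, the helper functions) are hypothetical. It deliberately omits XML-DSig verification of the assertion's signature, which a real service must perform against the IdP's certificate before any of these checks, because that cannot be done with the standard library alone (libraries such as signxml or python3-saml do it).

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET  # untrusted XML: use defusedxml in production
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical deployment values, not taken from the original page.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://internal-app.example.com"
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
JWT_ISSUER = "https://auth.internal-app.example.com"
JWT_AUDIENCE = "internal-api"
JWT_SECRET = b"demo-only-replace-with-a-random-256-bit-key"
JWT_TTL = 900      # seconds; keep minted tokens short-lived
CLOCK_SKEW = 120   # tolerance on NotBefore / NotOnOrAfter, in seconds

# Constructed sample assertion; a real one carries a <ds:Signature> that MUST be verified (XML-DSig) first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://internal-app.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>app-admins</saml:AttributeValue>
      <saml:AttributeValue>app-readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

class SamlValidationError(Exception): pass
class JwtError(Exception): pass

def _saml_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def validate_assertion(xml_text, now=None):
    """Check issuer, validity window, audience and subject; return the claims worth carrying over."""
    now = time.time() if now is None else now
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise SamlValidationError("not an assertion from the expected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise SamlValidationError("missing Conditions or validity window")
    if now < _saml_time(cond.get("NotBefore")) - CLOCK_SKEW:
        raise SamlValidationError("assertion not yet valid")
    if now >= _saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:  # an assertion issued for another SP must be rejected
        raise SamlValidationError("audience mismatch")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise SamlValidationError("missing NameID")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_ATTR:
            groups = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"sub": subject, "groups": groups}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims, now=None):
    """Mint an HS256 JWT carrying the validated SAML claims."""
    now = int(time.time()) if now is None else int(now)
    payload = {"iss": JWT_ISSUER, "aud": JWT_AUDIENCE, "iat": now, "exp": now + JWT_TTL, **claims}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in ({"alg": "HS256", "typ": "JWT"}, payload))
    return signing_input + "." + _b64url(hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest())

def verify_jwt(token, now=None):
    """Verify algorithm, signature, issuer, audience and expiry; return the payload."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm; never honour alg=none
        raise JwtError("unexpected alg")
    expected = hmac.new(JWT_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise JwtError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != JWT_ISSUER or payload.get("aud") != JWT_AUDIENCE:
        raise JwtError("wrong issuer or audience")
    if now >= payload.get("exp", 0):
        raise JwtError("token expired")
    return payload

def exchange(saml_xml, now=None):
    # The exchange endpoint's core: validated SAML assertion in, JWT out.
    return issue_jwt(validate_assertion(saml_xml, now), now)
```

The design point is that the JWT's trust comes entirely from the checks done on the assertion before minting: issuer, time window, and above all audience, since an assertion an IdP issued for a different service provider must not be turned into a token for yours. On the JWT side the verifier pins the algorithm and checks issuer and audience so the minted token cannot be replayed against another API that shares the key. With `exchange(SAMPLE_ASSERTION)` the returned token decodes to a payload carrying `sub`, `groups`, `iat` and `exp`.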
