Azure Active Directory Reply URL not working as expected


Question

I have specified two URLs in my Azure Active Directory website configuration Reply URL. One to redirect to my localhost environment when I am running local code and one to redirect to my Azure hosted website when I am running the prod website. But Azure Active Directory seems to be ignoring the setting. It only uses one or the other URL but not both. I saw a link describing the problem and a possible solution but it didn't work for me. The link is:

http://samritchie.net/2013/07/17/azure-ad-single-sign-on-with-multiple-environments-reply-urls/

How do I set up Azure Active Directory to redirect to the appropriate environment?

Answer

You are not providing details about your implementation, but here is a solution for either case.

You could be using WIF config, which is entirely configuration in your web.config, or you could be using OWIN, where the configuration is in your Startup.Auth.cs file. Either way, the STS of Azure AD will only use the default reply URI, regardless of where the calls are coming from. You have to explicitly set the ReplyUrl to instruct Azure AD to return the user to one of the registered reply URLs.

WIF solution

When you use WIF, your web.config contains the following section:

  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true" 
                    issuer="https://login.windows.net/yourtenant.com/wsfed" 
                    realm="https://yourtenant.com/WebSingleTenant" 
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>

which is a bit incomplete! You can add a reply attribute to the wsFederation tag to tell Azure AD the reply URL to use:

  <wsFederation passiveRedirectEnabled="true" 
                issuer="https://login.windows.net/yourtenant.com/wsfed" 
                realm="https://yourtenant.com/WebSingleTenant" 
                reply="http://any_registered_url/"
                requireHttps="true" />

Note that here you can only use a registered reply URL.

To modify the reply attribute you can safely use web.config transformations, as you do for all your other deployment-specific app settings and connection strings.

OWIN solution

When you use OWIN, you would have a Startup.Auth.cs file, or your authentication configuration will be directly in your Startup.cs file. It would look something like the following:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri
            });
    }

Note the configuration settings for OpenIdConnect authentication. You can add a RedirectUri property to specify where to redirect the user to:

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                RedirectUri = "any_registered_redirect_uri"
            });

You can assign RedirectUri to a setting in the Web.config file, which you can also handle using Web.config transformations.
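Both halves of the answer above come down to the same thing: take the reply URL from per-environment configuration and pass it explicitly, so each deployment sends Azure AD a redirect_uri that is on the app registration's reply URL list. The Startup.Auth.cs below is an added example written for this page, not code from the original answer or from Microsoft's samples. The appSettings key names (ida:ClientId, ida:AADInstance, ida:TenantId, ida:RedirectUri, ida:PostLogoutRedirectUri) and the startup validation rule are assumptions; the OWIN calls themselves are the same ones the answer uses.

```csharp
// Added example (not from the original answer): Startup.Auth.cs that reads the
// OpenID Connect RedirectUri from Web.config, so each environment supplies its own
// registered reply URL through Web.config transformations instead of relying on
// the app registration's default reply URL.
// Assumed appSettings keys: ida:ClientId, ida:AADInstance (e.g. "https://login.microsoftonline.com/{0}"),
// ida:TenantId, ida:RedirectUri, ida:PostLogoutRedirectUri. The key names are an assumption.
using System;
using System.Configuration;
using System.Globalization;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string AadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static readonly string TenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static readonly string RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
    private static readonly string PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    // Authority is "<instance>/<tenant>", e.g. https://login.microsoftonline.com/yourtenant.com
    private static readonly string Authority =
        string.Format(CultureInfo.InvariantCulture, AadInstance, TenantId);

    public void ConfigureAuth(IAppBuilder app)
    {
        // Fail at startup rather than at the first sign-in: a missing or relative
        // RedirectUri leaves Azure AD to fall back to the registration's default
        // reply URL, which is exactly the symptom described in the question.
        ValidateRedirectUri(RedirectUri);

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                // Must match one of the Reply URLs registered for the application;
                // the comparison is exact, so scheme, host, port and path all count.
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = PostLogoutRedirectUri
            });
    }

    // Assumed validation rule for this example: the value must be an absolute URL and
    // must use https unless it points at localhost (the only case where a plain-http
    // development reply URL is reasonable).
    internal static void ValidateRedirectUri(string value)
    {
        Uri uri;
        if (string.IsNullOrWhiteSpace(value) || !Uri.TryCreate(value, UriKind.Absolute, out uri))
        {
            throw new ConfigurationErrorsException("ida:RedirectUri must be an absolute URL.");
        }

        if (uri.Scheme != Uri.UriSchemeHttps && !uri.IsLoopback)
        {
            throw new ConfigurationErrorsException("ida:RedirectUri must use https unless it points at localhost.");
        }
    }
}
```

With this in place the development Web.config carries `<add key="ida:RedirectUri" value="https://localhost:44300/" />`, and Web.Release.config overrides it with `<add key="ida:RedirectUri" value="https://yourapp.azurewebsites.net/" xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />`, so the published site and the local site each send their own registered reply URL without touching code. Both values still have to be present on the app registration's reply URL list; the explicit redirect_uri only selects among registered entries, it cannot add one.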

