Configure WIF for AD FS with forms authentication


Problem description

We have an ASP.NET Web Forms (.NET 3.5) website application that uses forms authentication. The application has got different customized authentication services which use different SSO methods (e.g. CAS) to validate users; those were implemented for different clients. Now the requirement is to implement an AD FS based authentication service without making core changes to the Forms Authentication configuration.

My questions:

  1. How to configure SAM in a .NET 3.5 website?
  2. Instead of redirecting to the STS, is it possible to pass the user name and password from my login page to the AD FS proxy and get a SAML response?
  3. My intention is to read a custom attribute value (e.g. employee number) from the SAML response and proceed with the current authentication module. Is it possible?

This question is based on a discussion in AD FS and forms Authentication, any help will be greatly appreciated.

Solution

  1. The snippet I posted as an answer to the previous question should more or less work under .NET 3.5 (some APIs have changed, but not so much that you couldn't figure it out).

  2. Although this is possible, I guess this is a bad idea. This is because AD FS could be configured to use some other means of authentication than username/password. For example, they could enable Windows Integrated Authentication. Or they could delegate the authentication to another provider that uses two-factor auth involving text messages. All this means it is more reliable to follow passive WS-Fed, where your app redirects to the login page of the provider rather than passing the username/password collected by your app to the provider.

  3. The SAML validation in the snippet ends up with the ClaimsIdentity that represents the principal from the token. This is where you just enumerate the claims and search for the one you want:

    // `identity` is the IClaimsIdentity produced by validating the SAML token in the earlier snippet;
    // the validation code itself is in the previous answer, not on this page.
    // Assumed claim type URI: it must match the claim AD FS issues for the employee number.
    const string EmployeeNumberClaimType = "http://schemas.example.com/claims/employeenumber";

    foreach (Claim claim in identity.Claims)   // Microsoft.IdentityModel.Claims (WIF on .NET 3.5); on .NET 4.5 use claim.Type
    {
        if (claim.ClaimType == EmployeeNumberClaimType)
        {
            FormsAuthentication.SetAuthCookie(claim.Value, false); // establish the local forms auth session
            break;
        }
    }


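The following is an added example, not code from the question or the answer above, showing the two halves of the answer end to end on WIF 1.0 (the `Microsoft.IdentityModel` assembly that runs on .NET 3.5): building the passive WS-Federation redirect to AD FS instead of relaying credentials (point 2), then validating the returned SAML assertion, pulling the employee-number claim out of the resulting `IClaimsIdentity`, and handing it to the existing Forms Authentication module (point 3). The endpoint URL, realm, signing-certificate thumbprint and employee-number claim type are assumptions and must be replaced with the values registered for your relying party in AD FS. The class `AdfsFormsBridge` and its methods are illustrative names, not part of WIF. On .NET 4.5 the same types live in `System.IdentityModel.Tokens` / `System.Security.Claims`, where `ValidateToken` returns a `ReadOnlyCollection<ClaimsIdentity>` and the claim property is `Type` rather than `ClaimType`.

```csharp
// Added example (not from the original question or answer): bridge a WIF-validated
// SAML token into a Forms Authentication session on .NET 3.5 / WIF 1.0.
using System;
using System.IdentityModel.Tokens;                    // SecurityToken, X509CertificateValidator
using System.IO;
using System.Linq;
using System.Web.Security;                            // FormsAuthentication
using System.Xml;
using Microsoft.IdentityModel.Claims;                 // IClaimsIdentity, Claim, ClaimsIdentityCollection
using Microsoft.IdentityModel.Protocols.WSFederation; // SignInRequestMessage
using Microsoft.IdentityModel.Tokens;                 // SecurityTokenHandlerCollection, SecurityTokenHandlerConfiguration

public static class AdfsFormsBridge
{
    // All four values are assumptions for the example; use your own relying-party settings.
    const string AdfsPassiveEndpoint = "https://adfs.example.com/adfs/ls/";
    const string Realm = "https://app.example.com/";      // wtrealm: the RP identifier registered in AD FS
    const string AdfsSigningCertThumbprint = "0000000000000000000000000000000000000000"; // token-signing cert
    const string EmployeeNumberClaimType = "http://schemas.example.com/claims/employeenumber"; // must match the AD FS issuance rule

    // Point 2: passive WS-Federation. The browser is sent to AD FS, which authenticates the
    // user however it is configured (forms, Windows Integrated, a 2FA provider) and posts the
    // token back. Our app never sees a password.
    public static string BuildSignInRedirectUrl(string returnUrl)
    {
        var request = new SignInRequestMessage(new Uri(AdfsPassiveEndpoint), Realm);
        request.Context = returnUrl; // wctx, echoed back so we know where to send the user afterwards
        return request.WriteQueryString(); // .../adfs/ls/?wa=wsignin1.0&wtrealm=...&wctx=...
    }

    // Point 3, first half: validate the <saml:Assertion> taken out of the posted wresult.
    // The issuer registry (signature pinned to the AD FS signing cert), the audience
    // restriction and the validity window are what stop an attacker from posting a
    // home-made assertion with any employee number they like.
    public static string GetEmployeeNumber(string samlAssertionXml)
    {
        var config = new SecurityTokenHandlerConfiguration();
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Realm));

        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(AdfsSigningCertThumbprint, "ADFS");
        config.IssuerNameRegistry = issuers;
        // The thumbprint pin above is the trust anchor; AD FS token-signing certs are usually
        // self-signed, so chain validation is switched off. Use ChainTrust if yours is CA-issued.
        config.CertificateValidator = X509CertificateValidator.None;

        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);

        SecurityToken token;
        using (XmlReader reader = XmlReader.Create(new StringReader(samlAssertionXml)))
        {
            token = handlers.ReadToken(reader); // SAML 1.1 and SAML 2.0 handlers are both in the default collection
        }

        // Throws SecurityTokenException on a bad signature, wrong audience or expired token.
        ClaimsIdentityCollection identities = handlers.ValidateToken(token);
        IClaimsIdentity identity = identities[0];

        Claim employeeNumber = identity.Claims.FirstOrDefault(c => c.ClaimType == EmployeeNumberClaimType);
        return employeeNumber == null ? null : employeeNumber.Value;
    }

    // Point 3, second half: establish the local forms-auth session so the rest of the
    // application keeps working unchanged. Refuse to log in if the claim is absent rather
    // than falling back to some other identifier from the token.
    public static void EstablishFormsSession(string samlAssertionXml, bool persistent)
    {
        string employeeNumber = GetEmployeeNumber(samlAssertionXml);
        if (string.IsNullOrEmpty(employeeNumber))
            throw new InvalidOperationException("Token validated but carries no employee number claim; refusing to sign in.");

        FormsAuthentication.SetAuthCookie(employeeNumber, persistent);
    }
}
```

Usage: the login page calls `Response.Redirect(AdfsFormsBridge.BuildSignInRedirectUrl(returnUrl))`; the page AD FS posts back to extracts the `<saml:Assertion>` from the `wresult` form field (the `RequestSecurityTokenResponse` wrapper around it) and calls `AdfsFormsBridge.EstablishFormsSession(assertionXml, false)` before redirecting to `wctx`. Because the employee number is now the forms-auth user name, it must be unique per user in AD FS; if it is not, pick the claim that is.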