将 Azure AD 身份验证与表单身份验证混合使用 [英] Mixing Azure AD authentication with Forms authentication
问题描述
我有一个使用表单身份验证的现有 MVC5 应用程序.我的一半用户是 Azure AD 中也存在的内部员工.我想让他们选择对 AD 进行身份验证,但我不希望另一半必须通过 AD.我所看到的所有使用 Azure AD 身份验证的示例似乎都是全有或全无的事情.
I've got an existing MVC5 application that uses Forms authentication. Half of my users are internal employees that also exist in Azure AD. I'd like to give them the option to authenticate against AD but I don't want the other half to have to go through AD. All of the examples I've seen of using Azure AD authentication seems like an all or nothing thing.
我不能在我的登录表单中添加一个按钮,让 AD 用户转到 Azure 登录并使用令牌重定向回来吗?我的另一个选择是,如果他们是 Azure 用户,请从我的登录表单中获取他们的电子邮件/密码,然后尝试使用它连接到 AD.这似乎是一种风险,因为我会接触到他们的实际网络凭据.
Can't I just add a button to my login form for the AD users to go to the Azure login and get redirected back with a token? My other option is if they are an Azure user, take their email/password from my login form and try to connect to AD with it. This seems like a risk as I'll have exposure to their actual network credentials.
推荐答案
我还没有完成它,但我已经做得足够了,这对我来说就像是解决方案.我将为 Azure AD 用户添加一个指向我的登录页面的链接,该链接指向此处定义的 AD OpenID url:
I haven't completed it yet but I've gotten far enough in that this feels like the solution to me. I'm going to add a link to my login page for Azure AD users that points to the AD OpenID url as defined here:
我取回的 id_token 在解压后识别用户身份,详情如下:
The id_token that I get back identifies the user after it's unpacked as detailed here:
这篇关于将 Azure AD 身份验证与表单身份验证混合使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
