Web 应用程序的单点登录 [英] Single Sign On for a Web App
问题描述
一个多月以来,我一直试图了解这个问题是如何解决的.我真的需要想出一个可行的通用方法.我有一个理论,但我不确定这是最简单(或正确)的方法,而且我找不到任何信息来支持我的想法.
I have been trying to understand how this problem is solved for over a month now. I really need to come up with a general approach that work. I have a theory, but I'm just not sure it's the easiest (or correct) approach and I haven't been able to find any information to support my ideas.
场景如下:
1) 您有一个复杂的网络应用程序,可以在订阅的基础上提供安全的内容.
1) You have a complex web application that offers secure content on a subscription basis.
2) 用户需要使用用户名和密码登录您的应用程序.
2) Users are required to log in to your application with user name and password.
3) 您向已经拥有企业身份验证技术(例如 Active Directory)的大公司销售产品.
3) You sell to large corporations, which already have a corporate authentication technology (for example, Active Directory).
4) 您希望与企业身份验证机制集成,以允许其用户无需输入用户名和密码即可登录您的 Web 应用.
4) You would like to integrate with the corporate authentication mechanism to allow their users to log onto your Web App without having to enter their user name and password.
现在,您提出的任何解决方案都必须提供一种机制:
Now, any solution you come up with will have to provide a mechanism for:
- 添加新用户
- 删除用户
- 更改用户信息
- 允许用户登录
理想情况下,当企业客户对其自己的身份验证进行相应更改时,所有这些都会自动"发生.
Ideally, all these would happen "automagically" when the corporate customer made the corresponding changes to their own authentication.
现在,我有一个理论,我认为这样做的方法(至少对于 Active Directory)是让我编写一个客户端应用程序,该应用程序与客户的 Active Directory 集成以跟踪目标更改,然后传达这些更改更改我的 Web 应用程序.我认为,如果这种通信是通过我的网络应用程序提供的网络服务完成的,那么它将保持不可破解的安全级别,这显然是这些企业客户的要求.
Now, I have a theory that the way to do this (at least for Active Directory) would be for me to write a client-side app that integrates with the customer's Active Directory to track the targeted changes, and then communicate those changes to my Web App. I think that if this communication were done via Web Services offered by my web app, then it would maintain an unhackable level of security, which would obviously be a requirement for these corporate customers.
我发现了一些有关名为 Active Directory 联合身份验证服务 (ADFS) 的 Microsoft 产品的信息,这对我来说可能是也可能不是正确的方法.它似乎有点笨重,并且有一些可能不适用于所有客户的要求.
I've found some information about a Microsoft product called Active Directory Federation Service (ADFS) which may or may not be the right approach for me. It seems to be a bit bulky and have some requirements that might not work for all customers.
对于其他现有的 ID 场景(如雅典和 Shibboleth),我认为不需要客户端应用程序.这可能只是绑定到现有 ID 服务的问题.
For other existing ID scenarios (like Athens and Shibboleth), I don't think a client application is necessary. It's probably just a matter of tying into the existing ID services.
如果有人对我在这里提到的任何内容提出任何建议,我将不胜感激.特别是,如果您能告诉我我关于提供与服务器端 Web 服务通信的客户端应用程序的理论是否正确,或者我是否完全走错了方向.此外,如果您能指出任何解释如何执行此操作的网站或文章,我将不胜感激.到目前为止,我的研究成果并不多.
I would appreciate any advice anyone has on anything I've mentioned here. In particular, if you can tell me if my theory is correct about providing a client-side app that communicates with server-side Web Services, or if I'm totally going in the wrong direction. Also, if you could point me at any web sites or articles that explain how to do this, I'd really appreciate it. My research has not turned up much so far.
最后,如果您能告诉我目前提供此服务的任何 Web 应用程序(特别是与公司 Active Directory 相关的应用程序),我将不胜感激.我想知道其他 B2B 网络应用程序(例如 salesforce.com 或 hoovers.com)是否为其企业客户提供类似的服务.
Finally, if you could let me know of any Web applications that currently offer this service (particularly as tied to a corporate Active Directory), I would be very grateful. I am wondering if other B2B Web app's like salesforce.com, or hoovers.com offer a similar service for their corporate customers.
我讨厌在黑暗中,非常感谢你能发出的任何光......
I hate being in the dark and would greatly appreciate any light you can shed ...
杰瑞米
推荐答案
Shibboleth 旨在完全支持这种情况.但是,它将依赖于您客户的公司实施身份提供者机制.目前,这仅在大学中很常见.此外,如果您想要用户信息(不仅仅是匿名标识符),您需要公司同意向您发布这些属性.
Shibboleth is designed to support exactly this scenario. However it will rely on your customers' companies implementing the identity provider mechanisms. At the moment, that's only really common in universities. Further, if you want user information (any more than just a pseudonymous identifier), you'd need the company to agree to release those attributes to you.
我很难相信很多公司会向您开放他们的企业身份验证系统,只是为了提供 SSO.
I find it hard to believe that many companies would open their corporate authentication system to you, just to provide SSO.
您可能会发现最好依靠 OpenID 或类似工具,并使用记住我"cookie 来减少人们需要输入密码.
You might find it better to rely on OpenID or similar, and using a "remember me" cookie to reduce the need for people to enter passwords.
这篇关于Web 应用程序的单点登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
