Azure Active Directory 与自定义 RBAC 的集成 [英] Azure Active Directory Integration with Custom RBAC
问题描述
我们有自己的网络应用程序,它根据本地定义并在本地数据库中维护的用户名和相关角色执行访问控制
We have our own web application which performs access control based on the username and associated roles defined locally and maintained in the local database
我需要将我们的应用程序与Azure AD"集成以使用单点登录 (SSO) 以便使用相同的用户名,我们也可以集成和访问其他 SaaS 应用程序.我想我可以使用Azure ADAL API"和Graph API"来实现这一点.
I need to integrate our application with "Azure AD" to avail single sign-on (SSO) so that with the same user-name, we can integrate and access other SaaS applications as well. I think I can achieve this with "Azure ADAL APIs" and "Graph APIs".
但是,我想了解如何为Azure AD"定义自定义用户属性和角色,以便在身份验证时与我们的应用程序共享属性和角色.这是我们的 Web 应用程序提供访问控制(基于用户 ID 和角色)而不在本地定义角色所必需的.我不确定如何实现这一目标?
However, I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication. This is required for our web application to provide Access Control ( based on user id and role) without defining roles locally. I am not sure how to achieve this?.
请告诉我它是否可行以及实现相同目标的最佳选择是什么.
Please let me know if it is feasible and what is the best option to achieve the same.
推荐答案
我想了解如何定义自定义用户属性和Azure AD"的角色与我们共享属性和角色认证后申请.这是我们网站所必需的提供访问控制的应用程序(基于用户 ID 和角色)无需在本地定义角色.
I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication. This is required for our web application to provide Access Control ( based on user id and role) without defining roles locally.
您需要使用 Azure AD 查看与应用程序角色相关的功能,以实现您的自定义 RBAC.它应该最有可能为您提供您正在寻找的东西.
You need to look at the Application Roles related functionality with Azure AD to implement your custom RBAC. It should most probably provide you what you're looking for.
顺便提一下,我见过一些案例,人们根据用户所属的组选择执行一些授权逻辑.这只是信息,而不是您需要做的事情.
On a side note, I've seen cases where people chose to do some authorization logic based on which groups the users belonged to. This is just information and not something you need to do.
我在此答案中分享了与角色和组相关的示例,但一定要先查看应用程序角色,一旦您清楚地了解它们,您就可以决定使用应用程序角色、组或角色和组的组合(很可能)用于您的授权策略.
I'm sharing samples related to both, Roles and Groups in this answer, but definitely look at Application Roles first and once you understand them clearly, you can decide to use Application Roles, Groups or a combination of both Roles and Groups (very possible) for your Authorization strategy.
Microsoft 文档 - 应用程序角色
目的 - 这些角色在应用程序清单中为您的组织正在开发并在您的 Azure Active Directory 中注册的应用程序定义.这些角色非常特定于您的应用程序,可以在应用程序的代码中用于为经过身份验证的用户实现授权逻辑.
Purpose - These roles are defined in the Application Manifest for an application that your organization is developing and that is registered in your Azure Active Directory. These roles are very specific to your application and can be used in application's code to implement Authorization logic for the authenticated users.
示例应用程序(使用此概念并执行您要查找的内容)-
Sample Application (that uses this concept and does what you're looking for) -
在使用 Azure AD 应用程序角色的 Web 应用程序中进行授权 &角色声明
快速说明
1) 向 Azure AD 注册应用程序后,您可以通过在 Azure AD 中编辑应用程序清单 (JSON) 来定义自定义角色(特定于您的应用程序).
以下是应用程序角色定义的示例 JSON:
1) Once you register your application with Azure AD, you can define custom roles (specific to your application) by editing the application manifest (JSON) in Azure AD.
Here's a sample JSON of what application role definition would look like:
"appRoles":
[
{
"allowedMemberTypes": [
"User"
],
"description": "Creators can create Surveys",
"displayName": "SurveyCreator",
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"isEnabled": true,
"value": "SurveyCreator"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Administrators can manage the Surveys in their tenant",
"displayName": "SurveyAdmin",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"value": "SurveyAdmin"
}
]
2) 您将能够通过 Azure 门户或以编程方式将这些角色分配给用户/组/应用程序.(您可以控制角色允许的成员类型)
2) You will be able to assign these roles to Users/Groups/applications through Azure Portal or programmatically. (you could control the allowed member types for roles)
3) 现在,当最终用户登录到您的应用程序时,传入的 Azure AD 令牌将为您提供一组角色声明(基于分配给用户的任何角色),您可以在应用程序中做出授权决策.
3) Now when the end users sign in to your application, the incoming Azure AD token will provide you a collection of role claims (based on whatever roles are assigned to the user) and you can take authorization decisions in your application.
if (context.User.HasClaim(ClaimTypes.Role, "Admin")) { ... }
<小时>
组
群组可以有多个用户或其他群组作为成员.再次可以通过 Azure 门户或以编程方式管理组.
Groups
Groups can have multiple users or other groups as members. Again management of groups is possible through Azure Portal or programmatically.
注意:组完全独立于您的应用程序,即,即使没有您的应用程序,Azure AD 组也可以并且确实存在以实现对成员进行分组的目的.另一方面,应用程序角色非常特定于您的应用程序,除了您的应用程序之外,它们对任何人都没有多大意义.
NOTE: Groups are totally independent of your application, i.e. Azure AD groups can and do exist to serve a purpose of grouping members even without your application. Application Roles on the other hand are very specific to your application, they don't mean much to anyone except your application.
基于群组做出决策的示例应用
使用 Azure AD 组在 Web 应用程序中进行授权 &集体声明
这篇关于Azure Active Directory 与自定义 RBAC 的集成的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
