最好的方式来整合在一个Django应用ADFS 2.0认证 [英] Best way to Integrate ADFS 2.0 authentication in a Django application

问题描述

我需要一个Django应用程序中使用活动目录联合服务（ADFS）身份验证。我将创建一个认证后端，但工具会有人建议我做它尽可能快，否则会更好从头开始实现身份验证？

I need to use Active Directory Federation Services (ADFS) authentication in a Django application. I will create an authentication backend, but which tool would someone recommend me to make it as fast as possible, or would it be better to implement authentication from scratch?

我已经阅读从微软网站的文章，并检查：

I have read some articles from the Microsoft website, and have checked:

• HTTP：//claimsid.$c$cplex.com/

http://msdn.microsoft.com/en-us /library/ff359102.aspx

但是，即使他们解释有关ADFS和SSO一些核心概念和想法，这些例子在我看来，更.NET堆栈集中。

But even though they explain some core concepts and ideas about ADFS and SSO, the examples are in my opinion more .NET stack focused.

推荐答案

在.NET编写一个基本的客户端和嗅探交通会给你所有必要的线索，真正落实任何的技术流。

Writing a basic client in .NET and sniffing the traffic would give you all necessary clues to actually implement the flow in any technology.

基本上，你的Django应用程序具有端点ADFS使用即可返回。您在注册ADFS端点（如 https://myapp.com/authgateway ）。

Basically, your django app has an endpoint adfs uses to return back. You register the endpoint in adfs (like https://myapp.com/authgateway).

然后，您的应用程序通过重新初始化流<一个href=\"https://adfs.address/adfs/ls?wa=wsignin1.0&wtrealm=https://myapp.com/authgateway\">https://adfs.address/adfs/ls?wa=wsignin1.0&wtrealm=https://myapp.com/authgateway

Then, your application initializes the flow by redirecting to https://adfs.address/adfs/ls?wa=wsignin1.0&wtrealm=https://myapp.com/authgateway

ADFS采请求和验证凭据。然后，它会创建一个SAML令牌并重定向到包含令牌POST请求您的应用程序。

Adfs picks the request and validates credentials. Then it creates a SAML token and redirects back to your application with a POST request containing the token.

然后是困难的部分，SAML令牌是一个纯XML可以用来建立本地用户会话。其中一个索赔包含ADFS提供的用户名，其他债权可以包含角色，电子邮件，不管你配置在ADFS身边。

Then comes the difficult part, the SAML token is a plain xml you can use to establish a local user session. One of the claims contains user name provided by adfs, other claims can contain roles, the email, whatever you configure at the adfs side.

不过，到prevent锻造，你需要的验证标记。验证包括在检查XMLDSIG签名和验证签名证书指纹的ADFS签名证书的指纹相匹配。根据对X509证书和XML验证多少知识，你有这可以很容易或者困难。试图找到在Django社区的支持。

But, to prevent forging, you need to validate the token. The validation consist in checking the XMLdsig signature and verifying that the signing certificate thumbprint matches the thumbprint of the adfs signing certificate. Depending on how much knowledge on x509 certificates and xml validation you have this can be easy or difficult. Try to find any support in django community.

不管怎样，正如你所看到的基本流程很简单，就是两次重定向的问题，从您的应用程序302 ADFS和ADFS回发到你的应用程序。虽然我们在.NET中做到这一点每天，我们的合作伙伴做在PHP / Java的我们的指导下进行。

Anyway, as you can see the basic flow is simple, is a matter of two redirects, a 302 from your application to adfs and a POST back from adfs to your application. Although we do this daily in .net, our partners do it in php/java under our guidance.

这篇关于最好的方式来整合在一个Django应用ADFS 2.0认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！