Web应用程序 - 用户身份验证跨域 [英] Web Application - User Authentication Across Domains

问题描述

我们的一位客户已经接近我们开发的应用程序，和往常一样的范围与日俱增。

最初，它开始为他们的企业网络内局限于专门的应用。用户认证是由aquiring用户的Windows登录和使用SQLServer数据库来承载的访问权限确定。所有挺得笔直向前。

他们现在希望以下内容：

- 应用基于
是网络
- 到企业网络
- 用户身份验证以相同的方式工作（不使用密码，只是Windows登录）

要进一步复杂化，他们希望应用程序的各种功能是由另一个应用程序，它只是HTTP请求的火灾使用。

- 在公司网络
- 用户推出公司应用

- 用户进程客户信息

- 用户点击一个按钮

- 企业应用程序触发一个HTTP请求到我们的托管网络应用

- HTTP请求包括
必要的身份验证和客户详细信息
- 用户认证完成'自动'（无人工干预）

- 客户数据的安全传输

他们非常热衷于为我们为他们做的这是我们最初的方法是非常多他们想要的东西。他们还希望我们这样做，即使这样的托管Web应用程序是不是我们的speciallity。所以，我现在接近专家;

- 有没有人对如何处理这个
什么建议吗？
- ？有没有人有关于可能的陷阱的警告，以避免

解决方案

基本上他们谈论的联合访问。你将举办自己的网络内的认证点反过来令牌转发给您的应用程序，对其进行解析，并允许（或停止访问）。这是pretty标准，而MS在日内瓦为此提供了良好的基础框架。这也将为Web服务调用工作提供他们可以改变他们的应用程序中使用WSFed作为一种协议，跟我们的安全令牌服务，默默发出身份验证令牌。在大多数情况下，你会使用SAML这一点。它也有认证信息永远不会他们的企业网络之外的额外的奖励。

基于证书的验证的建议是一个有趣的，但需要推出一个PKI基础更多的工作。这可能是昂贵的

的CardSpace是行不通的 - 因为他们似乎想它不是沉默。 OpenID是一个非首发为好，它不是沉默无论是。

加分，如果你正在寻找天青 - 天青的认证位也使用SAML / WSFed引擎盖下，并拥有日内瓦位吧。所以，如果你移动到云中，然后每个客户将只需要他们的网络中配置一个登录页面 - 所有你需要做的就是信任的页面，根据您的规则发出认证令牌你和分析它们

A client of ours has approached us to develop an application, and as usual the scope grows day by day.

Initially it started as a dedicated app confined within their corporate network. User Authentication was established by aquiring the user's Windows login and using a SQLServer Database to host the access rights. All quite straight forward.

They now want the following:
- Application to be Web Based
- Application to be hosted outside of the corporate network
- User authentication to work in the same way (no using passwords, just windows logins)

To complicate it further, they want the various functions of the application to to be usable by another application which just fires of HTTP requests.
- User logs in to corporate network
- User launches corporate application
- User processes customer details
- User clicks a button
- Corporate Application fires a HTTP request to our hosted web app
- HTTP request included necessary authentication and customer details
- User authentication is completed 'automatically' (No human involvement)
- Customer data is transmitted securely

They are very keen for us to do this for them as our initial approach was very much what they wanted. They still want us to do this even though such hosted web apps are not our speciallity. So I now approach the experts;
- Does anyone have any advice on how to approach this?
- Does anyone have any warning about the possible pitfalls to avoid?

解决方案

Basically they're talking about federated access. You would host an authentication point inside their network which in turn forwards a token to your application which parses it and allows (or stops access). This is pretty standard, and MS provide a good base for this in the Geneva Framework. This will also work for web service calls providing they can change their application to use WSFed as a protocol and talk to a security token service which silently issues the authentication token. In most cases you'll be using SAML for this. It also has the added bonus of authentication details never going outside of their corporate network.

The suggestion of Certificate Based authentication is an interesting one, but requires more work in rolling out a PKI infrastructure. This can be costly.

CardSpace won't work - it's not silent as they seem to want. OpenID is a non starter as well, it's not silent either.

Extra points if you're looking at Azure - the authentication bits of Azure also use SAML/WSFed under the hood, and has bits of Geneva in it. So if you moved to the cloud then each of your customers would just have to configure a login page within their network - all you would have to do is trust that page to issue authentication tokens to you and parse them according to your rules.

这篇关于Web应用程序 - 用户身份验证跨域的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！