Application authorization in a trusted third party WIF environment


Question

All,

I'm a little confused over some of the concepts behind Windows Identity Foundation and the overall architectural fit in a third-party "trusted" environment as regards Authorisation. I think I may have missed something but I can't see how it would work in the real world.

As an example, we have a number of systems behind a portal. Customers can access the portal and, based on their permissions, they can access features of each different application. In the current scenario, we may have a single authentication step (user id/password) that passes the authorised identity/principal (against a custom authentication store) to each application. The application then uses this pre-authenticated identity to look up against its own roles to allow users access to certain features.

This is all managed internally - i.e. each application understands its own roles so each application has its own admin function that maps a user to a role.

Ok, so it works but is a pain to manage and our customer has to remember our portal user id and password.

I'd like to move to a trusted environment so that we trust the token from their STS and authentication is all hidden. However, I simply cannot see how Authorisation will work - we're asking that each third party implement roles in their STS to pass along with the token. We've shifted the admin to them which may break their security models anyway.

So we cannot delegate authorisation to them, and still need to manage the map of a trusted token to the roles the application requires.

So the great benefit of trusted STS, whereby user A leaves trusted company 123 and user B joins to take over, and they don't have to wait for us to make any changes... just isn't practical in the real world.

Which is a shame, as I really like the idea.

Have I missed something fundamental?

Recommended answer

To answer my own question, I spoke to a Microsoft architect about this and he broadly agreed. You can create rules to map third party data to the properties your app needs, but if the third party is not prepared to change their systems (e.g. Active Directory) then you're stuck.

Therefore, IMO the chance of a third party agreeing to add new properties to their AD domain to support your app is minimal; it leaves a pretty big hole in the ethos underpinning WIF and trusted STS.
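One way to keep the role mapping on the application side, as the answer describes, is a WIF 4.5 ClaimsAuthenticationManager that translates whatever the partner STS does send (its group names, or just the user identifier) into application roles. This is an added example, not code from the thread; the issuer URI, group name and user id are constructed placeholders, and the class and table names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical ClaimsAuthenticationManager for the scenario in this thread: the
// partner STS asserts only who the user is (plus its own group names), while the
// application keeps its own table mapping those partner claims to application roles.
public class PartnerRoleMapper : ClaimsAuthenticationManager
{
    private const string Company123 = "https://sts.company123.example/";  // constructed placeholder
    private const string GroupClaim = "http://schemas.xmlsoap.org/claims/Group";
    // Application-owned mapping: "issuer|claimType|value" -> local roles. The issuer
    // is part of the key, so the same group name asserted by another partner maps to
    // nothing. A row keyed on a partner group lets user A leave and user B take over
    // with no change here; a row keyed on NameIdentifier pins a single person.
    private static readonly Dictionary<string, string[]> ClaimToRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            [Company123 + "|" + GroupClaim + "|Billing Clerks"] = new[] { "InvoiceViewer" },
            [Company123 + "|" + ClaimTypes.NameIdentifier + "|c123-user-77"]
                = new[] { "InvoiceViewer", "InvoiceApprover" },
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var incoming = incomingPrincipal?.Identity as ClaimsIdentity;
        if (incoming == null || !incoming.IsAuthenticated)
            return incomingPrincipal;                 // anonymous request: nothing to map

        // Discard any Role claims the partner put in the token. Authorisation stays
        // with the application, so a partner STS must not be able to assert our roles.
        var kept = incoming.Claims.Where(c => c.Type != ClaimTypes.Role);
        var identity = new ClaimsIdentity(kept, incoming.AuthenticationType,
                                          incoming.NameClaimType, ClaimTypes.Role);

        // Claim.Issuer is the name WIF's issuer name registry returned when it
        // validated the token signature, so it is safe to use as part of the key.
        foreach (var claim in incoming.Claims)
        {
            if (!ClaimToRoles.TryGetValue(claim.Issuer + "|" + claim.Type + "|" + claim.Value, out var roles))
                continue;
            foreach (var role in roles)
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String,
                                            ClaimsIdentity.DefaultIssuer)); // marked as locally issued
        }
        return new ClaimsPrincipal(identity);
    }
}
```

Registered under `<system.identityModel><identityConfiguration><claimsAuthenticationManager type="..."/>`, WIF runs Authenticate on every validated token before the principal reaches the application, so the mapping table (which in practice would live in a database rather than a static dictionary) is the only thing the portal administrators still maintain.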
