联合认证(单点登录),用于在Azure上一个WCF REST / HTML服务 [英] Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure
问题描述
我做了一个简单的WCF REST的服务,它发布到Azure和激活SSL使用X.509证书。
I have made a simple WCF-REST-service, published it to Azure and activated SSL with a X.509-certificate.
我想安装此服务一些认证为好。我可以通过发送明文凭据头,因为所有的流量现在是加密很容易解决这个问题,但我打算使用某种类型的联合身份验证,而不是让用户可以利用单点登录的。
I'd like to setup some authentication for this service as well. I could solve this very easily by sending a credentials-header in clear text since all traffic is now encrypted, but I am planning to use some kind of federated authentication instead so that users can take advantage of Single Sign-On.
此领域相对较新,但似乎已经被使用过时的技术遍野,使得它很难有人经验少找到当前的最佳实践和坚实的工具集。我希望有显著经验有人可以提供一些见解,给我们所有人一个上最新的JumpStart。
This field is relatively new and yet seems to already be littered with obsolete technology, making it difficult for someone with little experience to find current best practices and solid toolsets. I'm hoping somebody with significant experience can provide some insight and give us all an up-to-date jumpstart.
时的OpenID的唯一技术呢?
Is OpenId the only technology for this?
可以在相对缺乏经验又合理开发智能化实现了基于这几个教程?或者,底层技术过于复杂,使得第三方API /框架更可取? (如DotNetOpenAuth)
Can a relatively inexperienced yet reasonably intelligent developer implement this based off a few tutorials? Or are the underlying technologies too complex, making a third-party API/framework more desirable? (like DotNetOpenAuth)
有关Azure和WCF具体地讲,就是Windows Azure的活动目录访问控制真的有必要,还是那样像乱打一只苍蝇用大锤?
For Azure and WCF specifically, is "Windows Azure Active Directory Access Control" really necessary, or would that be like swatting a fly with a sledgehammer?
推荐答案
认证,授权和身份联合为非常复杂的问题,不应掉以轻心。之所以安全是一个大的,复杂的问题是,它非常难以得到正确的!
Authentication, Authorization and identity federation are HUGELY complex subjects and should not be taken lightly. The reason security is a big, complex problem is that its extraordinarily hard to get right!
如果您还没有在网络身份与放大量经验;安全,不要试图推出自己的身份验证机制:正确,安全地实现一个身份验证机制是非常,非常努力。
If you don't already have a great deal of experience in internet identity & security, don't try and roll your own auth mechanism: Correctly and securely implementing an authentication mechanism is very, VERY hard.
例如,在上面的场景中,你还没有占到确保您在HTTP头通过vim的信任状是匿名的,以$ P $他们psent并要每个站点,他们在一段时间后过期,它们不能被重放,它们不能被恶意第三方等来合成。
For example, in your scenario above, you've not accounted for ensuring that the creds you pass in the HTTP header are anonymized for each site you want to present them to and that they expire after a period of time, that they cannot be replayed, that they cannot be synthesized by a malicious 3rd party, etc.
我强烈鼓励您使用pre-现有authn机制和配套的框架。事实上,因为你是一个Azure的用户,最简单的方法,以最终用户的身份联合添加到您的网站是使用的新authn功能的Windows Azure移动服务
I strongly encourage you to use a pre-existing authn mechanism and supporting framework. In fact, since you're an Azure user, the easiest way to add end-user identity federation to your site is to use the new authn features of Windows Azure Mobile Services
如果你仍然想了解更多关于身份和身份联合,我建议你选择正确的验证类型使用之前研究这个问题:
If you still want to learn more about identity and identity federation, I encourage you to research this subject before choosing the right type of authentication to use:
开始使用指南基于声明的标识和访问控制(第二版) 。这会给你最的背景和必要的知识,以充分认识这个问题作出正确的决定。
Start with A Guide to Claims-Based Identity and Access Control (2nd Edition). This will give you most of the background and knowledge necessary to understand this subject sufficiently to make sound decisions.
一旦你得到了关于这个问题的一个良好的抓地力,我建议你阅读了维托里奥Bertocci曾在 HTTP写了一切:// cloudidentity .COM 。
Once you've got a good grip on this subject, I recommend reading everything that Vittorio Bertocci has written over at http://cloudidentity.com.
心连心。
这篇关于联合认证(单点登录),用于在Azure上一个WCF REST / HTML服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
