Azure的WCF服务与Azure的Active Directory验证 [英] Azure WCF Service with Azure Active Directory Authentication
问题描述
我知道这个问题似乎类似于其他的儿子在这里,但我已经试过张贴在这里的答案:<一href=\"http://stackoverflow.com/questions/15744763/securing-wcf-4-5-service-using-azure-acs-2-0/15745564#15745564\">Securing WCF服务4.5使用Azure的ACS 2.0
在这里:<一href=\"http://stackoverflow.com/questions/16241232/federated-authentication-single-sign-on-for-a-wcf-rest-html-service-on-azure\">Federated认证(单点登录),用于在Azure上一个WCF REST / HTML服务
答既不似乎是相关的。
下面是我有这么远。</ P>
- 各种辅助角色的Azure云服务,并与REST和SOAP端点的WCF Web角色
- 一对夫妇的用户 蔚蓝的Active Directory帐户
- ACS命名空间。
WCF服务将通过几个不同的公司使用,但除此之外关闭。我们选择蔚蓝活动目录为WCF服务和其他应用提供SSO。
这是我想做的事:
- 创建用户/密码使用WCF服务每家公司
Azure的Active Directory中。 - 仅允许企业使用有效的用户名和密码对来获得访问令牌
- 有每个公司利用自己的令牌来访问WCF方法。
我不认为这将是难以完成的,但所有的教程在那里似乎是IIS托管或自托管服务有一个控制台应用程序。
我迄今所做的:
- 添加WCF服务在蔚蓝的活动目录集成的应用程序
- 创建于ACS命名testAAD一个新的身份提供者并增加从集成应用的WS-联合会元数据的提供者
- 添加使用新创建的testAAD身份提供商依赖方应用程序
- 增加了一个规则组与使用testAAD身份提供商和默认设置直通规则。
请参阅选项1 了解更多详情rel=\"nofollow\">。
我需要知道我所做的就是随时随地接近正确,如果是,我怎么让WCFservice开始使用这些设置。
其他信息:
- WIF 4.5
- VS2012临
- C#
任何相关的教程链接或一般性的建议将是巨大的。先谢谢了。
更新:
我想补充更多的信息,WCF服务是由许多不同的网站张贴。我们的每一个客户都会从自己的web表单收集数据,然后或者使用C#code添加服务引用,或如果他们使用PHP通过像袅袅发布数据到一个URL。该服务同时具有REST和SOAP端点。因此,例如,他们会发送XML或SOAP请求mynamespace.cloudapp.net/myservice.svc/servicemethod~~V。我要么寻找让他们这一要求送他们的用户名和密码并验证在实际WCF方法这些证书,或让他们请求身份验证令牌,然后发送身份验证令牌与他们的要求。
更新2
我想我找到了失落的一角。为了使用Active Directory作为身份提供者,它看起来像我需要建立一个ADFS服务器。我曾认为ADFS服务器被设置已经与湛蓝的Active Directory帐户,但显然那不是如此呢?有没有办法做到这一点没有ADFS服务器?
您还没有涉及的主要问题是怎么会这些公司使用WCF服务?。通过您的Web门户,或者通过富客户端(如的WinForms / WPF)?
如果是富客户端,你可以看看<一个href=\"http://www.cloudidentity.com/blog/2012/12/17/using-aal-to-secure-calls-to-a-classic-wcf-service-2/\"相对=nofollow>这个博客帖子?它显示了如何使用安全令牌WCF服务,并从一个WPF应用程序访问该服务。
如果您打算只允许通过您的Web门户访问WCF服务,那么图片是有点不同。您可以先通过Azure的AD保护您的门户网站,并得到用户的令牌。然后使用该令牌对WCF进行身份验证。
但是,在一个真正的网络情况下,客户端将拨打电话的服务实际上是 Web服务器 。如果是这样的话,我只想保护我的Azure与AD门户网站。然后,保护我的WCF用一个访问令牌。我可以从一个服务标识该标记在我的Azure AD访问控制。而提供这种服务令牌从我的 Web服务器每次调用WCF的一部分。为了增加审计(与合规),我也会送原装用户令牌,跟踪谁访问什么和什么时候的。
I know this question seems similar to other son here, but I have tried the answers posted Here: Securing WCF 4.5 service using Azure ACS 2.0
And Here: Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure
Ans neither seem to be relevant.
Here is what I have so far.
- An azure cloud service with various worker roles, and a WCF web role with REST and SOAP Endpoints
- An azure active directory account with a couple users
- ACS namespace.
The WCF service will be used by a couple different companies but other than that closed off. We chose azure active directory to provide SSO for the wcf service and other apps.
Here is what I want to do:
- Create users/passwords for each company using the WCF service in Azure Active Directory.
- Allow only companies with a valid username and password pair to obtain an access token
- Have each company use their token to access the WCF methods.
I didn't think this would be that hard to accomplish, but all the tutorials out there seem to be for IIS hosted or self hosted services with a console application.
What I have done so far:
- Added the WCF service as an integrated app in azure active directory
- Created a new identity provider named testAAD in ACS and added the WS-Federation metadata from the integrated app to that provider
- Added a relying party application that uses the newly created testAAD identity provider
- Added a rule group with a pass-through rule that uses the testAAD Identity Provider and the default settings.
See option 1 here for more details. I need to know if what I did was anywhere close to correct, and if it was, how do I get the WCFservice to start using those settings.
Other Info:
- WIF 4.5
- VS2012 Pro
- C#
Any relevant tutorial links or general advice would be great. Thanks in advance.
Update: Just to add more info, the WCF service is being posted to by a number of different websites. Each of our customers will collect data from their own web forms, and then either add a service reference using c# code, or post the data to a url via something like curl if they are using php. The Service has both rest and soap endpoints. So for example, they would send an XML or SOAP request to mynamespace.cloudapp.net/myservice.svc/servicemethod. I am either looking to have them send their username and password with that request and validate those credentials in the actual WCF Method, or have them request an authentication token, and then send that authentication token with their request.
Update 2 I think I found the missing piece. In order to use active directory as an identity provider, it looks like I need to set up an ADFS server. I had thought that the ADFS server was set up already with the azure active directory account, but apparently thats not the case? Is there any way to do this without an ADFS server?
The main question you haven't covered is how will these companies use that WCF service?. Via your web portal, or via rich client (such as WinForms / WPF)?
If it is rich client, you can take a look at this blog post? It shows you how to secure WCF service with token and access that service from a WPF application.
If you plan to only allow access to the WCF service via your web portal, then picture is a bit different. You can first protect your portal by Azure AD and get user's token. Then use that token to authenticate against the WCF.
But in a truly web scenario, the client that will make calls to the service is actually your web server. If this is the case, I will just protect my web portal with Azure AD. Then protect my WCF with a single access token. I can get that token from a Service Identity in my Azure AD Access Control. And provide this "Service Token" as part of each WCF call from my web server. For added audit (and compliance) I will also send the original user token, to keep track of who accessed what and when.
这篇关于Azure的WCF服务与Azure的Active Directory验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
