Active Directory authentication for SaaS product


Question


After some theoretical help on the best approach for allowing a SaaS product to authenticate users against a tenant's internal Active Directory (or other LDAP) server.


The application is hosted, but a requirement exists that tenants can delegate authentication to their existing user management provider such as AD or OpenLDAP etc. Tools such as Microsoft Online's hosted exchange support corporate AD sync.


Assuming the client doesn't want to forward port 389 to their domain controller, what is the best approach for this?

Answer


After doing some research and talking to a few system admins who would be managing this, we've settled on two options, which should satisfy most people. I'll describe them here for those who were also interested in the outcome.

Authentication service installed in the organisation's DMZ


If users wish to utilise authentication with an on-premises Active Directory server they will be required to install an agent in their DMZ and open port 443 to it. Our service will be configured to hit this service to perform authentication.


This service will sit in the DMZ and receive authentication requests from the SaaS application. The service will attempt to bind to Active Directory with these credentials and return a status to indicate success or failure.


In this instance the application's forms based authentication will not change, and the user will not be aware of the authentication behind the scenes.

OpenID


Similar to the first approach, a service will be installed in the client's DMZ, and port 443 will be opened. This will be an OpenId provider.


The SaaS application will be an OpenId consumer (already is for Facebook, Twitter, Google etc login).


When a user wishes to log in, the OpenId provider will be presented, asking them to enter their user name and password. This login screen would be served from the client's DMZ. The user would never enter their username or password into the SaaS application.


In this instance, the existing forms based authentication is replaced with the OpenId authentication from the service in the client's DMZ.


A third option that we're investigating is Active Directory Federated Services, but this is proprietary to Active Directory. The other two solutions support any LDAP based authentication across the internet.
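The first option above (a DMZ agent that receives a username/password from the SaaS application, binds to the directory with those credentials, and returns only a status) has a small but important contract. The example below is added here to model that contract; it is not code from the answer's author. The HMAC shared secret, the timestamp window and the JSON wire format are assumptions, and the in-memory directory is a constructed stand-in for the LDAP simple bind an actual agent would perform over LDAPS (with a library such as ldap3 or python-ldap). The points it makes concrete: the agent must authenticate the SaaS caller so the port-443 endpoint is not an anonymous credential-checking service, it must reject an empty password (LDAP treats that as an anonymous bind that "succeeds"), and it should return success/failure only.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Tuple

# A bind callback answers one question: does a simple bind with this
# username/password succeed against the tenant's directory?  In production
# this would be an LDAP simple bind over LDAPS; the in-memory version below
# is a constructed stand-in so the example runs offline.
BindFn = Callable[[str, str], bool]


def make_memory_bind(directory: Dict[str, str]) -> BindFn:
    """Constructed stand-in for an LDAP simple bind (hypothetical test directory)."""
    def bind(username: str, password: str) -> bool:
        stored = directory.get(username.lower())
        # compare_digest keeps the comparison time independent of the input
        return stored is not None and hmac.compare_digest(stored, password)
    return bind


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded (assumed wire format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_request(secret: bytes, username: str, password: str,
                  now: float) -> Tuple[bytes, str]:
    """SaaS side: serialise the credentials plus a timestamp and sign them."""
    body = json.dumps({"username": username, "password": password,
                       "ts": int(now)}, sort_keys=True).encode()
    return body, sign(secret, body)


class AuthAgent:
    """DMZ side: validates the caller, binds with the user's own credentials,
    and returns only a status.  It keeps no credential state."""

    def __init__(self, secret: bytes, bind: BindFn, max_skew: int = 300) -> None:
        self.secret = secret
        self.bind = bind
        self.max_skew = max_skew  # seconds of clock drift tolerated

    def handle(self, body: bytes, signature: str,
               now: Optional[float] = None) -> Dict[str, str]:
        now = time.time() if now is None else now
        # 1. Only the SaaS tenant holding the shared secret may submit requests;
        #    an unauthenticated agent on 443 would be a password-checking oracle.
        if not hmac.compare_digest(sign(self.secret, body), signature):
            return {"status": "rejected", "reason": "bad signature"}
        try:
            req = json.loads(body)
        except ValueError:
            return {"status": "rejected", "reason": "malformed body"}
        # 2. Reject requests outside the allowed clock-skew window.
        ts = req.get("ts")
        if isinstance(ts, bool) or not isinstance(ts, (int, float)) \
                or abs(now - ts) > self.max_skew:
            return {"status": "rejected", "reason": "stale timestamp"}
        # 3. Both fields must be non-empty strings.  An empty password would
        #    turn the LDAP simple bind into an anonymous bind that succeeds.
        username, password = req.get("username"), req.get("password")
        if not isinstance(username, str) or not isinstance(password, str) \
                or not username or not password:
            return {"status": "rejected", "reason": "missing credentials"}
        # 4. Bind with the user's own credentials and report success/failure
        #    only: no DN, no group data, nothing that separates "unknown user"
        #    from "wrong password".
        return {"status": "ok" if self.bind(username, password) else "failed"}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    agent = AuthAgent(secret, make_memory_bind({"alice": "correct horse"}))
    body, sig = build_request(secret, "alice", "correct horse", time.time())
    print(agent.handle(body, sig))                      # {'status': 'ok'}
    body, sig = build_request(secret, "alice", "wrong", time.time())
    print(agent.handle(body, sig))                      # {'status': 'failed'}
```

In a deployment the `bind` callback would open an LDAPS connection to the domain controller from inside the DMZ and attempt the simple bind; the agent never needs a service account with directory read rights for this, and the SaaS side never sees anything but the status word.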
