设置STS,但保持在formsauthentication Web应用程序 [英] Set up STS but keep formsauthentication in webapp
问题描述
我能够在现有的Web应用程序的Windows标识基础。
我要一塌糊涂少与现有的代码possile所以我想登录它使用formsauthentication页留在应用程序中,如果用户输入经由特定页面例如im_comming_from_some_other_site.aspx应用程序I只是在STS连接。
在im_comming_from_some_other_site.aspx代码会是这样:
的Page_Load(...)
{
如果(verifyAgainstSTS()
{
FormsAuthentication.SetAuthCookie(小于some_STS_Userid),...)
响应。重定向(Default.aspx的)
}
,否则
{
的Response.Redirect(HTTP://< STS_server_name /< STS_service ...等>中)
}
}
有没有人谁知道,如果这可以被完成,怎么样?
(当然,将需要的任何环节为示例代码(如果可用)对此深表赞赏。
部分代码时确定何时认证超时怎么办。要么去当地的登录页面或转到STS-登录页面)
我知道这似乎是一个不好的设计,不会全部用STS的方式,但我需要实现这个ASAP和我想保持原来的站点不变越好。
这是不是一个糟糕的设计,这是你的要求,您尝试完成它。我们已经建立的工作类似的系统,它是不是火箭科学。唯一的区别是,我们切换到表格/ SAM静态(通过全局设置),而不是动态的。
总之,你把你的窗体身份验证在的web.config ,这样,当有当前用户没有授权,形式请求重定向到登录页面。
在登录页面你有两种选择。一个创建形式使用网站莫名其妙。
其他选项涉及WIF的 FederatedPassiveSignIn 控制。
如果用户打开窗体身份验证,设置cookie和你做。
如果用户遵循STS登录控制,迟早他/她会回来与有效的SAML令牌。在 FederatedPassiveSignIn 将自动把它捡起来,你只处理在 SignedIn 事件重定向。
您甚至不需要在如果你在你的问题提了。
有一个从我记得一个警告。当用户通过STS认证,创建了WS联合饼干,你可以阅读索赔等一切正常。
但是,如果用户是通过身份验证的形式,在SAM(SessionAuthenticationModule)将通过在每次请求(我想这是因为SAM是后来形成认证模块管道)ASP.NET管道WS联合饼干更换形式的cookie。
这不会弄脏你的 context.User.Identity.IsInRole(...)还授权工作正常,因为SAM将用户角色复制到相应的索赔
不过,如果在你的代码中的任何地方,你尝试直接从形式的cookie(而不是使用一般的API)中提取信息,你可以找出表格即使用户被排在首位的形式认证(以及Cookie不存在,因为它会通过WS联合饼干代替)cookie是不存在的。
I'm enabling an windows identity foundation on an existing webapp.
I want to mess as little as possile with the existing code so I would like to the login page which uses formsauthentication left in the application and I just connect with the STS if the user enters the application via a specific page e.g "im_comming_from_some_other_site.aspx".
in the "im_comming_from_some_other_site.aspx" the code would be like:
Page_Load(...)
{
if(verifyAgainstSTS()
{
FormsAuthentication.SetAuthCookie(<some_STS_Userid), ...)
Response.Redirect("default.aspx")
}
else
{
Response.Redirect("http://<STS_server_name/<STS_service...etc>")
}
}
Is there someone who knows if this may be done and how? Any links to example code (if available) deeply appreciated.
(Of course some code would be needed when to determine what to do when the authentication is timed out; either go to local login page or goto STS-login page)
I know this may seem like a bad design, not going all the way with STS, but I need to implement this ASAP and I want to keep the original site as untouched as possible.
It is not a bad design, it's your requirement and you try to fulfill it. We have working system built like that and it's not a rocket science. The only difference is that we switch it to forms/sam statically (via global settings), not dynamically.
Anyway, you keep your forms authentication in web.config so that when there's no authorization for current user, forms redirects the request to the login page.
In the login page you have two options. One creates the forms cookie somehow.
The other option involves WIF's FederatedPassiveSignIn control.
If a user follows forms authentication, the cookie is set and you are done.
If a user follows the STS login control, sooner or later he/she will come back with valid SAML token. The FederatedPassiveSignIn will pick it up automatically and you just handle the redirect in the SignedIn event.
You will even not need the if you mention in your question.
There's one caveat from what I remember. When a user is authenticated by STS, the WS-Federation cookie is created, you can read claims etc. Everything works.
However, if a user is authenticated by forms, the SAM (SessionAuthenticationModule) will REPLACE forms cookie by the WS-Federation cookie in ASP.NET pipeline upon EACH request (I guess it's because the SAM is later in the pipeline that forms authentication module).
This will NOT blow up your context.User.Identity.IsInRole(...) also authorization works correctly because SAM will copy user roles to corresponding claims.
However, if at any place in your code you try to extract information directly from the forms cookie (instead of using general APIs), you could find out that the forms cookie is not present even if the user was authenticated by forms in first place (and the cookie is not present because it will be replaced by the WS-Federation cookie).
这篇关于设置STS,但保持在formsauthentication Web应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
