
Configuring WIF with Forms Authentication and AD FS

Updated: 2023-02-16 16:57:00

We have an ASP.NET Web Forms (.NET 3.5) website application that uses forms authentication. The application has different customized authentication services which use different SSO methods (e.g. CAS) to validate users; those were implemented for different clients. Now the requirement is to implement an AD FS based authentication service without making core changes to the Forms Authentication configuration.

My questions:

  1. How to configure SAM in a .NET 3.5 website?
  2. Instead of redirecting to the STS, is it possible to pass the user name and password from my login page to the AD FS proxy and get a SAML response?
  3. My intention is to read a custom attribute value (e.g. employee number) from the SAML response and proceed with the current authentication module. Is it possible?

This question is based on a discussion in AD FS and forms Authentication; any help will be greatly appreciated.

  1. The snippet I posted as an answer in the previous question should more or less work under .NET 3.5 (some APIs have changed, but not so much that you couldn't figure it out).

  2. Although this is possible, I guess this is a bad idea. This is because ADFS could be configured to use some other means of authentication than username/password. For example, they could enable Windows Integrated Authentication. Or they could delegate the authentication to another provider that uses two-factor auth involving text messages. All this means it is more reliable to follow the passive WS-Fed flow, where your app redirects to the login page of the provider rather than passing the username/password collected by your app to the provider.

  3. The SAML validation in the snippet ends up with the ClaimsIdentity that represents the principal from the token. This is where you just enumerate claims and search for the one you want:

    var identity = .. Validate saml token ..;   // yields the ClaimsIdentity for the token's principal

    foreach (var claim in identity.Claims)
    {
        if (claim.Type == employeeNumberClaimType)
            // Use the claim to establish a local forms auth session
            FormsAuthentication.SetAuthCookie(claim.Value, false);
    }
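A worked version of step 3, added here as an example and not the answerer's code: it picks the employee-number claim out of a validated ClaimsIdentity, requires that it come from the expected issuer and that there is exactly one value, and only then builds the local forms-authentication ticket. It assumes the .NET 4.5 System.Security.Claims types (on the .NET 3.5/WIF stack the equivalents live in Microsoft.IdentityModel.Claims, where the property is ClaimType rather than Type); the claim type and issuer URIs are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Claims;   // assumption: .NET 4.5+ types; WIF on .NET 3.5 uses Microsoft.IdentityModel.Claims
using System.Web.Security;      // FormsAuthenticationTicket (System.Web.dll, .NET Framework)

public static class ClaimsToFormsAuth
{
    // Placeholder claim type and issuer; in practice both come from the relying-party trust configured in AD FS.
    public const string EmployeeNumberClaimType = "http://example.org/claims/employeenumber";
    public const string TrustedIssuer = "http://adfs.example.org/adfs/services/trust";

    // Turns a validated ClaimsIdentity into the local forms-auth ticket.
    // Returns null unless exactly one employee-number claim from the trusted issuer is present.
    public static FormsAuthenticationTicket BuildTicket(ClaimsIdentity identity, DateTime issuedAt)
    {
        if (identity == null || !identity.IsAuthenticated)
            return null;

        // A matching claim type is not enough: the issuer must be the AD FS instance we trust.
        var employeeNumbers = identity.Claims
            .Where(c => c.Type == EmployeeNumberClaimType && c.Issuer == TrustedIssuer)
            .Select(c => c.Value)
            .Distinct()
            .ToList();

        // Missing or ambiguous employee number: fail closed rather than guess which local user to sign in.
        if (employeeNumbers.Count != 1)
            return null;

        // Version 2 ticket, 20-minute lifetime, non-persistent; UserData records the authentication source.
        return new FormsAuthenticationTicket(2, employeeNumbers[0], issuedAt, issuedAt.AddMinutes(20),
                                             false, "source=adfs", "/");
    }

    public static void Main()
    {
        var now = DateTime.UtcNow;
        // Constructed identities standing in for the output of SAML token validation.
        Func<string, string, ClaimsIdentity> make = (value, issuer) => new ClaimsIdentity(
            new[] { new Claim(EmployeeNumberClaimType, value, ClaimValueTypes.String, issuer) }, "Federation");
        var good = BuildTicket(make("E1234", TrustedIssuer), now);
        Console.WriteLine("trusted issuer   -> " + (good == null ? "rejected" : "ticket for " + good.Name));
        Console.WriteLine("untrusted issuer -> " + (BuildTicket(make("E9999", "http://other.example.org"), now) == null ? "rejected" : "accepted"));
        // Two different employee numbers in one token (constructed): ambiguous, so rejected.
        var ambiguous = new ClaimsIdentity(new[] {
            new Claim(EmployeeNumberClaimType, "E1", ClaimValueTypes.String, TrustedIssuer),
            new Claim(EmployeeNumberClaimType, "E2", ClaimValueTypes.String, TrustedIssuer) }, "Federation");
        Console.WriteLine("two numbers      -> " + (BuildTicket(ambiguous, now) == null ? "rejected" : "accepted"));
    }
}
```

In the web application the returned ticket would be encrypted with FormsAuthentication.Encrypt and written to the FormsAuthentication.FormsCookieName cookie; the console Main only shows which identities are accepted.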