问题描述

我们有几个使用我们的Web应用程序（而不是Intranet）的客户，一些客户希望他们的登录名应与他们的组织Active Directory集成在一起。
他们只希望该用户登录他们的Windows帐户并可以访问Web应用程序而无需输入任何用户凭据。

We have several customer using our web application (not intranet), some customers want their login should be integrated with their organizations Active Directory.They just want that user should login to their windows account and can access the web application without entering any user credentials.

我已经阅读了一些有关ADFS的文章，但仍然不确定如何整合或实施。
任何建议的解决方案吗？

I have read some articles regarding ADFS, but still not sure how to integrate that or implement it.Any proposed solution ?

谢谢！

推荐答案

如果您开发基于.NET的应用程序，则Microsoft将提供一个名为，用于以一种+舒适的方式与AD FS进行通信（配置+进行少量代码修改即可从AD FS提供的身份验证消息中获取声明）。

If you develop a .NET based application, Microsoft provides a library called WIF, which is used to communicate with the AD FS in a +- comfortable way (configuration + little code adaptations to get the claims from the authentication message provided by the AD FS).

为了使SSO正常工作，AD FS 2.0和WIF都支持很少的协议，最常见的协议是（afaik）和WS-Federation。两者都是基于XML消息构建的，但是如果您使用WIF，则不需要知道详细信息。

There are few protocols that both AD FS 2.0 and WIF support, to make the SSO work, the most common ones are (afaik) SAML 2.0 and WS-Federation. Both are built on XML messages, but you are not required to know the details, if you use WIF.

对于WS-Federation，WIF库提供了Visual插件Studio，它允许您使用AD FS将站点配置为依赖方。

For WS - Federation, the WIF library provides a plugin for Visual Studio, which allows you to configure your site as the relying party with your AD FS.

您可以使用数据库中的凭据来识别用户，实际上您可以 AD FS的整个登录页面和身份验证事件。但是，基本安装要求在Active Directory中定义每个用户。您还可以将数据库用作声明存储（另一个数据库AD FS将使用该数据库向依赖的应用程序提供有关用户的信息）。请注意，如果您打算在AD FS后面使用AD，则您的AD FS服务必须能够访问它并通过LDAP查询它，如果您的用户登录到其本地域，则用户不确定该服务是否对您有用。

You CAN use the credentials within your DB to identify users, you can actually customize AD FS's entire login page and authentication events. However the basic installation requires each user to be defined within your Active Directory. You can also use your DB as a claims store (another data base AD FS will use to provide the relying applications with information about users). Note that if you intend to use an AD behind the AD FS, your AD FS service must be able to access it and LDAP query it, which I'm not sure will work for you, if your users login to their local domain that the AD FS is not familiar with.

如果您不需要支持行业SSO标准协议（我已经提到过SAML 2.0），我不确定实现AD FS是否会是一个很好的解决方案。它迫使您以某种方式工作，而这并不总是那么舒适。

IF you are not required to support industry SSO standard protocols (SAML 2.0 I've mentioned), I'm not sure implementing AD FS will be such a good solution. It forces you to work in a certain way, which is not always that comfortable.

这篇关于与Active Directory集成的.NET应用程序的单点登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！