Windows Identity Foundation - third-party Security Token Servers
I'm trying to get my head around all the claims-based Windows Identity Foundation magic.
Assuming I don't want to use ADFS, one thing that isn't clear to me is whether it's best to roll your own STS using WIF to do some of the hard work or to rely on a third party.
And if it is the third-party option - what third-party STSs are there?
Comments (4)
Safewhere*Identify is a third-party STS built on WIF, but supporting additional protocols and with a more pluggable architecture than ADFS 2.
Full Disclosure: I work for Safewhere and am heavily involved in both architecting and developing the product.
You should never roll your own STS (if you can avoid it). Creating an STS suited for a developer demo is trivial, but a world-class, enterprise-caliber STS is no small undertaking. Besides ADFS and Safewhere's STS (which Mark mentioned), the following products include an STS (or they say they support WS-Trust, which implies this):
Also, the Java framework Metro is like WCF + WIF. It has everything you need to create an STS, which you shouldn't do; if, however, you evaluate those products and find that they won't satisfy your needs, rolling your own is your only option.
It all depends on where your authentication information is, of course. If you aren't using AD, but are using something else, then it's up to that provider to supply an STS.
If all you want is something database driven, well there are a few out there, and it depends on what development platform you're happiest with when you come to customise it.
If you're using .NET then you could use the StarterSTS as a starting point (no pun intended).
Travis,
Many of the products you listed are familiar to me from the IdM space. Especially Novell and Oracle...but most of these are either an entire stack or parts of a suite. And all of them will require an identity store and authentication services, right?
For example, to use Novell or Oracle or Ping, you would still need to implement a directory or some other user store, authenticate the users somehow (IWA or login page using a service provided by the product, for instance) and then federate that user to the WIF based RP, right?
How would you suggest comparing these suggestions to a do-it-yourself ADFS implementation?
The reason I ask...
We have already built a core framework and product set based on claims, using WIF to consume those claims. We are now looking at deploying ADFS as an STS, and want to step back first and consider if there is a way to accelerate a real prod deployment. We have been using the starterSTS until now...
We need to support several options for authentication: 1) IWA into the RP using our internal AD for users within our enterprise; 2) provide a way for our customers' users to login using users we own and control as their IDP (assuming a new directory for them, separate from our internal AD); and 3) external IDPs where our customers authenticate the users and federate into us.
Option 2 is something we need some authentication service for...so since we can not get away with 100% federated SSO with external IDPs, any third party option must include authentication services.
I looked briefly at the safewhere site and didn't see any usable details about an STS alternative working with WIF. I see some federation product(s) and a WAM product...what exactly do they offer as an STS?
Thanks for any input you might have.