我是否应该使用 IIS 作为可信代理来为旧应用程序提供 ActiveDirectory SSO?
我正在尝试向现有 SOAP 服务器添加 Active Directory 单点登录支持。由于它是使用第三方传输组件用 C++ 编写的,因此添加 AD SSO 似乎并不容易。
因此,我正在考虑要求 IIS 作为受信任的反向代理,并让它为 SOAP 服务器执行 Active Directory 身份验证。也就是说,将所有身份验证职责转移给 IIS,并仅依赖 SOAP 服务器上的 X-Remote-User HTTP 标头。由于 SOAP 客户端使用 WinInet API,因此所有身份验证都为我们完成,这为 SOAP 服务器提供了免费的单点登录。
client
-> IIS (Active Directory authentication)
-> SOAP server (with X-Remote-User: USERID header)
这看起来应该是一个相当常见的问题空间,但是尽管我发现了一些 IIS 代理程序,但我认为这可能是 IIS 内置的东西。
这种功能是内置于 IIS 中的还是我需要自己构建一个代理?
有比需要 IIS 更好的选择吗?
I'm trying to add Active Directory single-sign-on support to an existing SOAP server. Since it is written in C++ using third party transport components, adding AD SSO doesn't appear to be easy.
Therefore I am thinking to require IIS as a trusted reverse-proxy and let it do the Active Directory authentication for the SOAP server. That is, offload all authentication duties to IIS, and just rely on the X-Remote-User HTTP header at the SOAP server. Since the SOAP client is using the WinInet API, all of the authentication is done for us, and this give the SOAP server single-sign-on for free.
client
-> IIS (Active Directory authentication)
-> SOAP server (with X-Remote-User: USERID header)
This appears that it should be a fairly common problem space, however although I have found a few IIS proxy programs, I thought that this may be something built into IIS.
Is this sort of functionality built into IIS or do I need to build a proxy myself?
Is there a better option than requiring IIS?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论