如何在 ASP.NET SaaS 应用程序中对来自另一个域的用户进行身份验证?
我们有一个作为服务提供的 ASP.NET Web 应用程序(它是托管的并且可以在 Web 上访问)。我们使用表单身份验证,我们的用户必须输入用户名/密码才能连接到我们的应用程序。我们的一些客户要求我们通过使用用户自己的 Active Directory 对用户进行身份验证来支持单点登录。
我们的应用程序对每个客户都有不同的 URL
www.ourapp.com/client1/
www.ourapp.com/client2/
www.ourapp.com/client3/
,并且每个 URL 都有自己的 web.config 文件(其中可以指定 asp.net 设置,并且每个客户的设置可能有所不同)。
- 我必须在 ASP.NET 应用程序中更改哪些内容才能支持该功能?
- 我必须对 Windows 服务器配置进行哪些更改?
- 客户需要做什么才能实现这一点?
问候,
We have an ASP.NET web application that we offer as a Service (it's hosted and it's accessible on the Web). We use Forms Authentication and our users have to enter a username/password to connect to our application. Some of our customers ask that we support single sign-on by authenticating users with their own Active Directory.
Our application has a different URL for each customer
www.ourapp.com/client1/
www.ourapp.com/client2/
www.ourapp.com/client3/
and each URL has its own web.config file (where asp.net settings can be specified and can vary for each customer).
- What do I have to change in my ASP.NET application to support that?
- What do I have to change on my Windows server configuration?
- What will the customer have to do on his side to enable that?
Regards,
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
检查如何:在 ASP.NET 2.0 中通过 Active Directory 使用表单身份验证简而言之,您配置 ActiveDirectoryMembershipProvider 来使用客户的 AD 验证每个用户名/密码。客户必须为您创建一个允许执行验证的 AD 帐户 - 这对于某些客户来说可能是个问题。此外,您的代码将处理用户在其内部网络中使用的实际用户名/密码,这对客户来说可能是一个更大的问题。
更安全的解决方案是使用联合(使用 ADFS) 或使用 Windows Identity Foundation 进行声明身份验证。在这种情况下,您“只需”在您的域和他们的域之间设置信任关系。
Check How To: Use Forms Authentication with Active Directory in ASP.NET 2.0 In short, you configure an ActiveDirectoryMembershipProvider to verify each username/password with the customer's AD. The customer must create an AD account for you that is allowed to perform the verification - which may be a problem with some customers. What's more, your code will handle the actual username/password used by users in their internal network, which can be an even bigger problem with customers.
A more secure solution is to use federation (using ADFS) or Claims Authentication using Windows Identity Foundation. In this case you "only" have to set trust relations between your domain and theirs.