真的有人在使用 Active Directory 联合身份验证服务吗?这是一项值得投资的技术吗?
更一般地说,谁在 Windows 平台上成功使用了 WIF/ADFS/SSO,它是否值得实施,以及它将成为持久技术的可能性有多大?
从表面上看,通过阅读一些白皮书 (PDF), 文章和书籍 ,这似乎是一个完美的解决方案 - 特别是对于拥有内部网站的公司来说,该网站也向外部用户和合作伙伴(或计划在未来)公开一定程度的功能。但这听起来几乎太完美。我掌握的大部分信息都来自微软本身。
我想我的具体问题是:
- 这是一项持久的技术并且值得投资(特别是对于规模较小(<50 人)的公司)?
- 有没有大公司正在积极使用它?
- 如果我们希望其他人为他们的公司提供作为可信发行人的身份验证,那么合作伙伴愿意设置 STS 的可能性有多大?这里会有很多阻力吗?
- 这最终会成为一场配置噩梦吗?
- 在决定是否实施这一点时,是否还有其他需要注意的陷阱?
More generally, who is successfully using WIF/ADFS/SSO on the Windows platform, and is it worth implementing, and what is the likeliness it will be a lasting technology?
On the surface, from reading a few whitepapers (PDF), articles and books on the subject, this seems like the perfect solution -- especially for a company that has an internal web site that exposes some level of functionality to external users and partners as well (or plans to in the future). But it sounds almost too perfect. And most of the information I have comes from Microsoft themselves.
I guess my specific questions are:
- Is this a lasting technology and worth investing in (and specifically for a smaller sized (<50 ppl) company)?
- Are there any major companies out there that are actively using this?
- How likely is it that a partner would be willing to setup an STS if we wanted someone else to provide authentication for their company as a trusted issuer? Is there going to be a lot of push-back here?
- Is this going to end up being a configuration nightmare?
- Are there any other pitfalls to look out for when deciding whether to implement this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
随着越来越多的应用程序迁移到云和在线服务,您将看到 ADFS 和其他联合身份技术的使用量增加。由于拥有成本较低,投资 Active Directory 的组织可能会转向此解决方案。
这是一项持久的技术并且值得投资(特别是对于规模较小(<50 人)的公司)?
有没有大公司正在积极使用它?
如果我们希望其他人为他们的公司提供作为可信发行人的身份验证,那么合作伙伴愿意设置 STS 的可能性有多大?这里会有很多阻力吗?
这最终会成为一场配置噩梦吗?
在决定是否实施这一点时,是否还有其他需要注意的陷阱?
As more applications are moved to the cloud and to online services you will see ADFS and other federated identity technologies increase in usage. Organizations with investments in Active Directory will likely move to this solution due the low cost of ownership.
Is this a lasting technology and worth investing in (and specifically for a smaller sized (<50 ppl) company)?
Are there any major companies out there that are actively using this?
How likely is it that a partner would be willing to setup an STS if we wanted someone else to provide authentication for their company as a trusted issuer? Is there going to be a lot of push-back here?
Is this going to end up being a configuration nightmare?
Are there any other pitfalls to look out for when deciding whether to implement this?
根据我的经验:
与 WIF 结合,ADFS 提供:
针对 ASP.NET 应用程序的标准“外包”身份验证/授权。一旦应用程序具有声明感知能力,您就可以在 ADFS/ACS 端进行更改,并且应用程序不会更改。
提供具有非 .NET 解决方案的联合设施,例如 OpenSSO 和 Tivoli。
允许(通过 ACS)使用现有登录名,例如 Facebook / Google。
为应用程序迁移到云 (Azure) 提供了潜力。
Sharepoint 2010 的标准声明感知功能。
我见过的实现主要针对试图实施某种整体 I&AM 的大型公司。当公司同时拥有 .Net 和 Java 应用程序时,它尤其有用。
同样在新西兰,我们有一个 igovt 登录名,它为所有政府部门提供一个登录名,这可能是“使用现有登录名”的候选者,而不是创建公司特定的登录名。 igovt 可以与 ADFS 联合。
根据我的经验,主要的缺陷是它不适用于经典 ASP。它必须是 ASP.NET。
回答您的其他问题:
希望允许外部访问其应用程序的大型公司宁愿实施 STS,也不愿在其身份存储库中配置外部用户。
配置并不简单,但肯定不会成为一场噩梦。
From my experience:
In conjunction with WIF, ADFS offers:
Standard "outsourced" authentication / authorisation for ASP.NET applications. Once the applications are claims aware, you can make changes on the ADFS / ACS side and the application doesn't change.
Provides federation facilities with non .NET solutions e.g. OpenSSO and Tivoli.
Allows (via ACS) use of existing logins e.g. Facebook / Google.
Provides potential for applications to migrate to the cloud (Azure).
Standard claims-aware functionality for Sharepoint 2010.
The implementations I've seen are mainly for larger companies trying to put some kind of overall I&AM in place. It's especially useful when companies have both .Net and Java applications in place.
Also in NZ, we have an igovt login which provides one login to all governments departments and this is a possible candidate for "use an existing login" rather than creating a company specific one. igovt can federate with ADFS.
Main pitfall in my experience is that it doesn't work for classic ASP. It has to be ASP.NET.
To answer your other questions:
Larger companies who want to allow external access to their applications would far rather implement an STS than provision external users in their identity repository.
Configuration is not trivial but certainly doesn't become a nightmare.