真的有人在使用 Active Directory 联合身份验证服务吗?这是一项值得投资的技术吗?

发布于 2024-10-28 03:09:17 字数 1060 浏览 6 评论 0原文

更一般地说,谁在 Windows 平台上成功使用了 WIF/ADFS/SSO,它是否值得实施,以及它将成为持久技术的可能性有多大?

从表面上看,通过阅读一些白皮书 (PDF), 文章书籍 ,这似乎是一个完美的解决方案 - 特别是对于拥有内部网站的公司来说,该网站也向外部用户和合作伙伴(或计划在未来)公开一定程度的功能。但这听起来几乎完美。我掌握的大部分信息都来自微软本身。

我想我的具体问题是:

  • 这是一项持久的技术并且值得投资(特别是对于规模较小(<50 人)的公司)?
  • 有没有大公司正在积极使用它?
  • 如果我们希望其他人为他们的公司提供作为可信发行人的身份验证,那么合作伙伴愿意设置 STS 的可能性有多大?这里会有很多阻力吗?
  • 这最终会成为一场配置噩梦吗?
  • 在决定是否实施这一点时,是否还有其他需要注意的陷阱?

More generally, who is successfully using WIF/ADFS/SSO on the Windows platform, and is it worth implementing, and what is the likeliness it will be a lasting technology?

On the surface, from reading a few whitepapers (PDF), articles and books on the subject, this seems like the perfect solution -- especially for a company that has an internal web site that exposes some level of functionality to external users and partners as well (or plans to in the future). But it sounds almost too perfect. And most of the information I have comes from Microsoft themselves.

I guess my specific questions are:

  • Is this a lasting technology and worth investing in (and specifically for a smaller sized (<50 ppl) company)?
  • Are there any major companies out there that are actively using this?
  • How likely is it that a partner would be willing to setup an STS if we wanted someone else to provide authentication for their company as a trusted issuer? Is there going to be a lot of push-back here?
  • Is this going to end up being a configuration nightmare?
  • Are there any other pitfalls to look out for when deciding whether to implement this?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

我不吻晚风 2024-11-04 03:09:18

随着越来越多的应用程序迁移到云和在线服务,您将看到 ADFS 和其他联合身份技术的使用量增加。由于拥有成本较低,投资 Active Directory 的组织可能会转向此解决方案。

这是一项持久的技术并且值得投资(特别是对于规模较小(<50 人)的公司)?

  • 如果您计划向其他公司提供托管服务或计划自己利用这些服务,ADFS 可以提供一种相当轻松的方式来利用您当前的安全基础设施。
  • 如果实施得当,用其他产品替换联邦产品应该相当简单。

有没有大公司正在积极使用它?

  • 我只熟悉我工作过的一个政府组织,但我确信还有其他组织。联合身份的性质使得很难从外部识别谁。

如果我们希望其他人为他们的公司提供作为可信发行人的身份验证,那么合作伙伴愿意设置 STS 的可能性有多大?这里会有很多阻力吗?
这最终会成为一场配置噩梦吗?

  • 配置是ADFS最困难的部分。但是,一旦建立了信任关系并创建了策略,配置就不再需要担心了。
  • 其他公司要么拥有支持 ADFS 的基础设施,要么没有。即使 .NET 应用程序也需要更改配置才能支持 ADFS,并且更有可能需要更改代码才能完全支持联合身份模型。如果您的合作伙伴做到了这一点,他们很可能会很乐意信任您的 STS。
  • 询问您的合作伙伴已有哪些基础设施,他们今天可能已经拥有或正在规划基础设施。

在决定是否实施这一点时,是否还有其他需要注意的陷阱?

  • 我遇到的最困难的问题是改变应用程序开发人员的做法。
  • 应用程序要么需要围绕联邦进行设计,要么需要用它进行改造。
  • 如果不注销所有 ADFS 应用程序,则无法注销 ADFS 应用程序。
  • 当联合会话过期时,您必须将用户发送回联合服务以获取新票证。如果处理不当,可能会导致发布数据丢失。

As more applications are moved to the cloud and to online services you will see ADFS and other federated identity technologies increase in usage. Organizations with investments in Active Directory will likely move to this solution due the low cost of ownership.

Is this a lasting technology and worth investing in (and specifically for a smaller sized (<50 ppl) company)?

  • If you plan on either providing hosted services to other companies or plan on taking advantage of them yourselves ADFS provides a fairly painless way to take advantage of your current security infrastructure.
  • If properly implemented it should be fairly simple to replace on federation product with another.

Are there any major companies out there that are actively using this?

  • I'm only familiar with a government organization I've worked on, but I'm sure there are others. The nature of federated identity make if difficult to externally identify who.

How likely is it that a partner would be willing to setup an STS if we wanted someone else to provide authentication for their company as a trusted issuer? Is there going to be a lot of push-back here?
Is this going to end up being a configuration nightmare?

  • Configuration is the most difficult part of ADFS. However, once you have the trust relationships built and policies created configuration will be hands off.
  • Other companies will either have the infrastructure in place to support ADFS or won't. Even .NET applications require configuration changes to support ADFS and more likely will require code changes to fully support the federated identity model. If your partners have this in place it is likely they'll happily trust your STS.
  • Ask your what your partners have in place, they may already have or be planning infrastructure today.

Are there any other pitfalls to look out for when deciding whether to implement this?

  • The most difficult problem I ran into was changing application developer practices.
  • Applications need to either be designed around Federation or will need to be retrofitted with it.
  • You can't logout of an ADFS application without logging out of all ADFS applications.
  • When a federated session expires you must send a user back to the federation service for a new ticket. This could cause loss of post data if not handled properly.
陌生 2024-11-04 03:09:18

根据我的经验:

与 WIF 结合,ADFS 提供:

  • 针对 ASP.NET 应用程序的标准“外包”身份验证/授权。一旦应用程序具有声明感知能力,您就可以在 ADFS/ACS 端进行更改,并且应用程序不会更改。

  • 提供具有非 .NET 解决方案的联合设施,例如 OpenSSO 和 Tivoli。

  • 允许(通过 ACS)使用现有登录名,例如 Facebook / Google。

  • 为应用程序迁移到云 (Azure) 提供了潜力。

  • Sharepoint 2010 的标准声明感知功能。

我见过的实现主要针对试图实施某种整体 I&AM 的大型公司。当公司同时拥有 .Net 和 Java 应用程序时,它尤其有用。

同样在新西兰,我们有一个 igovt 登录名,它为所有政府部门提供一个登录名,这可能是“使用现有登录名”的候选者,而不是创建公司特定的登录名。 igovt 可以与 ADFS 联合。

根据我的经验,主要的缺陷是它不适用于经典 ASP。它必须是 ASP.NET。

回答您的其他问题:

  • 希望允许外部访问其应用程序的大型公司宁愿实施 STS,也不愿在其身份存储库中配置外部用户。

  • 配置并不简单,但肯定不会成为一场噩梦。

From my experience:

In conjunction with WIF, ADFS offers:

  • Standard "outsourced" authentication / authorisation for ASP.NET applications. Once the applications are claims aware, you can make changes on the ADFS / ACS side and the application doesn't change.

  • Provides federation facilities with non .NET solutions e.g. OpenSSO and Tivoli.

  • Allows (via ACS) use of existing logins e.g. Facebook / Google.

  • Provides potential for applications to migrate to the cloud (Azure).

  • Standard claims-aware functionality for Sharepoint 2010.

The implementations I've seen are mainly for larger companies trying to put some kind of overall I&AM in place. It's especially useful when companies have both .Net and Java applications in place.

Also in NZ, we have an igovt login which provides one login to all governments departments and this is a possible candidate for "use an existing login" rather than creating a company specific one. igovt can federate with ADFS.

Main pitfall in my experience is that it doesn't work for classic ASP. It has to be ASP.NET.

To answer your other questions:

  • Larger companies who want to allow external access to their applications would far rather implement an STS than provision external users in their identity repository.

  • Configuration is not trivial but certainly doesn't become a nightmare.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文