AWS ALB supports integration with OpenID Connect (OIDC) providers such as Azure AD (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#oidc-requirements). Same for AWS Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html)
Azure AD supports single-tenant as well as multi-tenant identity apps. Multi-tenant apps permit authentication of Azure IDs across multiple tenants. For single-tenant apps, the endpoints needed for OIDC integration hardcode the Azure tenant ID in the path. However, for multi-tenant apps, Azure AD provides a "/common" alias instead of an enumerated tenant ID. (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-your-code-to-send-requests-to-common)
However, the token issuer in the case of Azure multi-tenant apps does include the actual tenant ID of the authenticated user. It is this step that trips up AWS OIDC integration.
For example, the Issuer field in the ALB configuration for OIDC auth does not permit regex or wildcards. As a result, only one Issuer URL can be provided, which can then reference the tenant ID of exactly one Azure AD tenant. This limits the auth to one tenant of Azure only, vs. the expected multi-tenant support. Although the example below is for ALB, similar concerns are raised about Cognito here: https://www.thelambdablog.com/azure-ad-multi-tenancy-issue-in-aws-cognito
Currently we have to move the authentication into our target application itself, but the goal is to offload this to the ALB.
Questions
- Any workaround in AWS that will allow us to specify more than 1 issuer URL (setting up multiple ALB rules, one for each Azure AD tenant, would not scale)? Either from the UI or via CLI?
- Any workarounds in Azure AD that will use a predictable issuer URL for multi-tenant apps, which would then be configured in AWS?
- Any other suggestions?
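Added example (not code from the original post or from AWS/Azure) showing why a single fixed Issuer value cannot cover a multi-tenant Azure AD app, and what the application-side check the poster currently relies on has to do instead: validate the issuer per tenant against an allowlist and against the token's tid claim. Assumed: the Azure AD v2.0 issuer format https://login.microsoftonline.com/{tenant-id}/v2.0, constructed tenant IDs and audience, and that the token signature has already been verified before these claims are examined.

```python
import re

# Constructed example values (assumptions, not from the original post).
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}
EXPECTED_AUDIENCE = "00000000-aaaa-bbbb-cccc-000000000000"  # app (client) ID, constructed

# Azure AD v2.0 issuer format: the tenant ID is embedded in the URL, so a
# multi-tenant app sees a different issuer for every tenant. The "/common"
# alias only exists on the authorize/token endpoints; tokens are never
# issued with "/common" as the iss value.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
_TENANT_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def single_issuer_check(claims: dict, configured_issuer: str) -> bool:
    """Equivalent to a fixed Issuer setting such as ALB's: exact match only,
    so tokens from any other tenant are rejected."""
    return claims.get("iss") == configured_issuer


def multi_tenant_issuer_check(claims: dict,
                              allowed_tenants=ALLOWED_TENANTS,
                              audience: str = EXPECTED_AUDIENCE) -> bool:
    """Accept a (signature-verified) token only if:
    - the tid claim is a well-formed tenant ID on the allowlist,
    - the iss claim is exactly the per-tenant issuer URL for that tid,
    - the aud claim is this application.
    An allowlist is used instead of a wildcard so that any Azure AD tenant
    cannot obtain access just by signing up to the multi-tenant app."""
    tid = claims.get("tid", "")
    if not _TENANT_RE.match(tid) or tid not in allowed_tenants:
        return False
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        return False
    return claims.get("aud") == audience
```

The allowlist is the part a wildcard issuer would lose: consistency between iss and tid alone proves only that some Azure AD tenant issued the token, not that it is one of yours.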
