Question
I have set up a basic IdentityServer that is up and running. I'm using Identity Manager and Identity Admin to keep everything (users, roles, claims, clients, scopes) in a database. The next step is to integrate authentication with AD. My requirements are:
- Users will be authenticated against AD.
- User permissions (claims/roles) will be stored in the database (as they are now).
- Depending on the client application, I have three different scenarios:
  - In some cases, the identity of the current user should be used (I guess for this to work, IdentityServer should run with Windows Authentication). The user should not be prompted for anything.
  - In some cases, the user has to explicitly log in. He can either use the current login, or
  - manually enter a username and password that will be validated against AD.
I'm looking for some pointers/direction on how to proceed. Should I handle the login sequence completely myself, is there something similar I can base my solution on, etc.?
Any help is appreciated.
Answer 1:
After some digging around:
This example in idsrv shows how to run Windows authn in a separate web app and how to use WS-Fed to delegate to that web app. This is also explained in this issue.
This blog post by Scott Brady shows how to configure ADFS to allow idsrv as a relying party and how to delegate to ADFS with WS-Fed to allow username/password login on ADFS.
If you use both of these WS-Fed delegations, make sure to use different values for AuthenticationType.
What you could do is force the user to try winauth first, by adding acr_values and idp to your first redirect and setting idp to the name of the winauth external IdP. See the idsrv docs here.
If that fails, you could use this technique to detect the failure to log in from the external winauth provider and redirect to the ADFS provider automatically.
If for some reason you do reach the login page, you can disable local login (not show the username/password input fields), and the external providers (winauth and ADFS) will by default just show up as buttons.
Edit:
Yes, you would add an additional web app next to idsrv; that avoids having to run idsrv with Windows integrated authentication.
The flow for the user with winauth would be:
client app -> IdSrv (login page) -> WinAuthHost -> IdSrv (auth endpoint)-> client app
Actually, if successful, the user would most likely only see the client app and one screen in the WinAuthHost and never see idsrv.
If the user is not logged into Windows (or not into the correct domain), then the flow would be like this:
client app -> IdSrv (login page) -> WinAuthHost -> IdSrv login (auth endpoint, fails) -> ADFS -> IdSrv login (auth endpoint) -> client app
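An added example, not part of the question or the answer above, of the IdentityServer3 host setup the answer describes: two WS-Federation external providers (the separate Windows-auth web app and ADFS) registered with distinct AuthenticationType values, local login disabled so only those two show up as buttons, and the client-side OpenID Connect redirect that pre-selects the Windows provider with acr_values=idp:<name>. The hostnames, realms, client id, the provider names "windows" and "adfs", and the LoadSigningCertificate/BuildFactory helpers are assumptions; the detect-failure-and-fall-back technique the answer links to is not reproduced here.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using IdentityServer3.Core.Configuration;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.WsFederation;
using Owin;

namespace IdSrvHost
{
    // IdentityServer3 host: local login off, two WS-Fed external providers.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var options = new IdentityServerOptions
            {
                SiteName = "IdSrv",
                SigningCertificate = LoadSigningCertificate(),
                Factory = BuildFactory(),
                AuthenticationOptions = new AuthenticationOptions
                {
                    // No username/password form on the IdSrv login page; only the
                    // external providers registered below are offered (as buttons).
                    EnableLocalLogin = false,
                    IdentityProviders = ConfigureIdentityProviders
                }
            };
            app.UseIdentityServer(options);
        }

        // Both providers sign in with the type IdSrv hands us (signInAsType), but
        // each needs its own AuthenticationType: the OWIN middleware keys its
        // correlation cookie and callback handling on it, so two WS-Fed
        // registrations with the same value would clash.
        private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
        {
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                AuthenticationType = "windows",     // what clients select with acr_values=idp:windows
                Caption = "Windows",
                SignInAsAuthenticationType = signInAsType,
                // Assumed: the separate Windows-auth web app publishes WS-Fed metadata here.
                MetadataAddress = "https://winauth.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "urn:idsrv"               // realm the Windows-auth host is configured to trust (assumed)
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                AuthenticationType = "adfs",
                Caption = "Username and password",
                SignInAsAuthenticationType = signInAsType,
                // Assumed ADFS farm; the realm must match the relying-party identifier set up in ADFS.
                MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "urn:idsrv"
            });
        }

        // Hypothetical helpers: load the token-signing certificate and wire up
        // the database-backed stores (users, roles, claims, clients, scopes).
        private static X509Certificate2 LoadSigningCertificate() =>
            new X509Certificate2(@"C:\idsrv\signing.pfx", "changeit");

        private static IdentityServerServiceFactory BuildFactory()
        {
            var factory = new IdentityServerServiceFactory();
            // factory.ClientStore / ScopeStore / UserService = your existing database registrations
            return factory;
        }
    }

    // Client web app side: pre-select the Windows provider on the first redirect.
    public static class ClientAuth
    {
        public static OpenIdConnectAuthenticationOptions Options() =>
            new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://idsrv.example.com",   // assumed
                ClientId = "intranet-app",                  // assumed
                RedirectUri = "https://app.example.com/",   // assumed
                ResponseType = "id_token",
                Scope = "openid profile",
                SignInAsAuthenticationType = "Cookies",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = n =>
                    {
                        // idp:<name> is IdentityServer3's acr_values syntax for skipping
                        // the login page and going straight to that external provider.
                        if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                            n.ProtocolMessage.AcrValues = "idp:windows";
                        return Task.FromResult(0);
                    }
                }
            };
    }
}
```

The WS-Fed middleware validates the incoming token's signature against the signing keys published in each MetadataAddress, so both metadata URLs must be fetched over TLS from hosts you control; the Wtrealm values are what the Windows-auth host and ADFS use to decide they are issuing a token for this IdentityServer, so keep them identical to the relying-party identifiers registered on those sides.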
Source: https://stackoverflow.com/questions/44140157/identityserver-ad-for-authentication-and-the-rest-in-db