问题
I have the following services
- Service1.SomeDomain.com
- Service2.SomeDomain.com
- Service3.SomeDomain.com
I have a Web application that has a client side script that will talk directly to each of the above services to retrieve information
Web.SomeDomain.com
I also have Native Mobile client applications which also will talk directly to each of the above services
- Android
- IOS
- Windows/Windows Phone
Now this application will be a SaaS solution where customers can sign-up online create their own tenant and then create user accounts for there employees and add the employees to groups and change permissions of those groups.
Now i need a solution that a user can log on to a mobile application or Web and it be allowed to gain access to the above mentioned services depending on there groups permissions, but i want strong separation of each tenant
回答1:
Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms. The following should see you through:
- Authentication scenarios supported by AAD (http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx): will answer questions like - how can my mobile app access my multi-tenant web api on behalf of the user, or how can my web app sign-in the user as well as receive a delegated token to access my web api
- AAD integrated multi-tenant SAAS application sample (https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet): covers special techniques for multi-tenant apps
- Authorization using group membership (https://azure.microsoft.com/en-us/documentation/articles/web-sites-authentication-authorization/): describes how you can perform authorization in your application per the group membership of users.
Enjoy. Hope this helps.
来源:https://stackoverflow.com/questions/23522194/multiple-tenant-multiple-platform-multiple-services-single-sign-on-using-azure