我有一个使用Forms身份验证的现有MVC5应用程序.我有一半的用户是Azure AD中也存在的内部员工.我想给他们选择针对AD进行身份验证的选项,但我不希望另一半通过AD.我所见过的所有使用Azure AD身份验证的示例似乎都是全有或全无.
I've got an existing MVC5 application that uses Forms authentication. Half of my users are internal employees that also exist in Azure AD. I'd like to give them the option to authenticate against AD but I don't want the other half to have to go through AD. All of the examples I've seen of using Azure AD authentication seems like an all or nothing thing.
我是否只能在登录表单中添加一个按钮,以便AD用户转到Azure登录并使用令牌重定向回去?我的另一个选择是,如果他们是Azure用户,请从我的登录表单中获取他们的电子邮件/密码,然后尝试使用它连接到AD.这似乎是一种风险,因为我将接触他们的实际网络凭据.
Can't I just add a button to my login form for the AD users to go to the Azure login and get redirected back with a token? My other option is if they are an Azure user, take their email/password from my login form and try to connect to AD with it. This seems like a risk as I'll have exposure to their actual network credentials.
推荐答案我还没有完成它,但是我已经做得足够多了,这对我来说就像是解决方案.我将添加一个指向Azure AD用户的登录页面的链接,该链接指向此处定义的AD OpenID URL:
I haven't completed it yet but I've gotten far enough in that this feels like the solution to me. I'm going to add a link to my login page for Azure AD users that points to the AD OpenID url as defined here:
azure .microsoft/en-us/documentation/articles/active-directory-protocols-openid-connect-code/
我得到的id_token在解压后可以识别用户,如下所示:
The id_token that I get back identifies the user after it's unpacked as detailed here:
azure .microsoft/en-us/documentation/articles/active-directory-v2-tokens/#validating-tokens
更多推荐
混合使用Azure AD身份验证和Forms身份验证
发布评论