14

我的要求是在 asp.net 中使用 SAML2.0 实现 SSO。我确实有 2 个供应商。想要将用户从一个站点传递到另一个站点而不登录第二个站点。我以前从未使用过 SAML2.0。任何人都可以帮助我如何完成它。

4

5 回答 5

29

First let's differentiate protocol with token format. I assume you are talking about the protocol and not the token format. But just in case here are the differences:

On the other hand you have a scenario in which there are multiple identity providers. The book that Wiktor suggested (which I co-authored) explains this scenario in more detail on the Federated Identity with Multiple Partners chapter. I recommend you to read it to get the concepts behind identity federation. Let me give you the short version of the article and some implementation details. There are two ways of solving this:

  • Implementing it at the application level. WIF will allow you to trust on more than one identity provider token (this is done with X509 certificates). Then you will have to generate sign in requests for each identity provider depending on a url (like https://idp1.yourapp.com or https://yourapp.com/idp1) or the user choosing (by having a home page with two links, one for each identity provdier). You will also have to normalize the claims coming from those identity provider (maybe one of them will send you a "name" claim and the other a "upn" claim).

    YourApp --> Identity Provider 1
        \-> Identity Provider 2

  • Using what is called a "federation provider". This is another server that will issue tokens to your application and it will have the trust relationships against your identity provider. Instead of having your application trust the two identity providers, you trust only on your federation provider and the fed provider will trust the identity providers. It's a trust chain.

    YourApp --> Federation Provider --> Identity Provider 1
                                \-> Identity Provider 2

This architecture allows you to:

  • grow your identity providers without touching your application
  • if you later have a second application you just copy your implementation of the first one
  • you get single sign on for free
  • you get a claim transformation engine (if you use something like ADFS)
  • if you use something like ADFS you get SAML 2 protocol built in (instead of having to implement it by hand with the extension mentioned below)

Of course the downside is that you now have something else to mantain (the ADFS server).

于 2012-05-29T14:29:50.003 回答
10

我们编写了一个非常简单的开源 C# 组件来与 ASP.NET 应用程序一起使用:https ://github.com/jitbit/AspNetSaml (包括代码示例)

它非常简短和基本,但这就是目标。无需添加庞大的第 3 方包,只需将一个简短的 C# 文件放入您的项目中,您就可以使用 SAML。这个东西已经为我们工作了很多年,甚至在 .NET 3.x 上

[免责声明] 我是贡献者之一。

PS。非常欢迎分叉和贡献。

于 2016-11-29T19:21:21.263 回答
6

我建议您使用 Windows Identity Foundation 子系统,它可以简化处理基于 SAML 的身份验证。

该主题相当广泛,因此您需要一本好的手册,幸运的是,有一本免费的 MS 手册:

http://msdn.microsoft.com/en-us/library/ff423674.aspx

简而言之:要在两台服务器之间传递身份,其中一个应该实现身份提供者服务(安全令牌服务),第二个必须接受由第一个创建和签名的 SAML 令牌。

于 2012-05-29T07:59:31.940 回答
4

我会推荐使用 ComponentSpace。它们提供了适用于 SAML 2.0 令牌和 SAML 2.0 协议的所有用例的库。WIF 目前不支持 SAML 2.0 协议和令牌格式,但 CTP 除外。

于 2012-06-01T02:05:35.170 回答
0

您可以为您的 asp.net 站点试用miniOrange 的 SAML SSO 模块。它实际上是一个 httpmodule,可以添加 SSO 作为 ASP.NET 站点的登录方法,这里的主要内容是它是一个非常简单的设置。该模块本身为 SSO 配置提供了一个管理控制台。它有助于保护我网站的私人页面不被公众访问,并只允许存储在他的广告中的我的客户用户访问。我认为这可能是最适合你的。干杯!!

于 2020-12-23T12:55:58.813 回答