
I have been working on a solution to integrate a multi-tenant API backend system with multiple B2C directories; the idea is that each tenant owns and manages their own directory, so our API backend system will need to be added to each tenant's B2C directory.

I was thinking of extending the OWIN OpenID middleware as described here.

Active Directory B2C and OpenIdConnectAuthenticationMiddleware - Multitenant systems

Another alternative is to set up our own B2C directory to integrate with our tenants' B2C directories.

Is this possible?

1 Answer

In the context of Azure Active Directory, the client ID referenced by the OWIN OpenIDConnect middleware identifies the application itself, independent of any tenant.

For multi-tenant support, if you go to the "Configure" section of your application, under the AD used for application development, you should notice an option labelled "Application is multi-tenant", as shown in the screenshot: Multi-tenant option

Make sure multi-tenant support is enabled. There are other requirements for enabling multi-tenant support, which will become apparent when you try to enable the option.

This option will allow other tenants' AADs to consent to use your application. In practice, once a tenant's AAD global administrator consents, this adds a reference to the application you registered in your AAD into their AAD, allowing them to control access as needed without any changes on your part.

Coming to the code, you would have to change the OWIN middleware to disable automatic validation of the issuer and implement your own mechanism for validating the issuer (e.g. storing all this information at the tenant's initial registration and checking all future tenant sign-ins against the stored information). As follows:

    // db is the app's data context holding the Tenants and Users tables
    // populated during tenant / user onboarding
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
            {
                // instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
                // we inject our own multitenant validation logic
                ValidateIssuer = false,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                // we use this notification for injecting our custom logic
                SecurityTokenValidated = (context) =>
                {
                    // retrieve caller data from the incoming principal
                    string issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value;
                    string UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
                    string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;

                    if (
                        // no record of an admin-consented tenant with this issuer
                        (db.Tenants.FirstOrDefault(a => ((a.IssValue == issuer) && (a.AdminConsented))) == null)
                        // and no record of this caller in the db of users who went through individual onboarding
                        && (db.Users.FirstOrDefault(b => ((b.UPN == UPN) && (b.TenantID == tenantID))) == null)
                        )
                        // the caller was neither from a trusted issuer nor a registered user - throw to block the authentication flow
                        throw new SecurityTokenValidationException();
                    return Task.FromResult(0);
                }
            }
        });

Source: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs

The reason for disabling issuer validation is that multi-tenant AAD applications use a common gateway, so the issuer changes depending on the tenant being validated. There must be some suitable issuer(s) recorded beforehand to compare against.

answered 2016-04-19T19:51:20.870
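As an added, stand-alone example (not code from the answer or from the Azure sample it cites), the issuer check that a `SecurityTokenValidated` callback like the one above can delegate to: it looks the issuer up in a registry of admin-consented tenants and additionally cross-checks the tenant id embedded in the v1 AAD issuer URL against the token's tenantid claim. The registry is an in-memory dictionary with constructed placeholder tenant ids; a real app would read the same rows from its `db.Tenants` table.

```csharp
using System;
using System.Collections.Generic;

public static class TenantIssuerValidator
{
    // Constructed sample registry: issuer value -> whether a global admin of
    // that tenant has consented to the app. Tenant ids are placeholders.
    private static readonly Dictionary<string, bool> ConsentedTenants =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://sts.windows.net/11111111-1111-1111-1111-111111111111/", true },
            { "https://sts.windows.net/22222222-2222-2222-2222-222222222222/", false },
        };

    // True only if the issuer was recorded at onboarding, has admin consent,
    // is an https URL, and the tenant id in its path matches the token's
    // tenantid claim, so a token cannot pair a trusted issuer string with
    // another tenant's claims.
    public static bool IsTrustedIssuer(string issuer, string tenantIdClaim)
    {
        if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(tenantIdClaim))
            return false;

        bool consented;
        if (!ConsentedTenants.TryGetValue(issuer, out consented) || !consented)
            return false;

        // v1 AAD issuer values have the form https://sts.windows.net/{tenantid}/
        Uri uri;
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out uri) || uri.Scheme != "https")
            return false;
        string tenantFromIssuer = uri.AbsolutePath.Trim('/');
        return string.Equals(tenantFromIssuer, tenantIdClaim, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // consented tenant, issuer and claim agree
        Console.WriteLine(IsTrustedIssuer(
            "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
            "11111111-1111-1111-1111-111111111111"));
        // recorded tenant that never gave admin consent
        Console.WriteLine(IsTrustedIssuer(
            "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
            "22222222-2222-2222-2222-222222222222"));
        // consented issuer string paired with a different tenant's claim
        Console.WriteLine(IsTrustedIssuer(
            "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
            "22222222-2222-2222-2222-222222222222"));
    }
}
```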