我看到您正在使用 ACS 在您的应用程序中启用多个 IP。尽管 ACS 功能正在合并到 AAD 中,但这是很好的第一步。
在您的情况下,您需要从 ACS 下载所有 IP 的 json 提要,然后根据包含子域名的请求标头中的信息对其进行过滤。
这里的 Mu 博客文章将带您一路走到这一步,然后您需要自己完成剩下的路。
http://magnusmartensson.com/mvc-application-using-owin-to-achieve-federated-authentication
典型的 ACS json 提要地址如下所示:
https://{mytenant}.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=http%3a%2f%2flocalhost%3a7664%2f&reply_to=http%3a%2f%2flocalhost %3a7664%2f&context=&request_id=&version=1.0&callback=
当您进入该提要时,您将在 ACS 中收到您配置的 IP 数组:
[
{"Name":"Windows Live™ ID","LoginUrl":"https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2faccesscontrol.windows.net%2f&wreply=https%3a%2f%2fSOMENAME.accesscontrol.windows.net%2fv2%2fwsfederation&wp=MBI_FED_SSL&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJm0","LogoutUrl":"https://login.live.com/login.srf?wa=wsignout1.0","ImageUrl":"","EmailAddressSuffixes":[]},
{"Name":"Google","LoginUrl":"https://www.google.com/accounts/o8/ud?openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0&openid.mode=checkid_setup&openid.claimed_id=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.identity=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.realm=https%3a%2f%2fSOMENAME.accesscontrol.windows.net%3a443%2fv2%2fopenid&openid.return_to=https%3a%2f%2fSOMENAME.accesscontrol.windows.net%3a443%2fv2%2fopenid%3fcontext%3dcHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnByb3ZpZGVyPUdvb2dsZQ2&openid.ns.ax=http%3a%2f%2fopenid.net%2fsrv%2fax%2f1.0&openid.ax.mode=fetch_request&openid.ax.required=email%2cfullname%2cfirstname%2clastname&openid.ax.type.email=http%3a%2f%2faxschema.org%2fcontact%2femail&openid.ax.type.fullname=http%3a%2f%2faxschema.org%2fnamePerson&openid.ax.type.firstname=http%3a%2f%2faxschema.org%2fnamePerson%2ffirst&openid.ax.type.lastname=http%3a%2f%2faxschema.org%2fnamePerson%2flast","LogoutUrl":"https://www.google.com/accounts/Logout","ImageUrl":"","EmailAddressSuffixes":[]},
{"Name":"SOMENAME","LoginUrl":"https://login.windows.net/3c54a3bf-d2b0-4dae-bdd6-61d05145c8be/wsfed?wa=wsignin1.0&wtrealm=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2f&wreply=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2fv2%2fwsfederation&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJm0","LogoutUrl":"https://login.windows.net/3c54a3bf-d2b0-4dae-bdd6-61d05145c8be/wsfed?wa=wsignout1.0","ImageUrl":"","EmailAddressSuffixes":[]},
{"Name":"Facebook","LoginUrl":"https://www.facebook.com/dialog/oauth?client_id=284082335104349&redirect_uri=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2fv2%2ffacebook%3fcx%3dcHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJmlwPUZhY2Vib29rLTI4NDA4MjMzNTEwNDM0OQ2&scope=email","LogoutUrl":"https://www.facebook.com/logout.php?access_token={0}&next={1}","ImageUrl":"","EmailAddressSuffixes":[]},
{"Name":"Martensson Consulting","LoginUrl":"https://login.windows.net/8e717ff8-8b9b-4185-b61c-aea1fd724035/wsfed?wa=wsignin1.0&wtrealm=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2f&wreply=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2fv2%2fwsfederation&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJm0","LogoutUrl":"https://login.windows.net/8e717ff8-8b9b-4185-b61c-aea1fd724035/wsfed?wa=wsignout1.0","ImageUrl":"","EmailAddressSuffixes":[]}
]
当然,您只想为每个子域/租户/客户使用其中几个 IP 中的一个。您需要做的是服务器端过滤此提要,并仅提供您的客户接受的登录页面。如果它只是一个,您甚至可能希望从您的应用程序直接重定向到客户登录的单一选项。
这需要您从 ACS 下载登录示例页面并构建您自己的自定义版本。
希望这会有所帮助!