【问题标题】:how to build domain based Multi-tenant SaaS solution built using OWIN claims based authentication如何构建使用基于 OWIN 声明的身份验证构建的基于域的多租户 SaaS 解决方案
【发布时间】:2014-12-01 01:16:45
【问题描述】:

我正在尝试创建一个 SaaS 解决方案,我希望我的应用程序的每个租户都有自己的访问控制服务 (ACS) 服务器或身份服务器配置,我计划通过当前正在访问的子域来确定当前租户

例如tenant1.Myapp.com、tenant2.Myapp.com

我希望能够为每个租户提供不同的租户配置,并且我不希望每个租户都知道当前注册的其他租户。

我将为每个租户定制品牌

public partial class Startup
{
    private void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions() { LoginPath = new Microsoft.Owin.PathString("/Authentication/SignIn") });

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                MetadataAddress = "https://XXXXX.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml",
                Wtrealm = "urn:operations.web"
            }
        );
    }
}

上述代码适用于单租户应用程序,但无法提前知道要使用哪个 ACS 身份提供者进行身份验证。

一些租户希望能够使用 Google、Microsoft Account、Facebook 登录用户

【问题讨论】:

    标签: owin wif claims-based-identity acs katana


    【解决方案1】:

    我看到您正在使用 ACS 在您的应用程序中启用多个 IP。尽管 ACS 功能正在合并到 AAD 中,但这是很好的第一步。

    在您的情况下,您需要从 ACS 下载所有 IP 的 json 提要,然后根据包含子域名的请求标头中的信息对其进行过滤。

    这里的 Mu 博客文章将带您一路走到这一步,然后您需要自己完成剩下的路。

    http://magnusmartensson.com/mvc-application-using-owin-to-achieve-federated-authentication

    典型的 ACS json 提要地址如下所示:

    https://{mytenant}.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=http%3a%2f%2flocalhost%3a7664%2f&reply_to=http%3a%2f%2flocalhost %3a7664%2f&context=&request_id=&version=1.0&callback=

    当您进入该提要时,您将在 ACS 中收到您配置的 IP 数组:

    [
    {"Name":"Windows Live™ ID","LoginUrl":"https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2faccesscontrol.windows.net%2f&wreply=https%3a%2f%2fSOMENAME.accesscontrol.windows.net%2fv2%2fwsfederation&wp=MBI_FED_SSL&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJm0","LogoutUrl":"https://login.live.com/login.srf?wa=wsignout1.0","ImageUrl":"","EmailAddressSuffixes":[]},
    {"Name":"Google","LoginUrl":"https://www.google.com/accounts/o8/ud?openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0&openid.mode=checkid_setup&openid.claimed_id=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.identity=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select&openid.realm=https%3a%2f%2fSOMENAME.accesscontrol.windows.net%3a443%2fv2%2fopenid&openid.return_to=https%3a%2f%2fSOMENAME.accesscontrol.windows.net%3a443%2fv2%2fopenid%3fcontext%3dcHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnByb3ZpZGVyPUdvb2dsZQ2&openid.ns.ax=http%3a%2f%2fopenid.net%2fsrv%2fax%2f1.0&openid.ax.mode=fetch_request&openid.ax.required=email%2cfullname%2cfirstname%2clastname&openid.ax.type.email=http%3a%2f%2faxschema.org%2fcontact%2femail&openid.ax.type.fullname=http%3a%2f%2faxschema.org%2fnamePerson&openid.ax.type.firstname=http%3a%2f%2faxschema.org%2fnamePerson%2ffirst&openid.ax.type.lastname=http%3a%2f%2faxschema.org%2fnamePerson%2flast","LogoutUrl":"https://www.google.com/accounts/Logout","ImageUrl":"","EmailAddressSuffixes":[]},
    {"Name":"SOMENAME","LoginUrl":"https://login.windows.net/3c54a3bf-d2b0-4dae-bdd6-61d05145c8be/wsfed?wa=wsignin1.0&wtrealm=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2f&wreply=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2fv2%2fwsfederation&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJm0","LogoutUrl":"https://login.windows.net/3c54a3bf-d2b0-4dae-bdd6-61d05145c8be/wsfed?wa=wsignout1.0","ImageUrl":"","EmailAddressSuffixes":[]},
    {"Name":"Facebook","LoginUrl":"https://www.facebook.com/dialog/oauth?client_id=284082335104349&redirect_uri=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2fv2%2ffacebook%3fcx%3dcHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJmlwPUZhY2Vib29rLTI4NDA4MjMzNTEwNDM0OQ2&scope=email","LogoutUrl":"https://www.facebook.com/logout.php?access_token={0}&next={1}","ImageUrl":"","EmailAddressSuffixes":[]},
    {"Name":"Martensson Consulting","LoginUrl":"https://login.windows.net/8e717ff8-8b9b-4185-b61c-aea1fd724035/wsfed?wa=wsignin1.0&wtrealm=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2f&wreply=https%3a%2f%2fviewmybox.accesscontrol.windows.net%2fv2%2fwsfederation&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJmJnJ5PWh0dHAlM2ElMmYlMmZsb2NhbGhvc3QlM2E3NjY0JTJm0","LogoutUrl":"https://login.windows.net/8e717ff8-8b9b-4185-b61c-aea1fd724035/wsfed?wa=wsignout1.0","ImageUrl":"","EmailAddressSuffixes":[]}
    

    ]

    当然,您只想为每个子域/租户/客户使用其中几个 IP 中的一个。您需要做的是服务器端过滤此提要,并仅提供您的客户接受的登录页面。如果它只是一个,您甚至可能希望从您的应用程序直接重定向到客户登录的单一选项。

    这需要您从 ACS 下载登录示例页面并构建您自己的自定义版本。

    希望这会有所帮助!

    【讨论】:

    • 用户通过身份验证后如何让 ACS 将用户返回到正确的tenant1.MyApp.com?
    • 除了您用来从上述 ACS 获取 IP 的 url 中的领域属性外,还有一个 reply_to 地址。您还可以使用 context 参数通过身份验证过程(加密)发送任何上下文数据,并在用户通过 ACS 从 IP 带着她的令牌返回时返回给您。
    猜你喜欢
    • 1970-01-01
    • 2017-05-26
    • 1970-01-01
    • 2019-01-15
    • 2012-03-26
    • 2016-01-10
    • 1970-01-01
    • 2013-07-20
    • 2010-11-26
    相关资源
    最近更新 更多