The correct way to handle accounts in AD to provide SSO for different applications

Time: 2022-03-25 02:59:57

How would SSO work if you have 4 applications which you want to secure using OpenID Connect tokens from ADFS?


These 4 applications have no user registry; however, they need different claims from the IdP (ADFS). Do you need to create 4 different user accounts for each user so that they can log on to all 4 applications?


If you need 4 different user accounts for each user, then does the user need to log out of app_1 first and then log on to app_2?


I appreciate all kind of advice.


1 solution

#1

6
Assuming each application receives an ID token from ADFS in OIDC mode, then each application will, as part of that ID token, have access to the subject/user ID, and can exchange that ID token for the user profile. ADFS running as the OIDC OP will need to be configured to release the proper claims for each application, and of course each application should request the proper needed scopes on initial authentication so that ADFS can grant the claims needed.


Each application receives an ID token and begins to establish its own session tied to that user. Since application sessions are independent of the SSO session, you need a coordinated effort if you need to implement single logout.

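The flow the answer describes, as an added example that is not part of the original question or answer: one AD user, one ADFS SSO session, four relying parties. Each app receives its own ID token carrying the same `sub` (so no second, third or fourth account is needed), ADFS releases only the claims registered for that app, each app keeps its own independent session, and a single logout is coordinated by the OP notifying every app. Everything concrete here is an assumption: the issuer URL, the four client IDs, the per-app claim sets and the user's attributes are constructed, and because ADFS signs with RS256 against keys published at the `jwks_uri` of `/adfs/.well-known/openid-configuration`, the signature is replaced by an HS256 stand-in so the example runs offline with the standard library. The logout half is modelled on OIDC Back-Channel Logout; check your ADFS version's documentation for whether it supports that or only front-channel logout.

```python
import base64, hashlib, hmac, json, secrets, time
# Assumed values (not from the page): the ADFS issuer URL and the claims ADFS
# is configured to release to each of the four registered applications.
ISSUER = "https://adfs.example.com/adfs"
REGISTRATIONS = {"app_1": {"upn", "email"},
                 "app_2": {"upn", "given_name", "family_name"},
                 "app_3": {"upn", "role"},
                 "app_4": {"upn", "email", "role"}}
# Stand-in for ADFS's RS256 key so this runs offline; a real RP verifies RS256 against the jwks_uri.
SIGNING_KEY = secrets.token_bytes(32)
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
STANDARD = {"iss", "sub", "aud", "sid", "iat", "exp", "nonce"}
USER = {"sub": "S-1-5-21-1111-2222-3333-1001", "upn": "alice@example.com",  # constructed
        "email": "alice@example.com", "given_name": "Alice",
        "family_name": "Liddell", "role": "Finance"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify_jwt(token: str, audience: str) -> dict:
    # Check signature, iss, aud and exp; a token minted for another app must fail here.
    head, body, sig = token.split(".")
    mac = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("token was not issued by our OP for this application")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

# --- OP side: what ADFS does per authorization request and per logout ---
def issue_id_token(client_id: str, nonce: str, sso_sid: str) -> str:
    """Same sub and sid for every app; only the claims configured for this app."""
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": USER["sub"], "aud": client_id, "sid": sso_sid,
              "iat": now, "exp": now + 3600, "nonce": nonce}
    claims.update({c: USER[c] for c in REGISTRATIONS[client_id]})
    return sign_jwt(claims)

def issue_logout_token(client_id: str, sso_sid: str) -> str:
    now = int(time.time())  # back-channel logout token: sid plus events claim, no nonce
    return sign_jwt({"iss": ISSUER, "sub": USER["sub"], "aud": client_id, "sid": sso_sid,
                     "iat": now, "exp": now + 120, "jti": secrets.token_hex(8),
                     "events": {LOGOUT_EVENT: {}}})

# --- RP side: one instance per application, each with its own session store ---
class RelyingParty:
    def __init__(self, client_id: str):
        self.client_id, self.sessions, self.pending = client_id, {}, set()

    def start_login(self) -> str:           # nonce ties the ID token to this login
        self.pending.add(nonce := secrets.token_urlsafe(16))
        return nonce

    def finish_login(self, id_token: str) -> str:
        claims = verify_jwt(id_token, self.client_id)
        if claims.get("nonce") not in self.pending:
            raise ValueError("nonce not issued by this application")
        self.pending.discard(claims["nonce"])
        local_sid = secrets.token_urlsafe(16)   # app session, independent of ADFS's
        self.sessions[local_sid] = claims
        return local_sid

    def backchannel_logout(self, logout_token: str) -> int:
        """End every local session tied to the ADFS sid; return how many."""
        claims = verify_jwt(logout_token, self.client_id)
        if LOGOUT_EVENT not in claims.get("events", {}) or "nonce" in claims:
            raise ValueError("not a logout token")
        doomed = [k for k, v in self.sessions.items() if v["sid"] == claims["sid"]]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)

def demo() -> dict:
    rps = {cid: RelyingParty(cid) for cid in REGISTRATIONS}
    sso_sid, tokens = secrets.token_hex(8), {}    # one ADFS SSO session for all four
    for cid, rp in rps.items():
        tokens[cid] = issue_id_token(cid, rp.start_login(), sso_sid)
        rp.finish_login(tokens[cid])
    subs = {s["sub"] for rp in rps.values() for s in rp.sessions.values()}
    try:                                          # app_2 must refuse app_1's token
        rps["app_2"].finish_login(tokens["app_1"])
        cross_app_rejected = False
    except ValueError:
        cross_app_rejected = True
    before = sum(len(rp.sessions) for rp in rps.values())
    cleared = sum(rp.backchannel_logout(issue_logout_token(cid, sso_sid))
                  for cid, rp in rps.items())
    released = {cid: sorted(set(json.loads(b64url_decode(t.split(".")[1]))) - STANDARD)
                for cid, t in tokens.items()}
    return {"one_user": len(subs) == 1, "cross_app_rejected": cross_app_rejected,
            "sessions_before": before, "sessions_cleared": cleared, "claims": released}
```

`demo()` reports that all four sessions belong to the same `sub`, that app_2 rejects a token minted for app_1 (the `aud` check is what stops one app's token from being replayed against another), that four independent application sessions existed before logout, and that the coordinated logout cleared all four. In a real deployment, replace the HS256 stand-in with RS256 verification against the ADFS `jwks_uri`, allow for clock skew on `exp`/`iat`, and treat the `sid` in the logout token as the only reliable link between the ADFS session and the local ones.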
