Question
I need a way to validate users within my organization (using LDAP and Active Directory) through IdentityServer3 and grant them access to a resource.
IdentityServer3 appears to be an implementation framework of the OpenID Connect protocol which holds good for authentication and authorization.
So far, I have been able to validate hard-coded users and get a JWT (JSON Web Token) access token using the InMemory implementation.
Please refer to this example:
https://rajdeep.io/2015/05/07/creating-a-single-sign-on-using-thinktecture-identity-server-part-1/
However, this would not be very useful in my scenario where I would have to validate users (stored in an active directory) in a large organization and issue them tokens to access a resource.
Here is what I have done per this link (http://stackoverflow.com/questions/31536420/thinktecture-identityserver-v3-with-windowsauth):
- Created an ActiveDirectoryUserService that implements IUserService.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;

namespace LDAPSSO
{
    // Only the two authentication members are shown, as in the original post;
    // the remaining IUserService members are not part of the question.
    public class ActiveDirectoryUserService : IUserService
    {
        private const string DOMAIN = "company domain";

        // Federated (external) sign-ins are not handled by this service.
        public Task<AuthenticateResult> AuthenticateExternalAsync(ExternalIdentity externalUser, SignInMessage message)
        {
            return Task.FromResult<AuthenticateResult>(null);
        }

        // IdentityServer3 calls this with the username and password entered on its built-in login page.
        public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message)
        {
            try
            {
                using (var pc = new PrincipalContext(ContextType.Domain, DOMAIN))
                {
                    if (pc.ValidateCredentials(username, password))
                    {
                        using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, username))
                        {
                            if (user != null)
                            {
                                // The subject must be stable across logins, so use the account SID
                                // rather than a freshly generated GUID.
                                return Task.FromResult(new AuthenticateResult(subject: user.Sid.Value, name: username));
                            }
                        }
                    }

                    // The user name or password is incorrect
                    return Task.FromResult<AuthenticateResult>(null);
                }
            }
            catch
            {
                // Server error (e.g. domain controller unreachable): treat as a failed login
                return Task.FromResult<AuthenticateResult>(null);
            }
        }
    }
}
```

Reference: https://gist.github.com/tjrobinson/0ad6c790e90d7a385eb1
- Created a MyClientStore that implements IClientStore
- Created a MyScopeStore that implements IScopeStore
Registered this with the factory as follows:

```csharp
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;

public class Factory
{
    public static IdentityServerServiceFactory Configure()
    {
        var factory = new IdentityServerServiceFactory
        {
            UserService = new Registration<IUserService, ActiveDirectoryUserService>(),
            // Don't need, but mandatory for idsvr3
            ClientStore = new Registration<IClientStore, MyClientStore>(),
            ScopeStore = new Registration<IScopeStore, MyScopeStore>()
        };
        return factory;
    }
}
```
Even if I had this working, wouldn't this need to be compared against the credentials the user entered via the login form that IdentityServer provides? (Please see the image below):

[Image: Authorization Server Login]
What would I need to do in order to extract user credentials from IdentityServer3 login page and validate that against Active Directory?
Is this the right approach? Please suggest.
Inputs and suggestions are appreciated.
Thank you in advance!
Answer 1:
I would implement Active Directory as an external identity provider.
This way you do not have to maintain any custom code and continue to use the LDAP features of AD if you are locked into them. You can make this your sole identity provider by disabling local login within Identity Server or using the idp value in the acr_values, or even on a per-client basis.
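As an added illustration of this answer (example code, not from the question or from IdentityServer3 itself): an OWIN startup that registers AD, fronted by ADFS over WS-Federation, as an external identity provider, disables local login, and pins one client to that provider. The ADFS metadata URL, the realm, the redirect URI and the `Certificate.Load()` helper are placeholders you would replace with your own.

```csharp
using System.Collections.Generic;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var options = new IdentityServerOptions
        {
            SiteName = "Company SSO",
            SigningCertificate = Certificate.Load(), // hypothetical helper: load your token-signing cert
            Factory = Factory.Configure(),           // the Factory from the question
            AuthenticationOptions = new AuthenticationOptions
            {
                EnableLocalLogin = false,            // no username/password form; AD is the only way in
                IdentityProviders = ConfigureIdentityProviders
            }
        };
        app.UseIdentityServer(options);
    }

    // IdentityServer3 calls this with its own OWIN branch and the authentication type
    // that external sign-ins must use so its callback picks them up.
    private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            AuthenticationType = "adfs",             // the idp name used in acr_values=idp:adfs
            Caption = "Company Active Directory",
            SignInAsAuthenticationType = signInAsType,
            MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml", // placeholder
            Wtrealm = "urn:idsrv3:example"           // placeholder realm registered as a relying party in ADFS
        });
    }
}

// Alternative to disabling local login globally: restrict a single client to the AD provider.
public static class Clients
{
    public static Client AdOnlyClient() => new Client
    {
        ClientId = "mvc-intranet",
        Flow = Flows.Implicit,
        RedirectUris = new List<string> { "https://intranet.example.com/" }, // placeholder
        AllowedScopes = new List<string> { "openid", "profile" },
        IdentityProviderRestrictions = new List<string> { "adfs" }
    };
}
```

After ADFS signs the user in, IdentityServer3 passes the resulting ExternalIdentity to the registered user service's AuthenticateExternalAsync, so that method must return an AuthenticateResult for the AD account rather than the null the question's service returns.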
Source: https://stackoverflow.com/questions/38066039/c-net-validating-users-via-ldap-through-identityserver3