We are implementing an STS setup in which Azure AD acts as the identity provider for an Amazon Web Services application that runs as a daemon/service in our data center and needs access to AWS resources. At the moment we are using NodeJS and the wsfed2 library: https://github.com/auth0/passport-wsfed-saml2 . We want our service to obtain temporary AWS credentials through the AWS STS AssumeRole and SAML API calls.
This is how far we have got. Note: all Azure applications are identified by their Application ID GUID.
1. We can integrate the AWS CONSOLE with regular users into our AZAD by following the documentation here (browser-based authentication only): https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-amazon-web-service-tutorial
2. We are able to assume an AWS role using SAML-token-based Azure authentication (using WS-Federation and the AWS STS AssumeRole API call, with the STS token response coming from the Azure "AWS STS" application), and successfully sign in to a NodeJS-based test web application that pulls data from AWS.
3. We followed the documentation listed here to authenticate a daemon application to a service application (using Microsoft ADAL on Windows .NET and OAuth 2.0); this is the official Microsoft documentation: https://github.com/Azure-Samples/active-directory-dotnet-daemon
What we have not yet accomplished:
4. Getting our TodoListDaemon application to authenticate to our "AWS STS QA" Azure application, because that Service application requires a ROLE to be assigned to each user, but in this case the user is not a person but a .NET service tied to the TodoListDaemon application registered in AAD. Instead, the following error occurs when running the ADAL sample code:
An error occurred while acquiring a token Time: 10/25/2017 2:45:17 AM Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: Application '*******' is not assigned to a role for the application 'AWS STS QA'. Trace ID: d1cc4012-b0c1-4b8f-b3d4-325031ec0000 Correlation ID: 27543468-5087-44aa-9a86-336a2b0a81c9 Timestamp: 2017-10-25 02:45:17Z ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (BadRequest). at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpClientWrapper.d__29.MoveNext() --- End of inner exception stack trace --- at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.d__181.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.<GetResponseAsync>d__171.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__66.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__63.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__53.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__45.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at 
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__22.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() at TodoListDaemon.Program.d__12.MoveNext() in C:\Users\Administrator\Source\Repos\active-directory-dotnet-daemon-withAWSService\TodoListDaemon\Program.cs:line 162 ErrorCode: invalid_grant StatusCode: 400 Retry: False'
4.1 Assign a role to TodoListDaemon (as the error message above requires) on the "AWS STS QA" application: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/objectId/*******/appId/******* [Problem start date and time] Wed, 18 Oct 2017 07:00:00 GMT
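Step 2 of the post relies on the SAML assertion that Azure AD issues carrying the two AWS-specific attributes (Role and RoleSessionName) and on the caller turning one Role value into the RoleArn/PrincipalArn pair that AssumeRoleWithSAML expects. The following is an added example, not code from the post or from the passport-wsfed-saml2 project, written in Python with only the standard library so it runs without an AWS SDK. The assertion below is constructed (unsigned, with a placeholder tenant ID and the sample account 123456789012); a real Azure AD assertion is signed and much larger. The client-side parsing here is only for picking a role and auditing what the IdP handed out: STS itself verifies the signature against the IdP metadata registered on the IAM SAML provider, so nothing in this code is a substitute for that check.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample assertion (not from Azure AD): minimal, unsigned, and
# carrying only the attributes AWS looks at. Tenant ID and account are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>todolist-daemon</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def attribute_values(assertion_xml, name):
    """Return every AttributeValue text for the attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def parse_role_pairs(assertion_xml):
    """Split each Role value into (role_arn, saml_provider_arn).

    AWS accepts the two ARNs in either order, so normalise on the ARN type rather
    than on position, and reject pairs that span two accounts, which STS would
    refuse anyway but are worth flagging as an IdP misconfiguration.
    """
    pairs = []
    for value in attribute_values(assertion_xml, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError("Role attribute is not a 'role,provider' pair: %r" % value)
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if role is None or provider is None:
            raise ValueError("Role attribute lacks a role or saml-provider ARN: %r" % value)
        # ARN layout: arn:partition:service:region:account:resource -> account is field 4
        if role.split(":")[4] != provider.split(":")[4]:
            raise ValueError("role and provider ARNs are in different accounts: %r" % value)
        pairs.append((role, provider))
    if not pairs:
        raise ValueError("assertion carries no %s attribute" % ROLE_ATTR)
    return pairs


def role_session_name(assertion_xml):
    """STS requires exactly one RoleSessionName; it becomes the session name in
    the resulting caller identity, so log it for traceability."""
    names = attribute_values(assertion_xml, SESSION_ATTR)
    if len(names) != 1 or not names[0]:
        raise ValueError("assertion must carry exactly one RoleSessionName")
    return names[0]


def build_assume_role_with_saml(assertion_xml, wanted_role_arn, duration_seconds=3600):
    """Build the parameter dict for sts.assume_role_with_saml().

    The daemon only chooses among roles the IdP already granted; asking for a
    role that is not in the assertion is refused here rather than at STS.
    RoleSessionName is not a request parameter: STS reads it from the assertion.
    """
    pairs = dict(parse_role_pairs(assertion_xml))
    if wanted_role_arn not in pairs:
        raise PermissionError("assertion does not grant %s" % wanted_role_arn)
    role_session_name(assertion_xml)  # fail early if the IdP omitted it
    return {
        "RoleArn": wanted_role_arn,
        "PrincipalArn": pairs[wanted_role_arn],
        # STS wants the raw assertion XML, base64-encoded, exactly as the IdP signed it
        "SAMLAssertion": base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii"),
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    for role, provider in parse_role_pairs(SAMPLE_ASSERTION):
        print("granted:", role, "via", provider)
    params = build_assume_role_with_saml(SAMPLE_ASSERTION, "arn:aws:iam::123456789012:role/ReadOnly")
    print({k: v for k, v in params.items() if k != "SAMLAssertion"})
```

With boto3 the returned dict is passed straight to `boto3.client("sts").assume_role_with_saml(**params)`; the NodeJS equivalent takes the same parameter names. Choosing the least-privileged role present in the assertion (ReadOnly rather than Admin in the sample) and keeping DurationSeconds short is the defender-side lever here: the IdP decides which roles are offered, the caller decides which one it actually assumes.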