MVC3 Custom MembershipProvider&活动目录

时间:2012-01-15 10:48:22

标签: asp.net-mvc-3 active-directory custom-membershipprovider

我有一个MVC3应用程序,它有一个自定义成员资格提供程序和存储在数据库中的用户/角色。根据需要在应用程序中手动创建用户并分配适当的角色。

我现在想扩展应用程序以提供使用Active Directory的选项,但是因为应用程序有几个自定义字段+用户对FK查找的表,我想我仍然需要自定义默认活动目录成员资格提供程序的版本。

有没有人在SF上做过类似他们可以与我分享的事情? 感谢

1 个答案:

答案 0 :(得分:0)

我知道这是一个老问题,但是......

让我们看看从哪里开始

在我的网络应用程序中,我直接使用ADFS服务器设置基于联合声明的身份验证。我无法找到一个关于如何做到这一点的好教程,因为它并非无足轻重。但是有很多关于如何使用azure ACS作为中间人的参考。这个至少可以让你开始:

http://haishibai.blogspot.com/2011/05/tutorialaspnet-mvc-3-claim-based.html

一旦你开始工作,你只需要做几件事。

在数据库用户表中添加几个可以与AD链接的属性。我将AD GUID存储在我的中,但我也使用电子邮件地址作为辅助。这允许我在我的应用程序中创建用户,然后让他们使用AD进行身份验证。我只是将他们的电子邮件作为声明传回,在我的应用中将其与用户匹配,然后将AD GUID添加到用户。

我还利用继承来进行身份验证。我的所有控制器都继承自BaseController,因此它们会获得这种标准行为。

public class BaseController
{
    protected override void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            //read in the claims that we got back from ADFS
            IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;
            IClaimsIdentity ici = icp.Identity as IClaimsIdentity;

            var claims = ici.Claims;

            // This is a claim that I add manually to see if I've already synced
            // ADFS user with DB user
            var ppid = claims.FirstOrDefault(x => x.ClaimType == ClaimTypes.PPID);
            if (ppid == null)
            {
                //query/sync user.
                var guidString = claims.FirstOrDefault(x => x.ClaimType == ClaimTypes.Name).Value;

                // get AD GUID 
                var userGuid = new Guid(System.Convert.FromBase64String(guidString));

                //look up user
                var currentUser = UserRepository.FetchUserByGUID(userGuid);

                //if user not found try fetch by email.
                if (currentUser == null)
                {
                    var email = claims.FirstOrDefault(x => x.ClaimType == ClaimTypes.Email).Value;
                    currentUser = UserRepository.FetchByEmail(email);
                }

                //If user is still not found create User
                if (currentUser == null)
                {
                    currentUser = new Models.User();
                    BaseRepository.GetDataContext().Users.Add(currentUser);
                }

                //update users information using AD claim as master record
                currentUser.ADID = userGuid;
                currentUser.Name = claims.FirstOrDefault(x => x.ClaimType == ClaimTypes.GivenName).Value;
                currentUser.EmailAddress = claims.FirstOrDefault(x => x.ClaimType == ClaimTypes.Email).Value;
                currentUser.LastLoginDate = DateTime.UtcNow;
                currentUser.LoginCount = currentUser.LoginCount + 1;

                BaseRepository.GetDataContext().SaveChanges();

                // Now that you have your AD user linked to your user record 
                // in your database...
                // Create new claims in your ADFS token that include all the roles that
                // your user has.  That way you can just piggyback on claims based 
                // authentication
                foreach (var r in currentUser.Roles)
                {
                    claims.Add(new Claim(ClaimTypes.Role, r.Name));
                }

                // Add userid claim so that we know that this users claims have already
                // been sync with my database
                claims.Add(new Claim(ClaimTypes.PPID, currentUser.Id.ToString()));
            }
        }

        base.OnAuthorization(filterContext);
    }

希望有所帮助!

相关问题
最新问题