我有一个 Multi-Tenancy 应用程序,其中每个租户都可以为 WsFed 或 OpenIdConnect(Azure) 或 Shibboleth(Kentor) 定义自己的元数据 URl、ClientId、Authority 等。所有租户都存储在 DB 表中并在 OwinStartup 中注册,如下所示:
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
// CookieName = "Kuder.SSO",
LoginPath = new PathString("/Account/Login-register"),
Provider = new CookieAuthenticationProvider
{
//Enables the application to validate the security stamp when the user logs in.
//This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
OrganizationModel objOrg = new OrganizationModel();
var orgList = objOrg.GetOrganizationList();
foreach (OrganizationModel org in orgList)
{
switch (org.AuthenticationName)
{
case "ADFS":
WsFederationAuthenticationOptions objAdfs = null;
objAdfs = new WsFederationAuthenticationOptions
{
AuthenticationType = org.AuthenticationType,
Caption = org.Caption,
BackchannelCertificateValidator = null,
MetadataAddress = org.MetadataUrl,
Wtrealm = org.Realm,
SignOutWreply = org.Realm,
Notifications = new WsFederationAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
Logging.Logger.LogAndEmailException(context.Exception);
context.Response.Redirect(ConfigurationManager.AppSettings["CustomErrorPath"].ToString() + context.Exception.Message);
return Task.FromResult(0);
}
},
TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
};
app.UseWsFederationAuthentication(objAdfs);
break;
case "Azure":
OpenIdConnectAuthenticationOptions azure = null;
azure = new OpenIdConnectAuthenticationOptions
{
AuthenticationType = org.AuthenticationType,
Caption = org.Caption,
BackchannelCertificateValidator = null,
Authority = org.MetadataUrl,
ClientId = org.IDPProvider.Trim(),
RedirectUri = org.Realm,
PostLogoutRedirectUri = org.Realm,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
Logging.Logger.LogAndEmailException(context.Exception);
context.Response.Redirect(ConfigurationManager.AppSettings["CustomErrorPath"].ToString() + context.Exception.Message);
return Task.FromResult(0);
}
},
TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
};
app.UseOpenIdConnectAuthentication(azure);
break;
case "Shibboleth":
var english = CultureInfo.GetCultureInfo("en-us");
var organization = new Organization();
organization.Names.Add(new LocalizedName("xxx", english));
organization.DisplayNames.Add(new LocalizedName("xxx Inc.", english));
organization.Urls.Add(new LocalizedUri(new Uri("http://www.aaa.com"), english));
var authServicesOptions = new KentorAuthServicesAuthenticationOptions(false)
{
SPOptions = new SPOptions
{
EntityId = new EntityId(org.Realm),
ReturnUrl = new Uri(org.Realm),
Organization = organization,
},
AuthenticationType = org.AuthenticationType,
Caption = org.Caption,
SignInAsAuthenticationType = "ExternalCookie",
};
authServicesOptions.IdentityProviders.Add(new IdentityProvider(
new EntityId(org.IDPProvider), authServicesOptions.SPOptions)
{
MetadataLocation = org.MetadataUrl,
LoadMetadata = true,
SingleLogoutServiceUrl = new Uri(org.Realm),
});
app.UseKentorAuthServicesAuthentication(authServicesOptions);
break;
default:
break;
}
}
在 Db 中启用同一提供商(ADFS、Azure 或 Shibboleth)的多个组织时,出现错误。我试过“app.Map”来扩展它。但是虽然没有成功。此外,我使用以下代码注销所有提供程序(ADFS 和 Azure),但注销也失败。
Provider 是我在整个组织中使用的唯一身份验证类型。
HttpContext.GetOwinContext().Authentication.SignOut(provider, Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie);
寻求帮助/指导。
注意:每当添加新租户时,可以回收 appdomain,不需要动态重建管道使事情变得复杂。
最佳答案
Kentor.AuthServices 中间件支持多个实例,但您需要为每个实例分配一个特定的 ModulePath。没有它,第一个 Kentor.AuthServices 中间件将处理所有传入的请求,并在来自配置了其他实例的 IdentityProviders 的消息上抛出错误。
我知道其他一些 Katana 提供程序具有在回调期间使用的类似“隐藏”端点,但我不知道如果加载了多个中间件实例,它们会如何表现。
作为替代方案,Kentor.AuthServices 中间件还支持将多个身份提供者注册到一个实例。然后,您可以在运行时将 IdentityProvider 实例添加和移动到 KentorAuthServicesAuthenticationOptions 并使其立即生效。但是,如果您为其他协议(protocol)为每个租户使用一个中间件,这可能不是理想的解决方案。