Federated Identity Pattern

Delegate authentication to an external identity provider. This pattern can simplify development, minimize the requirement for user administration, and improve the user experience of the application.

Context and Problem

Users typically need to work with multiple applications provided by, and hosted by different organizations with which they have a business relationship. However, these users may be forced to use specific (and different) credentials for each one. This can:

Cause a disjointed user experience. Users often forget sign-in credentials when they have many different ones.

Expose security vulnerabilities. When a user leaves the company, the account must be deprovisioned immediately, in every application that holds credentials for it; this is easy to overlook in large organizations.

Complicate user management. Administrators must manage credentials for all of the users, and perform additional tasks such as providing password reminders.

Users will, instead, typically expect to use the same credentials for these applications.

Solution

Implement an authentication mechanism that can use federated identity. Separating user authentication from the application code, and delegating authentication to a trusted identity provider, can considerably simplify development and allow users to authenticate using a wider range of identity providers (IdPs) while minimizing the administrative overhead. It also allows you to clearly decouple authentication from authorization.

The trusted identity providers may include corporate directories, on-premises federation services, other security token services (STSs) provided by business partners, or social identity providers that can authenticate users who have, for example, a Microsoft, Google, Yahoo!, or Facebook account.

Figure 1 illustrates the principles of the federated identity pattern when a client application needs to access a service that requires authentication. The authentication is performed by an identity provider (IdP), which works in concert with a security token service (STS). The IdP issues security tokens that assert information about the authenticated user. This information, referred to as claims, includes the user’s identity, and may also include other information such as role membership and more granular access rights.

Figure 1 - An overview of federated authentication

This model is often referred to as claims-based access control. Applications and services authorize access to features and functionality based on the claims contained in the token. The service that requires authentication must trust the IdP. The client application contacts the IdP that performs the authentication. If the authentication is successful, the IdP returns a token containing the claims that identify the user to the STS (note that the IdP and STS may be the same service). The STS can transform and augment the claims in the token based on predefined rules, before returning it to the client. The client application can then pass this token to the service as proof of its identity.
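The flow just described, as an added example that is not from the original article: a small Python simulation in which the IdP authenticates the user against a constructed directory and issues a signed token of claims, the STS accepts only IdP-signed tokens, maps directory groups to application roles and re-signs, and the service trusts only STS-signed, unexpired tokens. The HMAC-tagged tokens, keys, issuer names, directory entries and role mapping are all constructed stand-ins for real SAML or JWT tokens.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys; in a real deployment the IdP and STS each hold their own signing key.
IDP_KEY = b"idp-demo-signing-key"
STS_KEY = b"sts-demo-signing-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_token(claims: dict, key: bytes) -> str:
    """Serialise claims and append an HMAC-SHA256 tag (toy stand-in for a signed SAML/JWT token)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_token(token: str, key: bytes) -> dict:
    """Check the tag and return the claims; raises if the token was altered or signed with another key."""
    body, tag = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def idp_authenticate(username: str, password: str) -> str:
    """IdP: check credentials against a constructed directory and issue a token asserting identity claims."""
    directory = {"alice": ("s3cret", ["eng-leads"])}
    if username not in directory or directory[username][0] != password:
        raise PermissionError("authentication failed")
    claims = {"iss": "idp.example", "sub": username, "groups": directory[username][1], "exp": time.time() + 300}
    return sign_token(claims, IDP_KEY)

def sts_transform(idp_token: str) -> str:
    """STS: trust only the IdP's key, map directory groups to application roles, re-sign for the service."""
    claims = verify_token(idp_token, IDP_KEY)
    role_map = {"eng-leads": "approver"}
    roles = sorted({role_map[g] for g in claims["groups"] if g in role_map})
    out = {"iss": "sts.example", "sub": claims["sub"], "roles": roles, "exp": claims["exp"]}
    return sign_token(out, STS_KEY)

def service_authorize(token: str, required_role: str) -> bool:
    """Service: accept only tokens signed by the trusted STS, not expired, carrying the required role."""
    try:
        claims = verify_token(token, STS_KEY)
    except ValueError:
        return False
    if claims.get("iss") != "sts.example" or claims["exp"] < time.time():
        return False
    return required_role in claims.get("roles", [])
```

Note that the service never sees the user's password and never learns the raw directory groups; it only checks the STS signature and the transformed role claims, which is the decoupling of authentication from authorization the pattern describes.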