Federated Identity Pattern (2)

This model is often referred to as claims-based access control. Applications and services authorize access to features and functionality based on the claims contained in the token. The service that requires authentication must trust the identity provider (IdP). The client application contacts the IdP, which performs the authentication. If authentication succeeds, the IdP returns a token containing the claims that identify the user to the security token service (STS); note that the IdP and the STS may be the same service. The STS can transform and augment the claims in the token according to predefined rules before returning it to the client. The client application can then pass this token to the service as proof of its identity.

Note:

In some scenarios there may be additional STSs in the chain of trust. For example, in the Microsoft Azure scenario described later, an on-premises STS trusts another STS that is responsible for accessing an identity provider to authenticate the user. This approach is common in enterprise scenarios where there is an on-premises STS and directory.

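The exchange described above, as an added example that is not code from the pattern article. It models the three parties in one process: the IdP authenticates the user and issues a token addressed to the STS; the STS trusts only the IdP's key, maps directory groups to application roles under a fixed rule set, and re-signs the token for the service; the service trusts only the STS's key and authorizes from the role claims. Tokens are a JWT-like `base64url(JSON).base64url(HMAC-SHA256)` stand-in rather than real JWTs or SAML, and every key, issuer name, user and rule is constructed for the demo.

```python
"""Claims-based federation flow: client -> IdP -> STS -> client -> service.

Added example, not code from the original pattern article. Tokens are a
JWT-like stand-in signed with HMAC; a real deployment would use signed JWTs or
SAML assertions with per-issuer asymmetric keys. Names, keys and users are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = secrets.token_bytes(32)   # held by the IdP, trusted by the STS
STS_KEY = secrets.token_bytes(32)   # held by the STS, trusted by the service
IDP_ISS, STS_ISS, SERVICE_AUD = "idp.example", "sts.example", "orders.example"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_token(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def verify_token(token: str, key: bytes, issuer: str, audience: str):
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    try:
        body, mac = token.split(".")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(mac, expected):          # constant-time compare
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# Constructed IdP directory; plaintext passwords are for the demo only.
IDP_USERS = {"alice": {"password": "correct horse", "email": "alice@example.com",
                       "groups": ["finance"]}}


def idp_authenticate(username: str, password: str):
    """IdP: verify credentials and issue a token about the user, addressed to the STS."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    claims = {"iss": IDP_ISS, "aud": STS_ISS, "sub": "idp|" + username,
              "email": user["email"], "groups": user["groups"], "exp": time.time() + 300}
    return sign_token(claims, IDP_KEY)


# STS rule set: directory groups -> application roles; unmapped groups yield nothing.
GROUP_TO_ROLE = {"finance": ["invoice.approver"], "staff": ["reader"]}


def sts_issue(idp_token: str):
    """STS: trust the IdP's token, transform and augment the claims, re-sign for the service."""
    claims = verify_token(idp_token, IDP_KEY, issuer=IDP_ISS, audience=STS_ISS)
    if claims is None:
        return None
    roles = sorted({r for g in claims.get("groups", []) for r in GROUP_TO_ROLE.get(g, [])})
    out = {"iss": STS_ISS, "aud": SERVICE_AUD, "sub": claims["sub"], "email": claims["email"],
           "roles": roles, "exp": claims["exp"]}          # raw groups are not forwarded
    return sign_token(out, STS_KEY)


REQUIRED_ROLE = {"approve_invoice": "invoice.approver", "read_orders": "reader"}


def service_request(token: str, action: str) -> str:
    """Service: trust only the STS key, then authorize the action from the role claims."""
    claims = verify_token(token, STS_KEY, issuer=STS_ISS, audience=SERVICE_AUD)
    if claims is None:
        return "401 unauthenticated"
    if REQUIRED_ROLE[action] not in claims.get("roles", []):
        return "403 forbidden"
    return "200 ok"


def run_flow():
    """Drive the whole exchange and return what each party decided."""
    idp_token = idp_authenticate("alice", "correct horse")
    sts_token = sts_issue(idp_token)
    # An attacker who knows the claim layout but not STS_KEY forges an elevated token.
    forged = sign_token({"iss": STS_ISS, "aud": SERVICE_AUD, "sub": "idp|alice",
                         "roles": ["invoice.approver", "reader"], "exp": time.time() + 300},
                        b"attacker-guess")
    return {
        "approve": service_request(sts_token, "approve_invoice"),          # 200 ok
        "read": service_request(sts_token, "read_orders"),                 # 403, no reader role
        "idp_token_direct": service_request(idp_token, "approve_invoice"),  # 401, wrong issuer key
        "forged": service_request(forged, "approve_invoice"),              # 401, bad signature
        "bad_password": idp_authenticate("alice", "wrong") is None,        # True
    }


if __name__ == "__main__":
    print(run_flow())
```

The two failing cases in `run_flow` are the ones worth checking in a real deployment: the service must reject a token issued directly by the IdP (its trust is with the STS, not the IdP), and the audience check stops a token minted for one relying party being replayed against another.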
Federated authentication provides a standards-based solution to the issue of trusting identities across diverse domains, and can support single sign on. It is becoming more common across all types of applications, especially cloud-hosted applications, because it supports single sign on without requiring a direct network connection to identity providers. The user does not have to enter credentials for every application. This increases security because it prevents the proliferation of credentials required to access many different applications, and it also hides the user’s credentials from all but the original identity provider. Applications see just the authenticated identity information contained within the token.

Federated identity also has the major advantage that management of the identity and credentials is the responsibility of the identity provider. The application or service does not need to provide identity management features. In addition, in corporate scenarios, the corporate directory does not need to know about the user (providing it trusts the identity provider), which removes all the administrative overhead of managing the user identity within the directory.

Issues and Considerations

Consider the following when designing applications that implement federated authentication:

Authentication can be a single point of failure. If you deploy your application to multiple datacenters, consider deploying your identity management mechanism to the same datacenters in order to maintain application reliability and availability.

Authentication mechanisms may provide facilities to configure access control based on role claims contained in the authentication token. This is often referred to as role-based access control (RBAC), and it may allow a more granular level of control over access to features and resources.

Unlike a corporate directory, claims-based authentication using social identity providers does not usually provide information about the authenticated user other than an email address, and perhaps a name. Some social identity providers, such as a Microsoft account, provide only a unique identifier. The application will usually need to maintain some information on registered users, and be able to match this information to the identifier contained in the claims in the token. Typically this is done through a registration process when the user first accesses the application, and information is then injected into the token as additional claims after each authentication.
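An added example, not from the pattern article, covering the last two considerations together: the application keeps its own user store keyed by the token's issuer and subject, sends an unknown identifier to a registration step, injects its own display name and roles as additional claims, and then performs the role-based check. The claims dicts are assumed to come from a token whose signature and issuer have already been verified; issuer names, subjects and users are constructed.

```python
"""Mapping social-IdP claims to an application's own users, then authorizing by role.

Added example, not from the pattern article. Input claims are assumed to come
from an already-verified token; issuer names, subjects and users are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AppUser:
    display_name: str
    roles: list = field(default_factory=list)


# Registered users keyed by (issuer, subject). The subject is the one claim every
# provider supplies, and it is only unique within its issuer; an email claim may be
# absent or change over time, so it is not used as the key.
USERS = {("social-idp-a.example", "sub-1001"): AppUser("Alice", ["reader", "admin"])}

REQUIRED_ROLE = {"read_orders": "reader", "delete_order": "admin"}


def resolve_user(claims: dict):
    """Return ("ok", augmented claims), ("register", identifier) or ("reject", None)."""
    key = (claims.get("iss"), claims.get("sub"))
    if not all(key):
        return "reject", None
    user = USERS.get(key)
    if user is None:
        # First visit: only an identifier is known, so route to registration.
        return "register", {"iss": key[0], "sub": key[1]}
    augmented = dict(claims)
    augmented["name"] = user.display_name
    augmented["roles"] = list(user.roles)     # roles are the app's; any IdP-supplied ones are discarded
    return "ok", augmented


def register(claims: dict, display_name: str):
    """Registration step: create the local record with a least-privilege role, then resolve."""
    key = (claims["iss"], claims["sub"])
    USERS.setdefault(key, AppUser(display_name, ["reader"]))
    return resolve_user(claims)


def authorize(claims: dict, action: str) -> bool:
    """Role-based access check on the augmented claims."""
    status, augmented = resolve_user(claims)
    return status == "ok" and REQUIRED_ROLE[action] in augmented["roles"]


if __name__ == "__main__":
    bob = {"iss": "social-idp-b.example", "sub": "sub-1001"}   # same sub as Alice, different issuer
    print(resolve_user(bob))           # ('register', {...}) on first visit
    print(register(bob, "Bob"))        # ('ok', {... 'name': 'Bob', 'roles': ['reader']})
    print(authorize(bob, "delete_order"))   # False
```

Keying on the (issuer, subject) pair is what stops a subject value from one provider being mistaken for the same value at another, and overwriting any `roles` claim from the social token keeps authorization decisions under the application's control.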
