Federated Identity Pattern (3)

Unlike a corporate directory, consumer authentication through social identity providers typically provides no information about the authenticated user beyond an email address, and perhaps a name. Some social identity providers, such as Microsoft accounts, provide only a unique identifier. The application will usually need to maintain some information about its registered users and be able to match that information to the identifier carried in the claims of the token. Typically this is done through a registration process when the user first accesses the application; the stored information is then injected into the token as additional claims after the user has been authenticated.

If there is more than one identity provider configured for the STS, it must detect which identity provider the user should be redirected to for authentication. This process is referred to as home realm discovery. The STS may be able to do this automatically based on an email address or user name that the user provides, a subdomain of the application that the user is accessing, the user’s IP address scope, or on the contents of a cookie stored in the user’s browser. For example, if the user entered an email address in the Microsoft domain, such as user@live.com, the STS will redirect the user to the Microsoft account sign-in page. On subsequent visits, the STS could use a cookie to indicate that the last sign in was with a Microsoft account. If automatic discovery cannot determine the home realm, the STS will display a home realm discovery (HRD) page that lists the trusted identity providers, and the user must select the one they want to use.

This pattern might not be suitable in the following situations:

All users of the application can be authenticated by one identity provider, and there is no requirement to authenticate using any other identity provider. This is typical in business applications that use only a corporate directory for authentication, and access to this directory is available in the application directly, by using a VPN, or (in a cloud-hosted scenario) through a virtual network connection between the on-premises directory and the application.

The application was originally built using a different authentication mechanism, perhaps with custom user stores, or does not have the capability to handle the negotiation standards used by claims-based technologies. Retrofitting claims-based authentication and access control into existing applications can be complex, and may not be cost effective.

Example

An organization hosts a multi-tenant Software as a Service (SaaS) application in Azure. The application includes a website that tenants can use to manage the application for their own users. The application allows tenants to access the tenant’s website by using a federated identity that is generated by Active Directory Federation Services (ADFS) when a user is authenticated by that organization’s own Active Directory. Figure 2 shows an overview of this process.

Figure 2 - How users at a large enterprise subscriber access the application

In the scenario shown in Figure 2, tenants authenticate with their own identity provider (step 1), in this case ADFS. After successfully authenticating a tenant, ADFS issues a token. The client browser forwards this token to the SaaS application’s federation provider, which trusts tokens issued by the tenant’s ADFS, in order to get back a token that is valid for the SaaS federation provider (step 2). If necessary, the SaaS federation provider performs a transformation on the claims in the token into claims that the application recognizes (step 3) before returning the new token to the client browser. The application trusts tokens issued by the SaaS federation provider and uses the claims in the token to apply authorization rules (step 4).
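As an added example (not the article's own code), the following Python sketches the home realm discovery rules described earlier (cookie, email domain, application subdomain, otherwise the HRD page) together with the federation provider's issuer check, claims transformation and the application's authorization step from Figure 2. The tenant issuer identifiers, tenant names, cookie value and claim values are constructed; the claim type URIs are the standard ADFS/WS-Federation ones. Tokens are plain dictionaries standing in for tokens whose signatures have already been verified.

```python
# Constructed example: tenant issuer ids, tenant names and the SaaS FP issuer are invented.
TRUSTED_ISSUERS = {"urn:contoso:adfs": "contoso", "urn:fabrikam:adfs": "fabrikam"}
EMAIL_DOMAINS = {"contoso.com": "urn:contoso:adfs", "fabrikam.com": "urn:fabrikam:adfs"}
SAAS_FP_ISSUER = "urn:saas:federation-provider"

# Standard ADFS/WS-Federation claim type URIs mapped to the short names the app uses.
CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "name",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "role",
}

def discover_home_realm(email=None, subdomain=None, hrd_cookie=None):
    """Home realm discovery: pick the tenant IdP to redirect to, or None
    when the STS must show the HRD page. A remembered cookie wins, then the
    email domain, then the application subdomain the user is visiting."""
    if hrd_cookie in TRUSTED_ISSUERS:
        return hrd_cookie
    if email and "@" in email:
        issuer = EMAIL_DOMAINS.get(email.rsplit("@", 1)[1].lower())
        if issuer:
            return issuer
    if subdomain:
        for issuer, tenant in TRUSTED_ISSUERS.items():
            if tenant == subdomain.lower():
                return issuer
    return None

def transform_token(tenant_token):
    """Steps 2-3: accept only tokens whose issuer is a trusted tenant IdP,
    map its claims to application claim names, drop unknown claims, and
    re-issue the token under the SaaS federation provider with a tenant claim."""
    issuer = tenant_token.get("iss")
    if issuer not in TRUSTED_ISSUERS:
        raise PermissionError(f"token issuer not trusted: {issuer!r}")
    app_claims = {"iss": SAAS_FP_ISSUER, "tenant": TRUSTED_ISSUERS[issuer]}
    for claim_type, value in tenant_token.get("claims", {}).items():
        app_name = CLAIM_MAP.get(claim_type)
        if app_name is not None:
            app_claims[app_name] = value
    return app_claims

def is_authorized(app_claims, tenant, required_role):
    """Step 4: the application trusts only the federation provider's tokens and
    applies its authorization rules to the transformed claims."""
    return (app_claims.get("iss") == SAAS_FP_ISSUER
            and app_claims.get("tenant") == tenant
            and app_claims.get("role") == required_role)
```

Unknown claim types are dropped rather than passed through, so a tenant IdP cannot inject claims the application never agreed to consume.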