C# Enable SSO for users of a specific domain

Tags: c#, azure-active-directory, microsoft-graph-api

I am using OpenID Connect authentication in my application. I have registered my application in the Microsoft App Registration Portal and received a client Id and secret from there:
    using System.Configuration;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using System.Web;
    using Microsoft.Identity.Client;          // MSAL: ConfidentialClientApplication, ClientCredential, TokenCache
    using Microsoft.IdentityModel.Tokens;     // TokenValidationParameters (System.IdentityModel.Tokens on older middleware)
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        // Values read from web.config appSettings (client id/secret come from the App Registration Portal).
        private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
        private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
        private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
        private static string graphScopes = ConfigurationManager.AppSettings["ida:GraphScopes"];

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = appId,
                    // "common" lets any Azure AD tenant or Microsoft account sign in.
                    Authority = "https://login.microsoftonline.com/common/v2.0",
                    PostLogoutRedirectUri = redirectUri,
                    RedirectUri = redirectUri,
                    Scope = "openid email profile offline_access " + graphScopes,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Issuer validation is switched off here, so tokens from any tenant are accepted.
                        ValidateIssuer = false,
                        // In a real application you would use IssuerValidator for additional checks,
                        // like making sure the user's organization has signed up for your app.
                        // IssuerValidator = (issuer, token, tvp) =>
                        // {
                        //     if (MyCustomTenantValidation(issuer))
                        //         return issuer;
                        //     else
                        //         throw new SecurityTokenInvalidIssuerException("Invalid issuer");
                        // },
                    },
                    Notifications = new OpenIdConnectAuthenticationNotifications
                    {
                        AuthorizationCodeReceived = async (context) =>
                        {
                            var code = context.Code;
                            string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                            // SessionTokenCache is the application's own per-user MSAL cache helper.
                            TokenCache userTokenCache = new SessionTokenCache(signedInUserID,
                                context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
                            ConfidentialClientApplication cca = new ConfidentialClientApplication(
                                appId,
                                redirectUri,
                                new ClientCredential(appSecret),
                                userTokenCache,
                                null);
                            string[] scopes = graphScopes.Split(new char[] { ' ' });
                            // Redeem the authorization code; the tokens land in userTokenCache for later Graph calls.
                            AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);
                        },
                        AuthenticationFailed = (context) =>
                        {
                            context.HandleResponse();
                            context.Response.Redirect("/Error?message=" + context.Exception.Message);
                            return Task.FromResult(0);
                        }
                    }
                });
        }
    }
This code enables SSO, but for any Microsoft account, because I use the common authority. But I want users from a specific directory or domain to log in to my application. I tried this:

    Authority = "https://login.microsoftonline.com/{tenant_id}",

instead of

    Authority = "https://login.microsoftonline.com/common/v2.0",

but it doesn't work, and the Microsoft login page does not appear in the browser.

Answer:

You're close, but you're missing the /v2.0 at the end.

For a multi-tenant application (AAD and MSA accounts) you use:

    https://login.microsoftonline.com/common/v2.0

For a single-tenant application (AAD only) you need to use:

    https://login.microsoftonline.com/{tenant_id}/v2.0

The /v2.0 denotes that your application is using Azure AD's "v2.0 application model" (also called the "v2 endpoint").

Comment from the asker:

I have one more question. Is it possible to allow only users of a specific group in a domain to log in to my application? If so, how do I do that?
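As an added example (not code from the question or the answer above), here is the single-tenant form of the options with issuer validation turned back on, so the app rejects a token from any other tenant even if the authority setting were ever changed back to common; the `ida:TenantId` and `ida:RequiredGroupId` setting names and the `SingleTenantOptions` method are assumptions of this example, and the group gate assumes the app manifest has been configured to emit the groups claim.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;

public partial class Startup
{
    // Assumed web.config settings: the directory (tenant) id and, optionally, a group object id.
    private static readonly string TenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static readonly string RequiredGroupId = ConfigurationManager.AppSettings["ida:RequiredGroupId"];

    public static OpenIdConnectAuthenticationOptions SingleTenantOptions(string appId, string redirectUri, string graphScopes)
    {
        // Single-tenant v2.0 authority: only accounts from this directory are offered sign-in.
        string authority = "https://login.microsoftonline.com/" + TenantId + "/v2.0";
        return new OpenIdConnectAuthenticationOptions
        {
            ClientId = appId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = "openid email profile offline_access " + graphScopes,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Check the issuer instead of trusting any token: v2.0 tokens from this
                // tenant carry exactly the authority URL as their "iss" value.
                ValidateIssuer = true,
                ValidIssuer = authority
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs after signature and issuer checks; an exception thrown here is routed
                // to the AuthenticationFailed notification by the middleware.
                SecurityTokenValidated = context =>
                {
                    var identity = context.AuthenticationTicket.Identity;
                    // Defence in depth: the "tid" claim must name the configured tenant.
                    string tid = identity.FindFirst("tid")?.Value;
                    if (!string.Equals(tid, TenantId, StringComparison.OrdinalIgnoreCase))
                        throw new SecurityTokenInvalidIssuerException("Unexpected tenant");
                    // Optional group gate: "groups" claims hold group object ids and are only
                    // present when groupMembershipClaims is enabled in the app manifest.
                    if (!string.IsNullOrEmpty(RequiredGroupId) &&
                        !identity.FindAll("groups").Any(c => c.Value == RequiredGroupId))
                        throw new SecurityTokenValidationException("User is not in the required group");
                    return Task.FromResult(0);
                }
            }
        };
    }
}
```

Large directories can overflow the groups claim into a Graph overage hint instead of listing every group, so a group gate that relies on the claim alone should treat a missing claim as a denial, as this example does.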