Our SharePoint farm contains multiple web applications. We want to give our employees an SSO experience whether they come from an unmanaged machine (e.g. a home PC) or a managed machine (e.g. a work PC).

We plan to use SAML authentication (via ADFS) for the unmanaged machines and Windows authentication for the managed machines. If we implement it that way, does it mean we have to apply permissions twice for every user? Example: for employee A to access site A, would we have to add both the identifier claim (in our case employee A's e-mail address) and the SamAccountName from Windows authentication as permissions on site A?

Is there a better way to provide a single authentication path, i.e. SAML authentication for both unmanaged and managed PCs? How do other companies deal with this challenge?

Thanks.


Solution

The best approach is SAML for all users. With ADFS & IE set up correctly, the managed PC log-in experience can be seamless (Integrated NTLM), which is likely what you are looking for.

Other tips

You should understand the concept of Authentication Providers in SharePoint, which makes use of claims-based authentication. For your requirement you need to implement SSO for your application, which would be done by the STS in SharePoint 2010. You need to get the SAML 2.0 token from the identity provider (that is where your employees log in externally) and convert it (email/roles/other claims) to a SAML 1.1 token, because SharePoint does not understand SAML 2.0. So you need to write code for this conversion. Then run the PowerShell scripts so that your web application can trust the claims. http://technet.microsoft.com/en-us/library/ff607753.aspx

For internal users use Windows authentication (working URL). No need to have 2 permissions.

Refer: Active Directory Federation Services and SharePoint
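As an added example (not part of either answer above, and not code from Microsoft's TechNet article) here is the PowerShell a practitioner would run to wire up the "SAML for all users" approach from the first answer and the "make the web application trust the claims" step from the second one. It assumes AD FS 2.0 is the identity provider, that SharePoint 2010 receives SAML 1.1 tokens from it over WS-Federation passive sign-in (the /_trust/ endpoint), and it uses assumed names throughout: the realm urn:sharepoint:siteA, the site URL https://sitea.example.com, the AD FS sign-in URL https://adfs.example.com/adfs/ls/, the exported token-signing certificate path C:\certs\adfs-token-signing.cer, the user employee.a@example.com and the AD group SharePoint_SiteA_Readers. The e-mail address is the identifier claim, matching the question, and the role claim lets permissions be granted once per AD group rather than once per sign-in method.

```powershell
# ---- Part 1: on the AD FS 2.0 server (AD FS PowerShell snap-in) ----
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$spRealm    = "urn:sharepoint:siteA"                 # assumed relying-party identifier / realm
$spTrustUrl = "https://sitea.example.com/_trust/"    # assumed SharePoint WS-Fed passive endpoint
$rpName     = "SharePoint Site A"

# Register SharePoint as a relying party. SharePoint 2010 speaks WS-Federation passive,
# so the trust is created with a WS-Fed endpoint rather than a SAML 2.0 protocol endpoint.
Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $spRealm -WSFedEndpoint $spTrustUrl

# Issue the e-mail address (SharePoint's identifier claim) and the user's AD groups as role claims.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail and groups to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Without an authorization rule AD FS issues no token at all, so permit everyone here;
# the actual access decision is made by SharePoint permissions, not by AD FS.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# ---- Part 2: on a SharePoint 2010 server (SharePoint Management Shell) ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath = "C:\certs\adfs-token-signing.cer"   # assumed: AD FS token-signing cert exported as .cer
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Only tokens signed by this certificate are accepted; this is the trust anchor for the whole flow.
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The trusted identity token issuer is the "Authentication Provider" the second answer refers to.
# -Realm must equal the relying-party identifier configured in AD FS, or the token is rejected.
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "AD FS 2.0 federated sign-in" `
    -Realm $spRealm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.example.com/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# Bind the provider to the web application's Default zone, so every user, managed or not,
# takes the same SAML path (the single authentication path the question asks about).
$wa = Get-SPWebApplication "https://sitea.example.com"
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $ap

# Permissions are now granted once per principal, using the claim SharePoint will see in the token.
$web = Get-SPWeb "https://sitea.example.com"

# One user, identified by the e-mail identifier claim (assumed address).
$userPrincipal = New-SPClaimsPrincipal -ClaimValue "employee.a@example.com" -ClaimType $emailType -TrustedIdentityTokenIssuer $ap
New-SPUser -UserAlias $userPrincipal.ToEncodedString() -Web $web -PermissionLevel "Read"

# One AD group, identified by the role claim AD FS issues from tokenGroups (assumed group name).
$groupPrincipal = New-SPClaimsPrincipal -ClaimValue "SharePoint_SiteA_Readers" -ClaimType $roleType -TrustedIdentityTokenIssuer $ap
New-SPUser -UserAlias $groupPrincipal.ToEncodedString() -Web $web -PermissionLevel "Read"

$web.Dispose()
```

The seamless managed-PC experience from the first answer comes from the AD FS side, not from SharePoint: AD FS's /adfs/ls/ sign-in page uses Integrated Windows Authentication when the browser is willing to send Kerberos/NTLM credentials (IE does this for sites in the Local intranet zone, so the AD FS host name needs to be there on managed PCs) and falls back to a forms login for home PCs. Two checks worth doing before going live: compare the clock on the AD FS and SharePoint servers, because SAML token validity windows are short and skew produces "token expired" errors, and confirm that every user who needs access actually has the mail attribute populated in AD, since an empty identifier claim means a failed sign-in rather than a permission error.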

Licensed under: CC-BY-SA with attribution