设为首页 收藏本站
查看: 1725|回复: 0

[经验分享] 尽信书不如无书



发表于 2017-7-1 20:10:09 | 显示全部楼层 |阅读模式
  From the book 《Modern Authentication with Azure Active Directory for Web Applications》

  The Security Assertion Markup Language, SAML for short, appeared on the scene mostly for handling this very problem. Its origin dates back to the early 2000s as a concerted effort of various industry players that wanted to establish an interoperable solution to the SSO problem. SAML 2.0 is the most widely adopted version, with some systems (especially those in academia) still on 1.1.>

  Although both Azure Active Directory and Active Directory Federation Service (ADFS) (from version 2 onward) support SAML, the .NET Framework does not offer any>

  In a nutshell, SAML sidesteps the shortcomings of domain-bound cookies by, you guessed it, adding an extra abstraction layer. Instead of>
  SAML follows precisely the blueprint introduced in the claims-based>Roles

  I am sure you noticed that the sample scenario I introduced earlier contained one entity playing the role of the>
  In the terminology of claims-based>Artifacts

  SAML is guilty of having introduced not one but two widely successful technologies: the protocol it defines and the specific token format that the protocol’s messages exchange. I say “guilty”>
  In SAML parlance, tokens are called assertions. They follow the exact token semantic described in the preceding section: they are a vessel for the>  The SAML acronym, together with the epoch in which it was conceived, probably already gave away that SAML assertions are based on XML. In fact, the entire specification defines everything in terms of XML. That leads to a very expressive, powerful format that can represent pretty much anything. However, all that expressivity comes with various drawbacks. The main one is that XML is very verbose, which leads to big tokens. Furthermore, in XML, the same document can be expressed in multiple equivalent representations, and that flexibility becomes a problem when you need to perform signatures, where two elements listed in a different order can break a signature verification. Those are the main reasons that you won’t encounter SAML assertions in modern protocols later in the book, apart from cases in which they are used to bridge existing solutions to new ones.
  It is tempting for me to use the SAML token structure to start entering into the mechanics of how claims are defined, tokens are scoped, and signatures are applied, but, as I said, SAML is not at the core of the modern protocols that are the main focus of this book. Those explanations will have to wait until a bit later.

  Another important artifact defined by SAML is the format of its metadata documents. You already encountered the>Messages

  SAML defines lots of different messages that support various sign-in flows, from the one triggered by an unauthenticated request to an SP (similar to what’s described in the claims-identity section), to one in which the>  The other interesting category of SAML messages, Single Logout, focuses on providing a mechanism to propagate a sign-out operation to all the applications participating in an SSO session. SAML defines many other messages for various other operations, which I won’t mention here.
  SAML has had an impressive ride from its first versions in the early 2000s. It’s still going strong in many of today’s SSO deployments in enterprises, government, and education. SAML is widely supported in SSO products, developer libraries (across platforms and languages), and cloud services. For many of those products, the SAML functionality is the centerpiece of their offering. As I mentioned, Active Directory itself (both ADFS from version 2 onward and Azure AD) supports it. On the software vendor side, many applications in active development today use SAML, including software as a service (SaaS) apps. The protocol is alive and well.

  That said, if you are starting to develop a new solution, SAML might not be your best choice.>

运维网声明 1、欢迎大家加入本站运维交流群:群②:261659950 群⑤:202807635 群⑦870801961 群⑧679858003
8、联系人Email:admin@iyunv.com 网址:www.yunweiku.com

所有资源均系网友上传或者通过网络收集,我们仅提供一个展示、介绍、观摩学习的平台,我们不对其承担任何法律责任,如涉及侵犯版权等问题,请您及时通知我们,我们将立即处理,联系人Email:kefu@iyunv.com,QQ:1061981298 本贴地址:https://www.yunweiku.com/thread-390163-1-1.html 上篇帖子: 是什么让C#成为最值得学习的编程语言 下篇帖子: BEGINNING SHAREPOINT® 2013 DEVELOPMENT 第6章节--在SharePoint2013中开发、集成和构建应用程序
您需要登录后才可以回帖 登录 | 立即注册






客服E-mail:kefu@iyunv.com 客服QQ:1061981298

QQ群⑦:运维网交流群⑦ QQ群⑧:运维网交流群⑧ k8s群:运维网kubernetes交流群



合作伙伴: 青云cloud

快速回复 返回顶部 返回列表