I am developing an ASP.NET MVC application. I need to support several authentication mechanisms (this application is used by several clients, each of which has its own service provider). One auth provider will be Active Directory. Integrating AD for authentication is simple and I have no problem with this.
For authorization, roles will be stored in a local database (NOTE: We cannot use Active Directory groups for authorization. Roles must be local application roles because we support several authn providers and AD administrators will not want to create user groups in AD only for our applications). My expectation is that we will need to create a stub for user accounts in our local database in order to store the user-to-role mappings. These accounts will also be used to indicate which users are allowed to access the application (not all AD users should have access).
The expected control flow will be:
- The user opens the login page > enters credentials > the credentials are sent to the application server.
- The application checks credentials against AD. At this point, we know if the user is authenticated.
- The application checks the SID of the user to see if there is a stub account with this SID in the local database. If not, the application will display an "unauthorized" error message to the user.
- The application looks up the user's roles in the user-to-role assignment table in the local database.
- User information, including roles, will be stored as claims, and the application will use typical claims-based authorization (for example, ClaimsAuthorizationManager).
- "" ? , - AD script AD , ASP.NET, (. , - , SID AD , , ).
/ , , . , , , ( / AD ). , - , AD, , , "", .
- ? , "" ? ?
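One way to wire the flow described above in the application's own language (C#, with System.DirectoryServices.AccountManagement for the AD credential check), as an added example that is not the asker's code: the LocalAccount type and the findBySid lookup are assumed stand-ins for the local stub-account and role tables.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Claims;

// Hypothetical row from the local stub-account table, keyed by AD SID.
public class LocalAccount
{
    public string Sid { get; set; }
    public string DisplayName { get; set; }
    public IList<string> Roles { get; set; }
}

public class AdClaimsBuilder
{
    // Hypothetical lookup against the local database; returns null when no stub exists.
    private readonly Func<string, LocalAccount> _findBySid;
    private readonly string _domain;
    public AdClaimsBuilder(Func<string, LocalAccount> findBySid, string domain)
    {
        _findBySid = findBySid;
        _domain = domain;
    }
    // Returns a ClaimsIdentity on success, otherwise null with 'reason' set so the
    // controller can distinguish "bad credentials" from "authenticated but not allowed".
    public ClaimsIdentity Authenticate(string userName, string password, out string reason)
    {
        reason = null;
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
        {
            // Step 1: authentication is AD's job.
            if (!ctx.ValidateCredentials(userName, password)) { reason = "invalid credentials"; return null; }
            // Step 2: authorization is keyed on the SID, not the login name, so a renamed
            // AD account keeps its local roles and a recreated account does not inherit them.
            var adUser = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName);
            if (adUser == null) { reason = "invalid credentials"; return null; }
            var sid = adUser.Sid.Value;
            var local = _findBySid(sid);
            if (local == null) { reason = "unauthorized"; return null; } // no stub account
            // Step 3: roles come from the local table only; AD groups are never consulted.
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.NameIdentifier, sid),
                new Claim(ClaimTypes.Name, local.DisplayName ?? userName)
            };
            claims.AddRange(local.Roles.Select(r => new Claim(ClaimTypes.Role, r)));
            return new ClaimsIdentity(claims, "ActiveDirectory", ClaimTypes.Name, ClaimTypes.Role);
        }
    }
}
```

Passing ClaimTypes.Role as the role claim type is what lets [Authorize(Roles = "...")] and ClaimsAuthorizationManager see the locally assigned roles.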