Authenticating extranet web site in iframe using Windows Identity Foundation

Scenario: A number of web sites must be displayed through iframes on my company extranet. The extranet uses SSL, and Windows authentication based on Active Directory. Each of the iframe'd web sites requires an authenticated user, but it is a requirement that the user should not be asked to log on manually. The authentication mechanism for each of the web sites has not been determined yet.

Problem: I need to find out how to accomplish an automatic log on in the iframes. I can require the iframe'd web sites to use a specific authentication mechanism that suits my purpose, although I do need to supply them with specific user-information from the AD.

I have been advised to use Windows Identity Foundation for solving the authentication challenge. I am considering two solutions, but as a WIF novice I am unsure which is better, and if they are even possible.

Solution 1: I create a custom Security Token Service with the AD claims. When the user browses to one of my iframe pages, the page programmatically gets a token from the STS, and somehow adds the token to the iframe. Looking at samples on the net I believe I understand how to build the STS and get the token programmatically. But how do I use it with the iframe? Inserting it in the iframe URL ( http://website/default.aspx?token=xxx ) seems unsafe.

Solution 2: I create the same STS. The iframe'd web sites are configured to use the STS as authentication provider. When the user browses to one of my iframe pages, the iframe'd web site automatically queries the STS for a token, and logs the user in. But how does the iframe'd web part get the token - is the original user available in the request context, or how does it work? And can this be done inside an iframe at all - I recall having read something about cookies not being allowed in iframes?

Answer to the above - or perhaps a different solution - is most welcome.


Go for solution #2. If the pages within the iframes (from now on the relying party - RP) are configured to use the STS as authentication provider, then when first loaded they will redirect the browser (the iframe) to the STS. The STS knows that the user already has a single sign-on session (from logging onto the extranet initially) and therefore issues a session token which it delivers to the relying party as an HTTP POST that is intercepted by WIF and delivered to the client in the form of a cookie (by default, but this can be overridden using custom session token handlers). Some browsers do not initially allow cookies within iframes, but by sending a P3P header in the responses from the relying party this can be allowed.
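The redirect-and-POST exchange described in the answer, as an added offline simulation that is not code from the question, the answer or WIF itself. The `wa`, `wtrealm`, `wctx` and `wresult` parameter names are those of the WS-Federation passive protocol that WIF implements; the HMAC-signed claims string standing in for a signed SAML token, the realm and STS URLs, the key, the cookie names and the P3P compact-policy value are all constructed assumptions.

```python
import hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

STS_KEY = b"constructed-demo-key"        # stands in for the STS signing certificate
RP_REALM = "https://website.example/"   # the iframe'd relying party (constructed name)
STS_URL = "https://sts.example/issue"   # the custom STS (constructed name)

def sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True)
    return body + "|" + hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify(token: str) -> dict:
    body, _, mac = token.rpartition("|")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token signature invalid")
    return json.loads(body)

def rp_get(url: str, cookies: dict) -> dict:
    """RP: serve the page if the session cookie exists, else redirect the iframe to the STS."""
    if "FedAuth" in cookies:
        return {"status": 200, "user": verify(cookies["FedAuth"])["upn"]}
    q = urlencode({"wa": "wsignin1.0", "wtrealm": RP_REALM, "wctx": url})
    return {"status": 302, "location": f"{STS_URL}?{q}"}

def sts_get(url: str, cookies: dict) -> dict:
    """STS: the extranet logon already created an SSO session, so issue a token without prompting.
    The token travels in an auto-submitting form that POSTs back to the RP realm."""
    q = parse_qs(urlparse(url).query)
    if q.get("wa") != ["wsignin1.0"] or "sso" not in cookies:
        return {"status": 401}
    token = sign({"upn": cookies["sso"], "aud": q["wtrealm"][0]})
    return {"status": 200, "form_post": {"action": q["wtrealm"][0], "wa": "wsignin1.0",
                                         "wresult": token, "wctx": q["wctx"][0]}}

def rp_post(form: dict) -> dict:
    """RP: validate the posted token, then set the session cookie with a P3P header for the iframe."""
    claims = verify(form["wresult"])
    if claims["aud"] != RP_REALM:
        raise ValueError("token was issued for another realm")
    return {"status": 302, "location": form["wctx"], "set_cookie": {"FedAuth": form["wresult"]},
            "headers": {"P3P": 'CP="CAO PSA OUR"'}}  # illustrative compact policy value

def run_flow(user: str) -> str:
    """Drive a browser through the exchange; returns the user name the RP finally sees."""
    rp_cookies, sts_cookies = {}, {"sso": user}   # user is already signed on at the STS
    r1 = rp_get(RP_REALM + "default.aspx", rp_cookies)   # 302 -> STS
    r2 = sts_get(r1["location"], sts_cookies)            # token inside a POST form
    r3 = rp_post(r2["form_post"])                        # cookie + 302 back to wctx
    rp_cookies.update(r3["set_cookie"])
    return rp_get(r3["location"], rp_cookies)["user"]
```

Note that the user never sees a logon prompt: the RP only ever receives the token via the browser, which is why the token does not need to appear in the iframe URL as solution #1 proposed.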
