single sign on - Azure Active Directory Integration with Custom RBAC

We have our own web application which performs access control based on the username and associated roles defined locally and maintained in the local database.

I need to integrate our application with "Azure AD" to avail single sign-on (SSO) so that with the same user-name, we can integrate and access other SaaS applications as well. I think I can achieve this with "Azure ADAL APIs" and "Graph APIs".

However, I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication. This is required for our web application to provide Access Control (based on user id and role) without defining roles locally. I am not sure how to achieve this.

Please let me know if it is feasible and what is the best option to achieve the same.


1 Reply


I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication. This is required for our web application to provide Access Control (based on user id and role) without defining roles locally.

You need to look at the Application Roles related functionality in Azure AD to implement your custom RBAC. It should most probably provide what you're looking for.

On a side note, I've seen cases where people chose to do some authorization logic based on which groups the users belonged to. This is just information and not something you need to do.

I'm sharing samples related to both, Roles and Groups in this answer, but definitely look at Application Roles first and once you understand them clearly, you can decide to use Application Roles, Groups or a combination of both Roles and Groups (very possible) for your Authorization strategy.

Application Roles

Microsoft Documentation - Application Roles

Purpose - These roles are defined in the Application Manifest for an application that your organization is developing and that is registered in your Azure Active Directory. These roles are very specific to your application and can be used in the application's code to implement Authorization logic for the authenticated users.

Sample Application (that uses this concept and does what you're looking for) -

Authorization in a web app using Azure AD application roles & role claims

Quick Explanation

1) Once you register your application with Azure AD, you can define custom roles (specific to your application) by editing the application manifest (JSON) in Azure AD.
Here's a sample JSON of what application role definition would look like:

"appRoles": 
[
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Creators can create Surveys",
    "displayName": "SurveyCreator",
    "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
    "isEnabled": true,
    "value": "SurveyCreator"
  },
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Administrators can manage the Surveys in their tenant",
    "displayName": "SurveyAdmin",
    "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
    "isEnabled": true,
    "value": "SurveyAdmin"
  }
]

2) You will be able to assign these roles to Users/Groups/applications through Azure Portal or programmatically. (you could control the allowed member types for roles)

3) Now when the end users sign in to your application, the incoming Azure AD token will provide you with a collection of role claims (based on whatever roles are assigned to the user) and you can take authorization decisions in your application.

if (context.User.HasClaim(ClaimTypes.Role, "Admin")) { ... }

Groups

Groups can have multiple users or other groups as members. Again, management of groups is possible through the Azure Portal or programmatically.

NOTE: Groups are totally independent of your application, i.e. Azure AD groups can and do exist to serve the purpose of grouping members even without your application. Application Roles, on the other hand, are very specific to your application; they don't mean much to anyone except your application.

Sample app which makes decisions based on Groups

Authorization in a web app using Azure AD groups & group claims
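As an added illustration (not code from the answer or the linked samples), here is the manifest-to-token-to-decision path in Python: the `roles` claim of an already-validated Azure AD token is intersected with the `value` strings that are defined and enabled in `appRoles`, then mapped to application permissions. The manifest fragment, the extra disabled `SurveyAuditor` role and the `ROLE_PERMISSIONS` mapping are constructed for this example.

```python
from typing import Dict, Set

# Constructed manifest fragment mirroring the appRoles shown above, plus one
# disabled role added here to show that disabled definitions are not honoured.
APP_MANIFEST = {
    "appRoles": [
        {"allowedMemberTypes": ["User"], "displayName": "SurveyCreator",
         "id": "1b4f816e-5eaf-48b9-8613-7923830595ad", "isEnabled": True,
         "value": "SurveyCreator"},
        {"allowedMemberTypes": ["User"], "displayName": "SurveyAdmin",
         "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1", "isEnabled": True,
         "value": "SurveyAdmin"},
        {"allowedMemberTypes": ["User"], "displayName": "SurveyAuditor",
         "id": "00000000-0000-0000-0000-000000000000", "isEnabled": False,
         "value": "SurveyAuditor"},  # constructed, disabled on purpose
    ]
}

# Hypothetical application-side mapping: role value -> permissions it grants.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "SurveyCreator": {"survey:create"},
    "SurveyAdmin": {"survey:create", "survey:delete"},
    "SurveyAuditor": {"survey:read"},
}


def enabled_role_values(manifest: dict) -> Set[str]:
    """Role values the manifest currently allows to be asserted."""
    return {r["value"] for r in manifest.get("appRoles", []) if r.get("isEnabled") is True}


def roles_from_claims(claims: dict, manifest: dict) -> Set[str]:
    """Assigned app roles taken from validated token claims.

    Azure AD emits assigned app roles in the "roles" claim as an array of the
    manifest "value" strings. Signature, issuer, audience and expiry checks are
    assumed to have been done by the token-validation middleware before this
    point; only values defined and enabled in the manifest are accepted.
    """
    claimed = claims.get("roles", [])
    if isinstance(claimed, str):  # tolerate a single-value claim
        claimed = [claimed]
    return set(claimed) & enabled_role_values(manifest)


def permissions_for(claims: dict, manifest: dict) -> Set[str]:
    perms: Set[str] = set()
    for role in roles_from_claims(claims, manifest):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(claims: dict, manifest: dict, permission: str) -> bool:
    return permission in permissions_for(claims, manifest)
```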
