Azure smartcard auth

I want to understand how smartcard authentication takes place on Azure. I know we need on-premises ADFS, but I want to figure out two things:

1) What exact exchange takes place between Azure and the client? Something like the following:

GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &response_type=id_token+code
    &redirect_uri=http%3A%2F%2Flocalhost%3a12345
    &response_mode=form_post
    &scope=openid
    &resource=https%3A%2F%2Fservice.contoso.com%2F
    &state=12345
    &nonce=678910

2) How is the smartcard authenticated? Is it challenge-response, or is the certificate verified? In the case of challenge-response, does the client generate signed data that is verified by ADFS?

1) What exact exchange takes place between Azure and the client?

The sample request you mentioned is the sign-in request for getting access tokens; for the exact exchange between Azure and the client, just refer to this link.

2) How is the smartcard authenticated? Is it challenge-response, or is the certificate verified? In the case of challenge-response, does the client generate signed data that is verified by ADFS?

I think it is probably challenge-response; the client generates signed data that is verified by ADFS.

You can refer to this article, as described in How federated access works with Windows Azure (Step 4):

The KDC issues the client a Service Ticket, containing the multifactor claims (this assumes that IT policy forced smartcard authentication at desktop login time, otherwise, AD FS can challenge to present a smartcard during this Windows Azure Management Portal login sequence).

The client PC presents the Service Ticket to AD FS. AD FS validates the Kerberos ticket and generates a signed SAML token for Windows Azure AD in the next step. AD FS will only send the signed SAML token if the credentials are valid.
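The step quoted above ends with AD FS issuing a signed SAML token that carries the multifactor claims; what the relying side then checks is whether those claims actually say a smartcard was used, rather than trusting that a desktop smartcard policy was in force. The following is an added example, not code from the question, the answer, or Microsoft: it builds two constructed SAML 2.0 assertions (one for a plain Windows/password sign-in, one where AD FS recorded a smartcard) and inspects the AD FS `authenticationmethod` claim in each. The issuer URL, the user, and the token layout are assumptions for illustration; XML-DSig signature validation of the assertion is out of scope here and must be done before any claim is trusted.

```python
"""Inspect the authentication-method claims in a SAML assertion issued by AD FS.

Added example, not part of the original Q&A. The assertions below are constructed
sample input (issuer, subject and layout are assumed); the claim URIs are the ones
AD FS uses for its authenticationmethod claim. Signature validation of the token
is not shown and must precede any use of these claims.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHN_METHOD_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
WINDOWS = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows"
SMARTCARD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/smartcard"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"


def build_assertion(methods):
    """Return a constructed, unsigned assertion carrying the given method claims.

    This is sample input for the checks below, not a real AD FS token.
    """
    values = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_1" Version="2.0">
  <saml:Issuer>http://adfs.contoso.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@contoso.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AUTHN_METHOD_CLAIM}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed samples: a desktop logon with Kerberos only, and one where
# AD FS recorded a smartcard (plus the multiple-authentication marker).
PASSWORD_LOGIN = build_assertion([WINDOWS])
SMARTCARD_LOGIN = build_assertion([WINDOWS, SMARTCARD, MULTIPLE_AUTHN])


def authn_methods(assertion_xml):
    """Return every value of the AD FS authenticationmethod claim, in order."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    methods = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") == AUTHN_METHOD_CLAIM:
            methods.extend(v.text for v in attr.findall("saml:AttributeValue", ns) if v.text)
    return methods


def smartcard_asserted(assertion_xml):
    """True only if AD FS explicitly recorded a smartcard authentication method."""
    return SMARTCARD in authn_methods(assertion_xml)


def mfa_asserted(assertion_xml):
    """True if the token carries the multiple-authentication claim."""
    return MULTIPLE_AUTHN in authn_methods(assertion_xml)


if __name__ == "__main__":
    for name, token in (("password", PASSWORD_LOGIN), ("smartcard", SMARTCARD_LOGIN)):
        print(name, authn_methods(token), "smartcard:", smartcard_asserted(token),
              "mfa:", mfa_asserted(token))
```

The point of checking the claim values rather than the mere presence of a token is the caveat in the quoted step: AD FS issues a signed token for any valid credential, so a Kerberos ticket from a password logon yields a perfectly valid token whose only method is `windows`. A relying party that requires smartcard must look for the smartcard (or multipleauthn) claim and, before that, verify the token signature against the AD FS signing certificate.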