We are implementing an STS setup that uses Azure AD as the identity provider for Amazon Web Services applications that run as daemons/services in our data center and need access to AWS resources. We are currently using NodeJS and the wsfed2 library: https://github.com/auth0/passport-wsfed-saml2. We want our services to obtain temporary AWS credentials through the AWS STS AssumeRole with SAML API call.

This is how far we have gotten. Note: all Azure applications are identified by their application ID GUID.

1.- We were able to integrate the AWS CONSOLE with regular users in our AZAD (browser-only authentication) following the documentation here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-amazon-web-service-tutorial

2.- We were able to assume an AWS role using Azure authentication based on a SAML token (using WS-Federation and the AWS STS AssumeRole API call with the STS token response from the Azure AWS STS application) and successfully log in a test NodeJS-based web application that pulls data from AWS.

3.- We followed the documentation listed here to authenticate a daemon application to a service application (using Microsoft ADAL on Windows .NET and OAuth 2.0) - this is the official Microsoft documentation: https://github.com/Azure-Samples/active-directory-dotnet-daemon

What we have not accomplished yet:

    • Getting our TodoListDaemon application to authenticate against our "AWS STS QA" Azure application, because that service application requires a ROLE to be assigned to each user, but in this case the user is not a person but a .NET service linked to the TodoListDaemon application registered in AAD. Instead, we get the following error when running the ADAL sample code:
    An error occurred while acquiring a token
    Time: 10/25/2017 2:45:17 AM
    Error: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50105: Application '*******' is not assigned to a role for the application 'AWS STS QA'.
    Trace ID: d1cc4012-b0c1-4b8f-b3d4-325031ec0000
    Correlation ID: 27543468-5087-44aa-9a86-336a2b0a81c9
    Timestamp: 2017-10-25 02:45:17Z
    ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (BadRequest).
       at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpClientWrapper.d__29.MoveNext()
    --- End of inner exception stack trace ---
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.d__181.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.<GetResponseAsync>d__171.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__66.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__63.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__53.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__45.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__22.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
       at TodoListDaemon.Program.d__12.MoveNext() in C:\Users\Administrator\Source\Repos\active-directory-dotnet-daemon-withAWSService\TodoListDaemon\Program.cs:line 162
    ErrorCode: invalid_grant
    StatusCode: 400
    Retry: False

4.1- Assigning a role on 'AWS STS QA' to the TodoListDaemon application (as required by the error message above): https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/objectId/*******/appId/*******

[Problem start date and time] Wed, 18 Oct 2017 07:00:00 GMT
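Added example, not code from the original post and not part of passport-wsfed-saml2 or any AWS or Microsoft sample: step 2 above hands an Azure AD SAML assertion to STS AssumeRoleWithSAML, and the Node.js snippet below shows the part of that exchange a service has to get right, namely picking the role/provider pair out of the assertion's https://aws.amazon.com/SAML/Attributes/Role attribute and building the STS call. The account ID, role names, provider name and the unsigned sample assertion are constructed for illustration; the aws-sdk v2 client at the end is assumed to be installed and only runs when a real assertion is supplied through environment variables. Note that AssumeRoleWithSAML consumes a SAML assertion, whereas the ADAL client-credentials flow from step 3 returns an OAuth 2.0 JWT, so this example covers the SAML path only.

```javascript
// Added example, not code from the original post or from passport-wsfed-saml2.
// Selects an AWS role from an Azure AD SAML assertion and builds the
// STS AssumeRoleWithSAML call. Account IDs, role names and the provider name
// below are made up; the sample assertion is constructed and unsigned, so STS
// itself would reject it, but it is enough to exercise the role selection.
'use strict';

const AWS_ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role';

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Return every { RoleArn, PrincipalArn } pair listed in the Role attribute.
// The assertion is only inspected here to choose a role; the base64 blob is
// passed to STS unmodified and STS verifies the signature against the IAM SAML
// provider, so a tampered assertion fails there, not here. A production build
// should read the attribute through an XML parser (or the profile object the
// SAML library hands back) rather than this regex.
function parseAwsRoles(assertionB64) {
  const xml = Buffer.from(assertionB64, 'base64').toString('utf8');
  const attrRe = new RegExp(
    '<(?:\\w+:)?Attribute\\b[^>]*\\bName="' + escapeRe(AWS_ROLE_ATTR) + '"[^>]*>' +
    '([\\s\\S]*?)</(?:\\w+:)?Attribute>');
  const attr = attrRe.exec(xml);
  if (!attr) throw new Error('assertion carries no ' + AWS_ROLE_ATTR + ' attribute');

  const valueRe = /<(?:\w+:)?AttributeValue\b[^>]*>([^<]*)<\/(?:\w+:)?AttributeValue>/g;
  const roles = [];
  let v;
  while ((v = valueRe.exec(attr[1])) !== null) {
    // Azure AD emits "roleArn,providerArn"; AWS also accepts the reverse order,
    // so classify each half by its resource type instead of by position.
    const parts = v[1].trim().split(',').map(p => p.trim());
    const roleArn = parts.find(p => p.includes(':role/'));
    const principalArn = parts.find(p => p.includes(':saml-provider/'));
    if (parts.length !== 2 || !roleArn || !principalArn) {
      throw new Error('malformed Role attribute value: ' + v[1]);
    }
    roles.push({ RoleArn: roleArn, PrincipalArn: principalArn });
  }
  if (roles.length === 0) throw new Error('Role attribute has no values');
  return roles;
}

// Build the AssumeRoleWithSAML parameters. The caller names the role it wants;
// silently taking "the first role in the list" would hand the daemon whatever
// role an IdP admin listed first, so an unlisted role is an error, not a fallback.
function buildAssumeRoleParams(assertionB64, wantedRoleArn, durationSeconds = 3600) {
  if (durationSeconds < 900 || durationSeconds > 43200) {
    throw new RangeError('DurationSeconds must be between 900 and 43200');
  }
  const match = parseAwsRoles(assertionB64).find(r => r.RoleArn === wantedRoleArn);
  if (!match) throw new Error('assertion does not grant ' + wantedRoleArn);
  return {
    RoleArn: match.RoleArn,
    PrincipalArn: match.PrincipalArn,
    SAMLAssertion: assertionB64,
    DurationSeconds: durationSeconds,
  };
}

// AssumeRoleWithSAML is an unsigned STS call: the assertion is the credential,
// so no long-lived AWS access keys need to exist on the daemon host.
function assumeRoleWithSaml(sts, params) {
  return sts.assumeRoleWithSAML(params).promise();
}

// Constructed sample assertion (unsigned, made-up ARNs) laid out the way the
// AWS attributes appear once the account and provider names are filled in.
const SAMPLE_ASSERTION_XML = [
  '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">',
  '  <saml2:AttributeStatement>',
  '    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">',
  '      <saml2:AttributeValue>arn:aws:iam::123456789012:role/AwsStsQaDaemon,arn:aws:iam::123456789012:saml-provider/AzureAD</saml2:AttributeValue>',
  '      <saml2:AttributeValue>arn:aws:iam::123456789012:role/AwsStsQaReadOnly,arn:aws:iam::123456789012:saml-provider/AzureAD</saml2:AttributeValue>',
  '    </saml2:Attribute>',
  '    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">',
  '      <saml2:AttributeValue>todolistdaemon</saml2:AttributeValue>',
  '    </saml2:Attribute>',
  '  </saml2:AttributeStatement>',
  '</saml2:Assertion>',
].join('\n');
const SAMPLE_ASSERTION_B64 = Buffer.from(SAMPLE_ASSERTION_XML, 'utf8').toString('base64');

// Stand-alone use against a real, signed assertion (assumes aws-sdk v2 is
// installed; nothing below runs unless both variables are set):
//   SAML_ASSERTION=<base64> ROLE_ARN=arn:aws:iam::<account>:role/<name> node sts-saml.js
if (process.env.SAML_ASSERTION && process.env.ROLE_ARN) {
  const AWS = require('aws-sdk');
  const sts = new AWS.STS({ region: process.env.AWS_REGION || 'us-east-1' });
  assumeRoleWithSaml(sts, buildAssumeRoleParams(process.env.SAML_ASSERTION, process.env.ROLE_ARN))
    .then(r => console.log('temporary credentials expire at', r.Credentials.Expiration))
    .catch(e => { console.error(e.code, e.message); process.exitCode = 1; });
} else {
  console.log(parseAwsRoles(SAMPLE_ASSERTION_B64));
}
```

The role is matched by exact ARN rather than by list position on purpose: the list in the assertion is controlled by whoever administers the Azure AD enterprise application, and a daemon that takes whichever entry comes first inherits any role that gets added there later. DurationSeconds is bounded to the range STS accepts, and the role's own maximum session duration still caps it server-side.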