2017-02-07 09:31
浏览 86

在PHP中获取Azure AD用户角色

I have a small application I am writing in PHP where I need to check if a given user has a given role assigned to them. I am using Azure App Service with app service authentication enabled to authenticate users against the azure active directory. As part of the application I need to get the users username, display name, and if they are a member of one or more of three security groups which they could be a part of to define what access levels they have within the application.

I need to do it this way as I can't have the roles managed within the application, instead it needs to be managed through active directory security groups. I am seeking a method that is native to azure app service (as in ideally not doing a separate LDAP lookup if possible). I know how to extract the authenticated username from the header data sent to the application (HTTP_X_MS_CLIENT_PRINCIPAL_NAME) however I don't know how I can get the full display name and how to check if a user has specific roles assigned to them. I have already output a copy of the entire php $_SERVER super global array to see if the data I am seeking is in there but I can't find it in there.

For the purposes of this question make the following assumptions...

user1@domain.com is assigned the roles role1, role2, role3
user2@domain.com is assigned the role role3 only

So if either user logs in I need to be able to show their full name based on their AD entry and need to be able to check if they are part of security groups role1 role2 and/or role3.

I would post an example of my code but I have no idea where to start with getting this data so the only code I have thus far is a test block to print all the $_SERVER values onto the page for testing purposes.


图片转代码服务由CSDN问答提供 功能建议

我在PHP中编写了一个小应用程序,我需要检查给定用户是否分配了给定的角色 给他们。 我正在使用Azure App Service并启用了应用服务身份验证,以根据azure活动目录对用户进行身份验证。 作为应用程序的一部分,我需要获取用户的用户名,显示名称,以及他们是否是三个安全组中的一个或多个的成员,他们可以参与这些安全组来定义他们在应用程序中具有的访问级别。

我需要这样做,因为我无法在应用程序中管理角色,而是需要通过活动目录安全组进行管理。 我正在寻找一种原生于azure app服务的方法(如果可能的话,理想情况下不进行单独的LDAP查找)。 我知道如何从发送到应用程序的头数据中提取经过身份验证的用户名( HTTP_X_MS_CLIENT_PRINCIPAL_NAME )但是我不知道如何获取完整的显示名称以及如何检查用户是否具有特定的角色 分配给他们。 我已经输出了整个php $ _ SERVER 超级全局数组的副本,看看我在寻找的数据是否在那里,但我找不到它。 \ n


user2 @ domain。 com被分配角色role3 only

因此,如果任一用户登录,我需要能够根据他们的AD条目显示他们的全名,并且需要能够检查是否 它们是安全组 role1 role2 和/或 role3 的一部分。

我会发布一个示例 我的代码,但我不知道从哪里开始获取这些数据所以我到目前为止唯一的代码是一个测试块,将所有 $ _ SERVER 值打印到页面上以进行测试。


  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

相关推荐 更多相似问题