
Custom SSO With Azure Active Directory

We currently use Office 365 and we're looking to expand the use of Azure Active Directory to provide SSO to third-party web apps. Some of our required apps are not currently supported in the app gallery, so I have been testing creating an SSO setup for one of these apps from scratch. Please note this is not my own app that I have developed in-house, but a commercial app that supports SAML. Is there any guidance on setting this up that doesn't have a developer focus? Is what I'm looking for even possible, or is this really intended for LOB apps only? Thanks!

I don't have a background in SAML or web development, so please be kind ;)

Larry, we love to get feedback on this - tell us what apps you're using and we might be able to prioritize their integration higher. That said, if you wish to try integrating these apps manually, it may be possible, depending on whether AzureAD supports the claims that these applications need. Here's your best bet:

  1. Register a new application in your Azure AD representing the application (in the Applications tab of the Directory in the Azure Management Portal). On this application registration, specify the 'Reply URL' as the URL on which the application expects the token to be posted (called AssertionConsumerServiceURL in SAML-P). Also, on this application registration, specify the 'App ID URI' as the audience string that the application expects in the token (called Audience in SAML-P).
  2. In the application, register your Azure AD as the identity provider. Most applications require only the token signing certificate to be specified. Get the certificate from your Azure AD metadata URL (https://login.windows.net/{your Azure AD tenant id or domain name}/federationmetadata/2007-06/federationmetadata.xml) and register it in the app. Some applications also require the issuer value of the identity provider to be registered. Your AzureAD will issue tokens with an Issuer value of 'https://sts.windows.net/{your Azure AD tenant id}/' (e.g. https://sts.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/). If your application supports SP-initiated SSO, provide the IdP login URL (https://login.windows.net/{your Azure AD tenant id or domain name}/saml2) to the application to redirect the user to (when the user clicks sign-in).
  3. Finally, if your application expects IdP-initiated SSO, construct a canned SAML AuthNRequest and save it in a URL. When your organization's users click on this URL (canned SAML AuthNRequest), they will get redirected to Azure AD, where they will sign in, and then the token will be posted to the application's AssertionConsumerServiceURL, resulting in the user getting signed in. You can use the following tool to create a SAML AuthNRequest: https://www.authnauthz.com/samlscrewdriver/authnrequest

Hope this helps. Again - let me know what applications you want to integrate with - we might be able to help more.
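The three steps in the answer above, worked through in code as an added example (this is not code from the original post, the answerer, or Microsoft). It does two things a practitioner setting this up by hand would otherwise do by eye: it pulls the token signing certificate, the Issuer (entityID) and the SAML2 login URL out of a federation metadata document (step 2), and it builds the "canned" AuthnRequest link of step 3 using the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), with Issuer set to the App ID URI and AssertionConsumerServiceURL set to the Reply URL from step 1. The tenant id, App ID URI and Reply URL are placeholders, and the metadata document is a constructed, trimmed sample that mimics the structure of Azure AD's federationmetadata.xml with a dummy certificate string; point `parse_idp_metadata` at the real document fetched from the metadata URL in step 2 to use it for a real tenant.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Assumptions (placeholders, not real values).
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # your Azure AD tenant id
APP_ID_URI = "https://example.com/saml"               # 'App ID URI' registered in step 1 (= Audience)
REPLY_URL = "https://example.com/saml/acs"            # 'Reply URL' registered in step 1 (= AssertionConsumerServiceURL)

# Constructed sample of the document Azure AD serves at
# https://login.windows.net/{tenant}/federationmetadata/2007-06/federationmetadata.xml
# (structure only; the certificate is a dummy string, not a real key).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC0DUMMYCERTDATA==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.windows.net/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.windows.net/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_idp_metadata(xml_text):
    """Extract the three values step 2 asks the application to register:
    the IdP issuer (entityID), the token signing certificate(s) and the
    SP-initiated login URL (the HTTP-Redirect SingleSignOnService)."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")
    certs = [
        "".join(c.text.split())  # drop the line folding metadata files usually contain
        for c in root.findall(
            "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
            "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    sso_url = None
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    return {"issuer": issuer, "signing_certs": certs, "sso_url": sso_url}


def build_authn_request(sso_url, sp_entity_id, acs_url, request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest. Issuer is the App ID URI, so the
    assertion comes back with that Audience; the ACS URL must equal the
    registered Reply URL or Azure AD will refuse to post the token there."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{sso_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def redirect_binding_url(sso_url, authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode as the SAMLRequest query parameter. This is the 'canned'
    link from step 3 that users click to start sign-in."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate stream
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_saml_request(url):
    """Inverse of redirect_binding_url, handy for inspecting a link produced by any tool."""
    query = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("Register in the app:", meta)
    link = redirect_binding_url(meta["sso_url"], build_authn_request(meta["sso_url"], APP_ID_URI, REPLY_URL))
    print("Canned sign-in link:", link)
```

The link printed at the end is what step 3 calls the canned AuthNRequest URL; `decode_saml_request` lets you confirm that the Issuer and AssertionConsumerServiceURL inside it match the App ID URI and Reply URL you registered in step 1 before handing it to users.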
