我应该在 SaaS 应用程序中使用单个 Azure AD B2C 租户还是多个租户?
[英]Should I use a single Azure AD B2C tenant or multiple tenants in a SaaS app?
问题描述
I have a partner considering moving to AAD B2C for their SaaS app that is used by many corporate customers.
我有一个合作伙伴正在考虑为他们的许多企业客户使用的 SaaS 应用程序迁移到 AAD B2C。
They are debating whether to have one AAD B2C tenant that is used by all customers, or whether to have separate B2C tenants for each customer.他们正在争论是要有一个供所有客户使用的 AAD B2C 租户,还是要为每个客户提供单独的 B2C 租户。 What is the best practice here and why?这里的最佳实践是什么?为什么?
A related question is regarding environments (dev/test/QA/prod): should the partner implement a spearate AAD B2C tenant for each environment, or use one B2C tenant across the environments?一个相关的问题是关于环境 (dev/test/QA/prod):合作伙伴应该为每个环境实施单独的 AAD B2C 租户,还是跨环境使用一个 B2C 租户?
2 个解决方案
解决方案1
1 已采纳 2021-08-19 08:29:59
I would suggest using one Azure AD B2C tenant for all the customers, as maintaining a separate tenant for each customer would be difficult to manage and you won't be utilizing what B2C is meant for.我建议为所有客户使用一个 Azure AD B2C 租户,因为为每个客户维护一个单独的租户将难以管理,而且您不会利用 B2C 的用途。 When using one B2C tenant, you may consider collecting Company Name during user sign-ups, if you want to later segregate or find the users based on their organization.使用一个 B2C 租户时,如果您想稍后根据用户的组织隔离或查找用户,您可以考虑在用户注册期间收集公司名称。
You may also consider federating their corporate IAM solutions like ADFS/AzureAD/Okta etc. with the B2C tenant.您还可以考虑将他们的公司 IAM 解决方案(如 ADFS/AzureAD/Okta 等)与 B2C 租户联合起来。 If you choose to go with this option, you can use this custom policy sample to implement Home Realm Discovery, which will redirect the customers to their respective IDPs for authentication, based on the domain name in their email suffix.如果您选择带有此选项的 go,您可以使用此自定义策略示例来实施 Home Realm Discovery,这将根据客户 email 后缀中的域名将客户重定向到其各自的 IDP 进行身份验证。
For the Dev and Prod environments, choose to go with separate tenants because if same tenant is used, the backend directory will be same regardless of which environment users are signing-up/signining-in for.对于 Dev 和 Prod 环境,选择具有单独租户的 go,因为如果使用相同的租户,无论用户注册/登录哪个环境,后端目录都将相同。 Any testing or customization should not impact the prod directory.任何测试或定制都不应影响 prod 目录。 So, having different tenants for testing and production will be a safe choice.因此,拥有不同的测试和生产租户将是一个安全的选择。
解决方案2
0 2021-08-19 20:53:12
Have different tenants.有不同的租户。
This enforces separation and makes it easier to apply different conditional access policies, different IDP without having to jump through hoops, different MFA flows, different extension attributes etc.这加强了分离,并使其更容易应用不同的条件访问策略、不同的 IDP 而不必跳过箍、不同的 MFA 流、不同的扩展属性等。
It's much cleaner.它更干净。
If something goes wrong, you only lose one tenant.如果出现问题,您只会失去一名租户。
In terms of management, you can use DevOps .在管理方面,可以使用DevOps 。
Definitely, different Test, UAT tenants etc.当然,不同的测试、UAT 租户等。
Again, deploying faulty code to Test won't affect Production.同样,将错误代码部署到测试不会影响生产。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.