
Forcing Azure AD login prompt for SAML

I am using the Google Cloud connector application in Azure so that my organisation can log in to their auto-provisioned G Suite accounts with their Azure AD account.

An inconvenience of this setup is that it is now basically impossible to sign in to multiple G Suite accounts because there's this login loop - whenever you try to sign in to a different Azure AD account on the G Suite login page it automatically signs you in with the currently logged-in AAD account and does not prompt you if you want to use another account, etc.

Demo of what this sort of behaviour looks like - https://www.awesomescreenshot.com/video/2388498?key=4e3527ba1445fdd0c28fefebeca8ef6a (not my video, but the exact same issue)

Is there a way to trigger the AAD account selection prompt or force reauthentication somehow? Supplying a login hint would work, but G Suite doesn't autopopulate that when it sends the SAML request, and using prompt=force doesn't seem to be working either.
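Added example, not part of the question or the answer: a small Python inspector that decodes the SAMLRequest carried in an HTTP-Redirect binding URL and reports the fields that decide whether the IdP may silently reuse its existing session (ForceAuthn, IsPassive, and a Subject NameID, which is the SAML counterpart of a login hint). This is how one can check what the SP actually sends before debugging the IdP side. The IdP endpoint, issuer and NameID values are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnRequests (not captured traffic). The first has the shape the
# question describes: no ForceAuthn and no Subject, so the IdP may reuse its session.
PLAIN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2023-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
</samlp:AuthnRequest>"""
# The second carries ForceAuthn and a NameID hint, so the inspector handles both cases.
HINTED_REQUEST = PLAIN_REQUEST.replace(
    'Version="2.0"', 'Version="2.0" ForceAuthn="true"').replace(
    "</saml:Issuer>", "</saml:Issuer><saml:Subject><saml:NameID>"
    "alice@example.com</saml:NameID></saml:Subject>")

def encode_redirect_binding(authn_request_xml: str) -> str:
    """Raw DEFLATE then base64, as the SAML HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(authn_request_xml.encode()) + comp.flush()).decode()

def build_sso_url(idp_sso_endpoint: str, authn_request_xml: str) -> str:
    """URL the SP redirects the browser to; SAMLRequest rides in the query string."""
    return idp_sso_endpoint + "?" + urlencode({"SAMLRequest": encode_redirect_binding(authn_request_xml)})

def inspect_saml_request(sso_url: str) -> dict:
    """Decode SAMLRequest from a redirect URL and report the fields that decide
    whether the IdP is allowed to silently reuse its existing session."""
    qs = parse_qs(urlparse(sso_url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "force_authn": root.get("ForceAuthn", "false").lower() == "true",
        "is_passive": root.get("IsPassive", "false").lower() == "true",
        "login_hint": name_id.text if name_id is not None else None,
    }

if __name__ == "__main__":
    endpoint = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"  # placeholder
    for request_xml in (PLAIN_REQUEST, HINTED_REQUEST):
        print(inspect_saml_request(build_sso_url(endpoint, request_xml)))
```

Paste a real redirect URL captured from the browser's network tab into inspect_saml_request to see whether the SP set ForceAuthn or a NameID at all; if neither is present, the IdP has nothing in the request telling it to re-prompt.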

• Your issue is a result of the access token being cached while logging in to the Google workspace using Azure AD identities, as they use MSAL for authentication purposes. Thus, when login is successful for a user account, the access token is cached in the browser storage.

• As the access token is cached in the browser storage, it first calls the 'AcquireTokenSilent' method to verify whether an acceptable token is in the cache or not, due to which, when a new tab or window is opened, the same token is used for logging in to the platform and thus the same account is logged in to the platform even though you enter the credentials for another account.

• Please find the diagram below for the detailed token authorization flow:

[Diagram: token authorization flow]

• You can try clearing the cache and cookies of the browser when logging in to the Google workspace with another account. Also, you can open a window in incognito mode to log in to the Google workspace with another account simultaneously, as the access token will be generated afresh for that account login in the browser storage, since attempting to silently get a token will acquire another token with more scopes based on a token in the cache.

• Thus, please refer to the links below for more information on this scenario:

https://learn.microsoft.com/en-us/azure/active-directory/develop/msal.net-clear-token-cache

https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-acquire-cache-tokens
