
List your application in the Azure Active Directory application gallery

Important

Microsoft identity platform (v2.0) is an evolution of the Azure Active Directory (Azure AD) developer platform (v1.0). It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs such as Microsoft Graph, or APIs that developers have built. This content is for the older Azure AD v1.0 endpoint. We recommend that you use the v2.0 endpoint for new projects. For more information, read Why update to Microsoft identity platform (v2.0)? and Microsoft identity platform limitations.

This article shows how to list an application in the Azure Active Directory (Azure AD) application gallery, implement single sign-on (SSO), and manage the listing. Listing in the gallery has these benefits:

  • Customers get the best possible single sign-on experience.
  • Configuration of the application is simple and minimal.
  • A quick search finds your application in the gallery.
  • Free, Basic, and Premium Azure AD customers can all use this integration.
  • Mutual customers get a step-by-step configuration tutorial.
  • Customers who use the System for Cross-domain Identity Management (SCIM) can use provisioning for the same app.

Prerequisites

  • For federated applications (OpenID Connect and SAML/WS-Fed), the application must support the software-as-a-service (SaaS) model to be listed in the Azure AD app gallery. Enterprise gallery applications must support multiple customer configurations rather than one specific customer.
  • For OpenID Connect, the application must be multitenant and must correctly implement the Azure AD consent framework. The user sends the sign-in request to the common endpoint so that any customer can grant consent to the application. You control user access based on the tenant ID and the user's UPN received in the token.
  • For SAML 2.0/WS-Fed, your application must be able to do the SAML/WS-Fed SSO integration in SP or IDP mode. Make sure this capability works correctly before you submit the request.
  • For password SSO, make sure that your application supports form-based authentication so that password vaulting can be used to make single sign-on work as expected.
  • You need a permanent account for testing, with at least two users registered.
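The tenant-ID and UPN check described in the OpenID Connect prerequisite above, as an added example that is not code from this page or from Microsoft. It assumes the OpenID Connect middleware has already verified the token signature (this code only parses and authorizes an already-validated v1.0 token), and the tenant IDs and UPN domain it uses are constructed placeholders.

```python
import base64
import json

# Hypothetical tenants onboarded by this multitenant app (constructed values).
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
# Hypothetical UPN domains allowed to sign in (constructed values).
ALLOWED_UPN_DOMAINS = {"contoso.example"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT whose signature was ALREADY verified
    by the OpenID Connect middleware. This function does not verify anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize(claims: dict) -> tuple:
    """Per-tenant access control that the common endpoint does not do for you.
    A v1.0 token issued via the common endpoint carries the issuing tenant in
    "tid" and an issuer of the form https://sts.windows.net/{tid}/."""
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    upn = claims.get("upn", "")
    if not tid or tid not in ALLOWED_TENANTS:
        return False, "tenant not onboarded"
    # The issuer must agree with the tenant the token claims to come from.
    if iss != f"https://sts.windows.net/{tid}/":
        return False, "issuer does not match tid"
    domain = upn.rpartition("@")[2].lower()
    if not domain or domain not in ALLOWED_UPN_DOMAINS:
        return False, "upn domain not allowed"
    return True, upn


def constructed_token(claims: dict) -> str:
    """Build a constructed test fixture (header + payload, empty signature).
    It is only ever parsed, never verified, so it stands in for a real token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."
```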

How to get Azure AD for developers

You can get a free test account with all the premium Azure AD features. It is free for 90 days and can be extended as long as you do development work with it: https://docs.microsoft.com/office/developer-program/office-365-developer-program

Submit the request in the portal

After you've tested that your application integration works with Azure AD, submit your application request in the Microsoft Application Network portal.

If the following page appears after you sign in, contact the Azure AD SSO Integration Team. Provide the email account that you want to use for submitting the request. A business email address such as name@yourbusiness.com is preferred. The Azure AD team will add the account in the Microsoft Application Network portal.

[Screenshot: Access request message on the SharePoint portal]

After the account is added, you can sign in to the Microsoft Application Network portal.

If the following page appears after you sign in, provide a business justification for needing access in the text box. Then select Request Access.

[Screenshot: Business justification box on the SharePoint portal]

Our team reviews the details and grants you access accordingly. After your request is approved, you can sign in to the portal and submit the request by selecting the Submit Request (ISV) tile on the home page.

[Screenshot: Submit Request (ISV) tile on the home page]

Issues with signing in to the portal

If you see this error while signing in, here are the details on the issue and how you can fix it.

  • If your sign-in was blocked as shown below:

    [Screenshot: Sign-in blocked error for the application gallery portal]

What's happening:

The guest user is federated to a home tenant that is also Azure AD, and the guest user is at High risk. Microsoft doesn't allow High risk users to access its resources. All High risk users (employees or guests/vendors) must remediate or close their risk before they can access Microsoft resources. For guest users, the user risk comes from the home tenant and the policy comes from the resource tenant (Microsoft in this case).

Secure solutions:

  • MFA-registered guest users remediate their own user risk. The guest user does this by performing a secured password change or reset (https://aka.ms/sspr) at their home tenant (this requires MFA and SSPR at the home tenant). The secured password change or reset must be initiated in Azure AD, not on-premises.

  • Guest users have their admins remediate their risk. In this case, the admin performs a password reset (temporary password generation). This does not need Identity Protection. The guest user's admin can go to https://aka.ms/RiskyUsers and click 'Reset password'.

  • Guest users have their admins close or dismiss their risk. Again, this does not need Identity Protection. The admin can go to https://aka.ms/RiskyUsers and click 'Dismiss user risk'. However, the admin must do the due diligence to confirm that the risk assessment was a false positive before closing the user risk. Otherwise, they put their own and Microsoft's resources at risk by suppressing a risk assessment without investigation.

Note

If you have any issues with access, contact the Azure AD SSO Integration Team.

Implement SSO by using the federation protocol

To list an application in the Azure AD app gallery, you first need to implement one of the following federation protocols supported by Azure AD. You also need to agree to the Azure AD application gallery terms and conditions. Read the terms and conditions of the Azure AD application gallery on this website.

  • OpenID Connect: To integrate your application with Azure AD by using the OpenID Connect protocol, follow the developers' instructions.

    [Screenshot: List an OpenID Connect application in the gallery]

    • If you want to add your application to the gallery by using OpenID Connect, select OpenID Connect & OAuth 2.0 as shown.
    • If you have any issues with access, contact the Azure AD SSO Integration Team.
  • SAML 2.0 or WS-Fed: If your app supports SAML 2.0, you can integrate it directly with an Azure AD tenant by following the instructions to add a custom application.

    [Screenshot: List a SAML 2.0 or WS-Fed application in the gallery]

    • If you want to add your application to the gallery by using SAML 2.0 or WS-Fed, select SAML 2.0/WS-Fed as shown.

    • If you have any issues with access, contact the Azure AD SSO Integration Team.

Implement SSO by using password SSO

Create a web application that has an HTML sign-in page to configure password-based single sign-on. Password-based SSO, also referred to as password vaulting, enables you to manage user access and passwords for web applications that don't support identity federation. It's also useful for scenarios in which several users need to share a single account, such as your organization's social media app accounts.

[Screenshot: List a password SSO application in the gallery]

  • If you want to add your application to the gallery by using password SSO, select Password SSO as shown.
  • If you have any issues with access, contact the Azure AD SSO Integration Team.

Request user provisioning

Follow the process shown in the following image to request user provisioning.

[Screenshot: User provisioning request flow]

Update or remove an existing listing

To update or remove an existing application in the Azure AD app gallery, you first need to submit the request in the Application Network portal. If you have an Office 365 account, use it to sign in to this portal. If not, sign in with your Microsoft account, such as Outlook or Hotmail.

  • Select the appropriate option as shown in the following image.

    [Screenshot: Update or remove an existing application listing]

    • To update an existing application, select the option that matches your requirement.
    • To remove an existing application from the Azure AD app gallery, select Remove my application listing from the gallery.
    • If you have any issues with access, contact the Azure AD SSO Integration Team.

List requests by customers

Customers can submit a request to list an application by selecting App requests by Customers > Submit new request.

[Screenshot: App requests by Customers tile]

Here's the flow for customer-requested applications.

[Screenshot: Flow for customer-requested apps]

Timelines

The timeline for listing a SAML 2.0 or WS-Fed application in the gallery is 7 to 10 business days.

[Screenshot: Timeline for listing a SAML application in the gallery]

The timeline for listing an OpenID Connect application in the gallery is 2 to 5 business days.

[Screenshot: Timeline for listing an OpenID Connect application in the gallery]

Escalations

For any escalations, send email to the Azure AD SSO Integration Team at SaaSApplicationIntegrations@service.microsoft.com, and we'll respond as soon as possible.