
Identity providers

APPLIES TO: SDK v4

An identity provider authenticates user or client identities and issues consumable security tokens. It provides user authentication as a service.

Client applications, such as web applications, delegate authentication to a trusted identity provider. Such client applications are said to be federated, that is, they use federated identity.

Using a trusted identity provider:

  • Enables single sign-on (SSO) features, allowing an application to access multiple secured resources.
  • Facilitates connections between cloud computing resources and users, decreasing the need for users to re-authenticate.

Single sign-on

Single sign-on refers to an authentication process that permits a user to log on to a system once with a single set of credentials to access multiple applications or services.

A user logs in with a single ID and password to gain access to any of several related software systems. For more information, see Single sign on.

Many identity providers support a sign-out operation that revokes the user token and terminates access to the associated applications and services.

Important

SSO enhances usability by reducing the number of times a user must enter credentials. It also provides better security by decreasing the potential attack surface.

Azure Active Directory identity provider

Azure Active Directory (AD) is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows you to securely sign in users using industry standard protocols like OAuth 2.0.

You can choose from two AD identity provider implementations, which have different settings as shown below.

Note

You use the settings described here when configuring the OAuth Connection Settings in the Azure bot registration application. See Add authentication to a bot.

Azure AD v1

You use the settings shown to configure the Azure AD developer platform (v1.0), also known as the Azure AD v1 endpoint, which allows you to build apps that securely sign in users with a Microsoft work or school account. For more information, see Azure Active Directory for developers (v1.0) overview.

Property | Description | Value
--- | --- | ---
Name | The name of your connection | <Your name for the connection>
Service Provider | Azure AD identity provider | Azure Active Directory
Client ID | Azure AD identity provider app ID | <AAD provider app ID>
Client secret | Azure AD identity provider app secret | <AAD provider app secret>
Grant Type | | authorization_code
Login URL | | https://login.microsoftonline.com
Tenant ID | | <directory (tenant) ID> or common. See note.
Resource URL | | https://graph.microsoft.com/
Scopes | | 
Token Exchange URL | Used for SSO in Azure AD v2 | 

Note

  • Enter the tenant ID you recorded for the AAD identity provider app, if you selected one of the following:

    • Accounts in this organizational directory only (Microsoft only - Single tenant)

    • Accounts in any organizational directory (Microsoft AAD directory - Multi tenant)

  • Enter common if you selected Accounts in any organizational directory (Any AAD directory - Multi tenant and personal Microsoft accounts e.g. Skype, Xbox, Outlook.com). Otherwise, the AAD identity provider app will verify through the tenant whose ID was selected and exclude personal MS accounts.

See also

Other identity providers

Azure supports several identity providers. You can get a complete list, along with the related details, by running this Azure console command:

az bot authsetting list-providers

You can also see the list of these providers in the Azure portal, when you define the OAuth connection settings for a bot registration app.

(Figure: list of Azure identity providers shown in the portal)

OAuth generic providers

Azure supports generic OAuth2, which allows you to use your own identity providers.

You can choose from two generic identity provider implementations, which have different settings as shown below.

Note

You use the settings described here when configuring the OAuth Connection Settings in the Azure bot registration application.

Generic OAuth 2

Use this provider to configure any generic OAuth2 identity provider that has similar expectations to the Azure AD provider, particularly AD v2. You have a limited number of properties because the query strings and request body payloads are fixed. In the values you enter, the parameters passed to the various URIs, query strings, and bodies appear as placeholders in curly braces {}.

Property | Description | Value
--- | --- | ---
Name | The name of your connection | <Your name for the connection>
Service Provider | Identity provider | From the drop-down list, select Generic Oauth 2
Client ID | Identity provider app ID | <provider ID>
Client secret | Identity provider app secret | <provider secret>
Authorization URL | | https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Authorization URL Query String | | ?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}
Token URL | | https://login.microsoftonline.com/common/oauth2/v2.0/token
Token Body | Body to send for the token exchange | code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret}
Refresh URL | | https://login.microsoftonline.com/common/oauth2/v2.0/token
Refresh Body Template | Body to send with the token refresh | refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}
Scopes | Comma separated list of the API permissions you granted earlier to the Azure AD authentication app | Values such as openid profile Mail.Read Mail.Send User.Read User.ReadBasic.All
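The following is an added example, not code from this page or from the Bot Framework, showing how the curly-brace templates in the table above are filled in: it builds the authorization redirect, checks that the `state` value came back unchanged before trusting the returned `code`, and renders the token and refresh bodies so the client secret travels only in the POST body. The client ID, secret, redirect URL and callback values are constructed placeholders.

```python
import secrets
import urllib.parse

# Templates copied from the Generic OAuth 2 connection settings above.
AUTH_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
AUTH_QUERY = ("?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}"
              "&scope={Scopes}&state={State}")
TOKEN_BODY = ("code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}"
              "&client_id={ClientId}&client_secret={ClientSecret}")
REFRESH_BODY = ("refresh_token={RefreshToken}&redirect_uri={RedirectUrl}"
                "&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}")


def render(template, params):
    """Replace every {Name} placeholder with its URL-encoded value.

    str.format raises KeyError if a placeholder has no value, so a
    half-filled request is never sent.
    """
    encoded = {k: urllib.parse.quote(str(v), safe="") for k, v in params.items()}
    return template.format(**encoded)


def new_state():
    """Unguessable per-login state value that ties the callback to this request."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_url, scopes, state):
    return AUTH_URL + render(AUTH_QUERY, {"ClientId": client_id, "RedirectUrl": redirect_url,
                                          "Scopes": scopes, "State": state})


def parse_callback(callback_url, expected_state):
    """Return the authorization code only if the state round-tripped intact."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time compare; a missing or different state means the callback
    # was not started by this session (CSRF or a mixed-up login) and is rejected.
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not issued for this login")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_body(code, client_id, client_secret, redirect_url):
    return render(TOKEN_BODY, {"Code": code, "ClientId": client_id,
                               "ClientSecret": client_secret, "RedirectUrl": redirect_url})


def refresh_request_body(refresh_token, client_id, client_secret, redirect_url):
    return render(REFRESH_BODY, {"RefreshToken": refresh_token, "ClientId": client_id,
                                 "ClientSecret": client_secret, "RedirectUrl": redirect_url})
```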