数千个应用,一个标识Thousands of apps, one identity

通过为可访问云和本地资源的服务型软件 (SaaS) 应用程序的用户提供通用标识,Azure Active Directory (Azure AD) 使用户的工作效率更高。Azure Active Directory (Azure AD) makes your users more productive by providing a common identity for users of software as a service (SaaS) applications accessing both cloud and on-premises resources.

Azure AD 与当前许多受欢迎的 SaaS 应用程序集成,如 Box、Twitter、ServiceNow、DocuSign 和 Workday 等。Azure AD integrates with many of today’s popular SaaS applications such as, Box, Twitter, ServiceNow, DocuSign, Workday, and many more. 它支持单一登录 (SSO) 身份验证、标识,以及通过任何设备以安全可靠的方式对应用程序进行安全访问管理。It supports single sign-on (SSO) authentication, identity, and secures access management to applications from any device in a secured and reliable way.

企业移动性 + 安全性可提供哪些帮助?How can Enterprise Mobility + Security help you?

企业移动性 + 安全性 (EMS) 是一个不仅从设备自身本机保护公司数据,还采用身份、设备、应用和数据这四个保护层提供更多保护的综合云解决方案。Enterprise Mobility + Security (EMS) is the only comprehensive cloud solution that natively protects corporate data on the device itself and beyond with four layers of protection across identities, devices, apps, and data. EMS 可帮助解决移动优先、云优先世界中的一个重大难题 - 提供适用于行业中任何基于 Web 的应用的单一标识:EMS helps you solve one of the key challenges in the mobile-first, cloud-first world – provide a single identity that works across any web-based apps in the industry:

  • 连接云的无缝身份验证体验Cloud-connected seamless authentication experience
  • 单一登录到 1000 个预先集成的应用或自己的应用Single sign-on to 1000 pre-integrated apps or your own apps
  • 对本地应用进行安全的远程访问Secure remote access to on-premises apps
  • 支持“提起并移动”到云Support to lift-and-shift to the cloud

Azure AD 是云标识和访问管理解决方案,它可与传统工具上的现有投资协作,使组织能够以安全高效的方式随处访问所需的任何内容。Azure AD is a cloud identity and access management solution that can provide organizations with access to everything they need from everywhere – in a secure and productive way – in collaboration with existing investments on traditional tools.

访问单一登录应用程序Access to single sign-on applications

在单一登录之前,IT 管理员必须管理组织拥有的所有不同应用程序的用户和密码,以支持:Before single sign-on, IT admins had to manage different users and passwords for all different applications that organizations had to support:

  • 用户在使用的每个应用中输入用户名和密码Users enter a username and password into each app they use
  • 用户管理过多密码Users manage too many passwords
  • 密码重用很常见Password re-use is common
  • 撤消访问很困难Revoking access is very difficult

根据最新调查,63% 的已确认的数据破坏与密码强度弱、使用默认密码或密码被盗相关。According to recent research, 63% of confirmed data breaches involved weak, default, or stolen passwords.

单一登录使用户只需使用单个用户帐户登录一次,就能访问进行业务所需的全部应用程序和资源。Single sign-on lets users access all the applications and resources they need to do business by signing in only once using a single user account. 登录之后,用户可以访问全部所需的应用程序,而无需再次进行身份验证(例如键入密码)。Once signed in, users can access all the applications they need without being required to authenticate (e.g. type a password) a second time.

Azure AD 支持三种单一登录身份验证:Azure AD supports three types of single sign-on authentication:

  • Microsoft Azure AD 单一登录: 此选项使用联合登录,允许用户使用 Azure AD 的用户帐户信息自动登录到第三方应用程序,例如 Salesforce。Microsoft Azure AD Single Sign-on: This option uses federated sign on to let users automatically sign in to the third-party applications, such as Salesforce, using the user account information from Azure AD.
  • 密码单一登录: 此选项使用户能够使用第三方用户帐户信息通过 Azure AD 自动登录到第三方 SaaS 应用程序。Password Single Sign-On: This option enables users to be automatically signed in to the third-party SaaS application by Azure AD using the third-party user account information.
  • 现有单一登录: 此选项支持使用 Active Directory 联合身份验证服务 (ADFS) 或其他第三方单一登录提供程序单一登录到第三方 SaaS 公司。Existing Single Sign-on: This option supports single sign-on to third-party SaaS companies using Active Directory Federation Services (ADFS), or another third-party single sign-on provider.

单一登录的工作原理How single sign-on works

Azure AD 支持使用支持任何以下标准协议的应用进行单一登录:Azure AD supports single sign-on with apps that support any of these standard protocols:

  • SAML 2.0SAML 2.0
  • OAuth 2.0 / OpenID ConnectOAuth 2.0 / OpenID Connect
  • WS 联合身份验证WS-Federation

一个应用程序配置为将 Azure AD 用作标识提供程序。An application gets configured to use Azure AD as its identity provider. 配置后,应用程序不再需要直接输入用户名/密码,而是重定向到标识提供程序进行身份验证:Once configured, the app no longer requires direct username/password input, and instead redirects to the identity provider for authentication:

图示:Azure AD 和不同应用程序之间建立的信任关系。

是否仍需要 Azure Active Directory 联合身份验证服务 (ADFS)?Do I still need Azure Active Directory Federation Services (ADFS)?

是。Yes. ADFS 连接到 Azure AD 使用户可从加入域的计算机上进行无缝单一登录:One ADFS connection to Azure AD gives you seamless single sign-on from domain joined machines:

  • 用户不会看到任何基于 Web 的登录页Users see no web-based sign-in page
  • 单独的应用程序信任通过 Azure AD 进行管理Individual application trusts are managed in Azure AD

图示:Azure Active Directory 联合身份验证服务如何连接到 Azure AD 以提供到多个应用程序的无缝单一登录。

应用不支持联合单一登录怎么办?What if an app doesn’t support federated single sign-on?

对于不支持 SAML/OpenID 而仅支持在 Web 窗体中输入用户名和密码的应用来说,基于密码的 SSO 是最佳解决方案。Password-Based SSO is the best solution for apps that don’t support SAML/OpenID and only support entering usernames and passwords in a web form.

  • 启用将在 Azure AD 中定义并存储的特定于应用程序的凭据集Enables application-specific sets of credentials to be defined and stored in Azure AD
  • 可向用户或组分配凭据以实现共享访问Credentials can be assigned to users or groups for shared access

用户帐户设置User account provisioning

用户帐户设置是指在应用程序的本地用户配置文件存储中创建、更新和/或禁用用户帐户记录的操作。User account provisioning is the act of creating, updating, and/or disabling user account records in an application’s local user profile store. 大多数 SaaS 应用在其自己的本地用户配置文件存储中存储用户的角色和权限。Most SaaS apps store the user’s role and permissions in their own local user profile store.

Azure AD 配置服务连接到按应用提供的 soap/rest 用户管理 API,可以添加、更新和禁用用户帐户。Azure AD provisioning service connects to a soap/rest user management API provided on a per app basis, which adds, updates, and disables user accounts. 它支持组同步,还可将配置文件/角色从应用导入到 Azure AD。It supports group syncing, and profiles/roles can also be imported from the app into Azure AD.

图示:Azure AD 配置服务如何连接到 soap/rest 用户管理 API。

最终用户体验The end-user experience

应用程序访问面板是跨设备和跨浏览器的门户,可通过 iOS、Android、Mac 和 Windows 进行访问。The Applications Access Panel is a cross-device and cross-browser portal, accessible using iOS, Android, Mac, and Windows. 若要访问“访问面板”,用户可向 Azure AD 进行身份验证,然后会看到自己具有访问权限的应用程序列表,只需在其中单击一下便可启动相应的应用。To reach the Access Panel, users authenticate against Azure AD once, then see the list of Applications they have access to, and can launch the app with just a click from there. 如果管理员已针对 SSO 配置应用程序,用户无需重新进行身份验证便可访问该应用程序:单一登录将自动处理身份验证。If the application was configured for SSO by the administrator, the users don’t need to re-authenticate to access the application: single sign-on will take care of the authentication automatically.

可引入自己的应用Bring your own apps

Azure AD 应用程序库包含成千上万款可添加到组织的应用,但如果找不到第三方应用程序,仍可将该应用添加为自定义应用,以供组织使用。Azure AD application gallery features thousands of applications that you can add to your organization, but if you cannot find a third-party application, you can add still add it as a custom app for your organization to use.

用户可以载入任何基于 Web 并具有基于用户名和密码的身份验证机制的应用程序,无需考虑其是否在 Azure 应用程序库中列出。You can onboard just about any web-based application that has a user name and password based authentication mechanism, whether they are listed in the Azure application gallery or not.

屏幕截图,显示如何使用 Azure AD 应用程序库为组织添加应用程序。

对本地应用进行安全的远程访问Secure remote access to on-premises apps

Azure AD 应用程序代理提供用于本地托管的 Web 应用程序的单一登录 (SSO) 和安全远程访问。Azure AD Application Proxy provides single sign-on (SSO) and secure remote access for web applications hosted on-premises. 其中包括 SharePoint 站点、Outlook Web Access 或任何其他 LOB Web 应用程序。This can include SharePoint sites, Outlook Web Access, or any other LOB web applications you have. 这些本地 Web 应用程序与 O365 所使用的标识和控制平台 Azure AD 集成。These on-premises web applications are integrated with Azure AD, the same identity and control platform that is used by O365.

然后最终用户便可以访问本地应用程序(与访问 O365 和其他与 Azure AD 集成的 SaaS 应用程序的方式相同),而无需使用 VPN 或更改网络基础结构。End users can then access your on-premises applications the same way they access O365 and other SaaS apps integrated with Azure AD, without the need for a VPN or for changing the network infrastructure.

实现本解决方案的方式How to implement this solution

以下步骤介绍之前讨论的实现每个 Azure AD 功能的方法。The following steps describe how to implement each Azure AD capability previously discussed. 每个链接表示一组不同的文章,其中包含要在组织中实现的一组不同的说明/步骤:Each link represents a different set of articles with a different set of instructions/steps to be implemented in your organization:

  1. 使用应用程序代理启用单一登录。Enable single sign-on with application proxy.
  2. 提供对本地应用程序的安全远程访问。Provide secure remote access to on-premises applications.
  3. 将自己的应用引入 Azure AD。Bring your own apps to Azure AD.

其他资源Additional resources