Automate SAML-based SSO app configuration with Microsoft Graph API

In this article, you'll learn how to create and configure an application from the Azure Active Directory (Azure AD) Gallery. This article uses AWS as an example, but you can use the steps in this article for any SAML-based app in the Azure AD Gallery.

使用 Microsoft Graph API 来自动配置基于 SAML 的单一登录的步骤Steps to use Microsoft Graph APIs to automate configuration of SAML-based single sign-on

Step 1. Create the gallery application
  • Sign in to the API client
  • Retrieve the gallery application
  • Create the gallery application
Step 2. Configure single sign-on
  • Retrieve app object ID and service principal object ID
  • Set single sign-on mode
  • Set basic SAML URLs such as identifier, reply URL, sign-on URL
  • Add app roles (optional)
Step 3. Configure claims mapping
  • Create claims mapping policy
  • Assign claims mapping policy to service principal
Step 4. Configure signing certificate
  • Create a certificate
  • Add a custom signing key
  • Activate the custom signing key
Step 5. Assign users
  • Assign users and groups to the application
Step 6. Configure the application side
  • Get Azure AD SAML metadata

List of all APIs used in the article

Make sure you have the corresponding permissions to call the following APIs.

Resource type: applicationTemplate
  • List applicationTemplate
  • Instantiate applicationTemplate
Resource type: servicePrincipals
  • Update servicePrincipal
  • Create appRoleAssignments
  • Assign claimsMappingPolicies
Resource type: applications
  • Update application
Resource type: claimsMappingPolicy
  • Create claimsMappingPolicy

Note

The response objects shown in this article might be shortened for readability. All the properties will be returned from an actual call.

Step 1: Create the gallery application

Sign in to the API client

  1. Start Microsoft Graph Explorer.
  2. Select Sign-In with Microsoft and sign in using Azure AD global administrator or App Admin credentials.
  3. Upon successful sign-in, you'll see the user account details in the left-hand pane.

Retrieve the gallery application

Applications in the Azure AD application gallery each have an application template that describes the metadata for that application. Using this template, you can create an instance of the application and service principal in your tenant for management.

Request

GET https://graph.microsoft.com/beta/applicationTemplates

Response

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "id": "8b1025e4-1dd2-430b-a150-2ef79cd700f5",
      "displayName": "Amazon Web Services (AWS)",
      "homePageUrl": "http://aws.amazon.com/",
      "supportedSingleSignOnModes": [
        "password",
        "saml",
        "external"
      ],
      "supportedProvisioningTypes": [
        "sync"
      ],
      "logoUrl": "https://az495088.vo.msecnd.net/app-logo/aws_215.png",
      "categories": [
        "developerServices"
      ],
      "publisher": "Amazon",
      "description": null
    }
  ]
}

Create the gallery application

Using the template ID that you retrieved for your application in the last step, create an instance of the application and service principal in your tenant.

Note

You can use the applicationTemplate API to instantiate non-gallery apps. Use applicationTemplateId 8adf8e6e-67b2-4cf2-a259-e3dc5476c621.

Note

Allow some time for the app to be provisioned into your Azure AD tenant. It is not instant. One strategy is to do a GET query on the application / service principal object every 5-10 seconds until the query is successful.

Request

POST https://graph.microsoft.com/beta/applicationTemplates/8b1025e4-1dd2-430b-a150-2ef79cd700f5/instantiate
Content-type: application/json

{
  "displayName": "AWS Contoso"
}

Response

HTTP/1.1 201 Created
Content-type: application/json

{
    "application": {
        "objectId": "cbc071a6-0fa5-4859-8g55-e983ef63df63",
        "appId": "92653dd4-aa3a-3323-80cf-e8cfefcc8d5d",
        "applicationTemplateId": "8b1025e4-1dd2-430b-a150-2ef79cd700f5",
        "displayName": "AWS Contoso",
        "homepage": "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z",
        "replyUrls": [
            "https://signin.aws.amazon.com/saml"
        ],
        "logoutUrl": null,
        "samlMetadataUrl": null
    },
    "servicePrincipal": {
        "objectId": "f47a6776-bca7-4f2e-bc6c-eec59d058e3e",
        "appDisplayName": "AWS Contoso",
        "applicationTemplateId": "8b1025e4-1dd2-430b-a150-2ef79cd700f5",
        "appRoleAssignmentRequired": true,
        "displayName": "My custom name",
        "homepage": "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z",
        "replyUrls": [
            "https://signin.aws.amazon.com/saml"
        ],
        "servicePrincipalNames": [
            "93653dd4-aa3a-4323-80cf-e8cfefcc8d7d"
        ],
        "tags": [
            "WindowsAzureActiveDirectoryIntegratedApp"
        ]
    }
}
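The note above says provisioning is not instant and suggests polling the new object every 5-10 seconds. The following Python helper implements that loop; it is an added example, not code from the article. The `fetch` callable stands for an authenticated GET against the object's URL that returns the HTTP status code (the token acquisition and HTTP client around it are assumed), which is why the loop only retries on 404 and fails fast on anything else, such as a 401/403 caused by a bad token or missing permission.

```python
"""Poll Microsoft Graph until a freshly instantiated object becomes readable.

Added example, not code from the original article. `fetch` stands for an
authenticated GET against the object's URL and returns the HTTP status code;
the HTTP client and token handling behind it are assumed.
"""
import time

GRAPH = "https://graph.microsoft.com/beta"


def service_principal_url(object_id):
    """URL of the servicePrincipal returned by the instantiate call."""
    return f"{GRAPH}/servicePrincipals/{object_id}"


def wait_for_object(fetch, interval=5.0, timeout=120.0,
                    sleep=time.sleep, clock=time.monotonic):
    """Call fetch() every `interval` seconds until it returns 200.

    Returns the number of attempts made. 404 means "not provisioned yet" and
    is retried. Any other non-200 status (for example 401/403, a token or
    permission problem) is raised at once, because repeating the same request
    will not fix it. TimeoutError is raised when `timeout` seconds pass
    without a 200. `sleep` and `clock` are injectable so the loop can be
    exercised offline.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        status = fetch()
        if status == 200:
            return attempts
        if status != 404:
            raise RuntimeError(f"GET returned {status}; not retrying")
        if clock() >= deadline:
            raise TimeoutError(f"object not readable after {timeout:.0f}s")
        sleep(interval)
```

In a real run you would pass something like `lambda: session.get(service_principal_url(sp_object_id), headers=auth).status_code` as `fetch` and leave `sleep` and `clock` at their defaults.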

Step 2: Configure single sign-on

Retrieve app object ID and service principal object ID

Use the response from the previous call to retrieve and save the application object ID and service principal object ID.

"application": {
        "objectId": "cbc071a6-0fa5-4859-8g55-e983ef63df63"
}
"servicePrincipal": {
        "objectId": "f47a6776-bca7-4f2e-bc6c-eec59d058e3e"
}

Set single sign-on mode

In this example, you'll set saml as the single sign-on mode in the servicePrincipal resource type. Other SAML SSO properties that you can configure are: notificationEmailAddresses, loginUrl, and samlSingleSignOnSettings.relayState.

Before this query will work you need to provide consent on the Modify permissions tab in Graph Explorer. Also, make sure you are using the servicePrincipal ID that you obtained earlier.

Request

PATCH https://graph.microsoft.com/beta/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e
Content-type: application/json

{
    "preferredSingleSignOnMode": "saml"
}

Response

HTTP/1.1 204

Set basic SAML URLs such as identifier, reply URL, sign-on URL

Set the identifier and reply URLs for AWS in the application object.

Make sure you are using the application object ID obtained earlier.

Request

PATCH https://graph.microsoft.com/beta/applications/cbc071a6-0fa5-4859-8g55-e983ef63df63
Content-type: application/json

{
    "web": {
        "redirectUris": [
            "https://signin.aws.amazon.com/saml"
        ] 
    },
    "identifierUris": [
        "https://signin.aws.amazon.com/saml"
    ]    
}

Response

HTTP/1.1 204

Add app roles (optional)

If the application requires the role information in the token, add the definition of the roles in the application object. For AWS, you can enable user provisioning to fetch all the roles from that AWS account.

For more information, see Configure the role claim issued in the SAML token.

Note

When adding app roles, don't modify the default app role msiam_access.

Request

PATCH https://graph.microsoft.com/beta/serviceprincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e
Content-type: application/json

{
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Admin,WAAD",
            "displayName": "Admin,WAAD",
            "id": "454dc4c2-8176-498e-99df-8c4efcde41ef",
            "isEnabled": true,
            "value": "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Finance,WAAD",
            "displayName": "Finance,WAAD",
            "id": "8642d5fa-18a3-4245-ab8c-a96000c1a217",
            "isEnabled": true,
            "value": "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"
        }
    ]
}

Response

HTTP/1.1 204
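Because the PATCH above replaces the whole appRoles collection, a typo in a role id or an accidental edit of msiam_access goes straight into the service principal. The following Python validator, an added example rather than code from the article, runs the article's own rules over the payload before it is sent: msiam_access must be exactly as shown, every id must be a canonical GUID with no duplicates, and each AWS role value must be the "roleArn,samlProviderArn" pair. SAMPLE_APP_ROLES is the article's request body; the ARN patterns are this example's assumption about the AWS role and SAML-provider ARN formats.

```python
"""Validate an appRoles payload before PATCHing it onto the service principal.

Added example, not code from the original article. SAMPLE_APP_ROLES is the
article's request body; ROLE_ARN / PROVIDER_ARN are this example's assumed
patterns for AWS IAM role and saml-provider ARNs.
"""
import re
import uuid

# Default role, exactly as the article shows it. It must not be modified.
MSIAM_ACCESS = {
    "allowedMemberTypes": ["User"],
    "description": "msiam_access",
    "displayName": "msiam_access",
    "id": "7dfd756e-8c27-4472-b2b7-38c17fc5de5e",
    "isEnabled": True,
    "origin": "Application",
    "value": None,
}

SAMPLE_APP_ROLES = [
    MSIAM_ACCESS,
    {
        "allowedMemberTypes": ["User"],
        "description": "Admin,WAAD",
        "displayName": "Admin,WAAD",
        "id": "454dc4c2-8176-498e-99df-8c4efcde41ef",
        "isEnabled": True,
        "value": "arn:aws:iam::212743507312:role/accountname-aws-admin,"
                 "arn:aws:iam::212743507312:saml-provider/WAAD",
    },
    {
        "allowedMemberTypes": ["User"],
        "description": "Finance,WAAD",
        "displayName": "Finance,WAAD",
        "id": "8642d5fa-18a3-4245-ab8c-a96000c1a217",
        "isEnabled": True,
        "value": "arn:aws:iam::212743507312:role/accountname-aws-finance,"
                 "arn:aws:iam::212743507312:saml-provider/WAAD",
    },
]

# Assumed ARN shapes: 12-digit account id, role name, saml-provider name.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")


def is_guid(value):
    """True only for a canonical hyphenated GUID (rejects a '8g55' group)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (AttributeError, TypeError, ValueError):
        return False


def validate_app_roles(app_roles):
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    seen = set()
    defaults = [r for r in app_roles if r.get("displayName") == "msiam_access"]
    if not defaults:
        problems.append("default role msiam_access is missing")
    elif any(r != MSIAM_ACCESS for r in defaults):
        problems.append("default role msiam_access was modified")
    for role in app_roles:
        name = role.get("displayName")
        rid = role.get("id")
        if not is_guid(rid):
            problems.append(f"role {name!r}: id {rid!r} is not a valid GUID")
        elif rid.lower() in seen:
            problems.append(f"role {name!r}: duplicate id {rid}")
        seen.add(str(rid).lower())
        if role in defaults:
            continue  # the default role carries no AWS value
        parts = (role.get("value") or "").split(",")
        if (len(parts) != 2 or not ROLE_ARN.match(parts[0])
                or not PROVIDER_ARN.match(parts[1])):
            problems.append(f"role {name!r}: value must be 'roleArn,samlProviderArn'")
    return problems
```

Run `validate_app_roles` on the list you are about to send and refuse to PATCH when it returns anything; because the request replaces the collection, fetch the current appRoles first and start from those rather than from an empty list.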

Step 3: Configure claims mapping

Create claims mapping policy

In addition to the basic claims, configure the following claims for Azure AD to emit in the SAML token:

Claim name: Source
  • https://aws.amazon.com/SAML/Attributes/Role: assignedroles
  • https://aws.amazon.com/SAML/Attributes/RoleSessionName: userprincipalname
  • https://aws.amazon.com/SAML/Attributes/SessionDuration: "900"
  • roles: assignedroles
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: userprincipalname

For more information, see Customize claims emitted in token.

Note

Some keys in the claims mapping policy are case sensitive (for example, "Version"). If you receive an error message such as "Property has an invalid value", it might be a case sensitivity issue.

Request

POST https://graph.microsoft.com/beta/policies/claimsMappingPolicies
Content-type: application/json

{
    "definition": [
        "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Source\":\"user\",\"ID\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
    ],
    "displayName": "AWS Claims Policy",
    "isOrganizationDefault": false
}

Response

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/claimsMappingPolicies/$entity",
    "id": "a7b19e62-9adb-4edb-8521-cd35305f095d",
    "deletedDateTime": null,
    "definition": [
        "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Source\":\"user\",\"ID\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
    ],
    "displayName": "AWS Claims Policy",
    "isOrganizationDefault": false
}
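The definition above is a JSON document embedded as a single string inside the `definition` array, and the note earlier warns that its keys are case sensitive. Hand-escaping that string is where most "Property has an invalid value" errors come from, so the following Python, an added example and not code from the article, builds the body from the article's claim list with `json.dumps` and then checks a body the way you would want a linter to before the POST: exactly one string in `definition`, valid JSON, no key that differs from the expected spelling only in case, `Version` as the integer 1, and `Source`/`ID`/`SamlClaimType` present on every entry.

```python
"""Build and sanity-check a claimsMappingPolicy request body.

Added example, not code from the original article. AWS_CLAIMS is the claim set
from the article's request; the check reproduces the constraints the article
describes (single JSON string in `definition`, case-sensitive keys).
"""
import json

# (Source, ID, SamlClaimType) for each claim the article emits for AWS.
AWS_CLAIMS = [
    ("user", "assignedroles", "https://aws.amazon.com/SAML/Attributes/Role"),
    ("user", "userprincipalname", "https://aws.amazon.com/SAML/Attributes/RoleSessionName"),
    ("user", "900", "https://aws.amazon.com/SAML/Attributes/SessionDuration"),
    ("user", "assignedroles", "appRoles"),
    ("user", "userprincipalname", "https://aws.amazon.com/SAML/Attributes/nameidentifier"),
]

CASE_SENSITIVE_KEYS = {"ClaimsMappingPolicy", "Version", "IncludeBasicClaimSet",
                       "ClaimsSchema", "Source", "ID", "SamlClaimType"}


def build_policy_body(display_name, claims, include_basic_claims=True):
    """Return the JSON body for POST /policies/claimsMappingPolicies."""
    schema = [{"Source": src, "ID": cid, "SamlClaimType": typ} for src, cid, typ in claims]
    policy = {"ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true" if include_basic_claims else "false",
        "ClaimsSchema": schema,
    }}
    return {
        # One element, and it is a string, not a nested object.
        "definition": [json.dumps(policy, separators=(",", ":"))],
        "displayName": display_name,
        "isOrganizationDefault": False,
    }


def parse_definition(body):
    """Decode the embedded policy string back into a dict."""
    return json.loads(body["definition"][0])


def check_policy_body(body):
    """Return problems that would make Graph reject the body; [] if none."""
    problems = []
    definition = body.get("definition") if isinstance(body, dict) else None
    if (not isinstance(definition, list) or len(definition) != 1
            or not isinstance(definition[0], str)):
        return ["definition must be a list containing exactly one JSON string"]
    try:
        policy = json.loads(definition[0])
    except json.JSONDecodeError as exc:
        return [f"definition is not valid JSON: {exc}"]

    def walk(node):  # flag keys that match an expected key except for case
        if isinstance(node, dict):
            for key, value in node.items():
                for expected in CASE_SENSITIVE_KEYS:
                    if key != expected and key.lower() == expected.lower():
                        problems.append(f"key {key!r} should be spelled {expected!r}")
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(policy)
    inner = policy.get("ClaimsMappingPolicy", {})
    if inner.get("Version") != 1:
        problems.append("Version must be the integer 1")
    for entry in inner.get("ClaimsSchema", []):
        for required in ("Source", "SamlClaimType"):
            if required not in entry:
                problems.append(f"claim entry {entry!r} lacks {required}")
        if entry.get("Source") == "user" and "ID" not in entry:
            problems.append(f"claim entry {entry!r} has Source 'user' but no ID")
    return problems
```

`build_policy_body("AWS Claims Policy", AWS_CLAIMS)` yields the same body as the article's request; run `check_policy_body` over any hand-edited policy before sending it.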

Assign claims mapping policy to service principal

Request

POST https://graph.microsoft.com/beta/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e/claimsMappingPolicies/$ref
Content-type: application/json

{
  "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/6b33aa8e-51f3-41a6-a0fd-d660d276197a"
}

Response

HTTP/1.1 204

Step 4: Configure signing certificate

Using the applicationTemplate API doesn't create a signing certificate by default. Create your custom signing certificate and assign it to the application.

Create a custom signing certificate

To test, you can use the following PowerShell command to get a self-signed certificate. You will then need to manipulate and pull the values you need manually using other tools. Use your company's security best practices to create a signing certificate for production.

Param(
    [Parameter(Mandatory=$true)]
    [string]$fqdn,
    [Parameter(Mandatory=$true)]
    [string]$pwd,
    # Output directory; defaults to the current directory when not supplied.
    [Parameter(Mandatory=$false)]
    [string]$location = "."
)

# Create a self-signed certificate in the current user's personal store.
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -DnsName $fqdn
$pwdSecure = ConvertTo-SecureString -String $pwd -Force -AsPlainText
$path = 'cert:\currentuser\my\' + $cert.Thumbprint
$cerFile = Join-Path $location ($fqdn + ".cer")
$pfxFile = Join-Path $location ($fqdn + ".pfx")

# Export the private key (password-protected PFX) and the public certificate (CER).
Export-PfxCertificate -Cert $path -FilePath $pfxFile -Password $pwdSecure
Export-Certificate -Cert $path -FilePath $cerFile

Alternatively, the following C# console app can be used as a proof of concept to understand how the required values can be obtained. Note that this code is for learning and reference only and should not be used as-is in production.

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

/* CONSOLE APP - PROOF OF CONCEPT CODE ONLY!!
 * This code uses a self signed certificate and should not be used
 * in production. This code is for reference and learning ONLY.
 */
namespace Self_signed_cert
{
    class Program
    {
        static void Main(string[] args)
        {
            // Generate a GUID to use as the PFX password and then create the cert.
            string password = Guid.NewGuid().ToString();
            var selfsignedCert = BuildSelfSignedServerCertificate(password);

            // Print values so we can copy and paste them into the JSON fields.
            // Private key: the password-protected PFX, base64 encoded (keyCredentials usage "Sign").
            Console.WriteLine("Private Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Pfx, password)), Environment.NewLine);

            // Validity window in ISO 8601 (UTC). NotBefore/NotAfter are used instead of parsing
            // GetEffectiveDateString()/GetExpirationDateString(), which is culture dependent.
            DateTime startDate = selfsignedCert.NotBefore.ToUniversalTime();
            Console.WriteLine("For All startDateTime: " + startDate.ToString("o"));

            DateTime endDate = selfsignedCert.NotAfter.ToUniversalTime();
            Console.WriteLine("For All endDateTime: " + endDate.ToString("o"));

            // GUIDs used as keyId. The "Sign" keyCredential and the passwordCredential share one keyId.
            string signAndPasswordGuid = Guid.NewGuid().ToString();
            string verifyGuid = Guid.NewGuid().ToString();
            Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Sign and passwordCredentials: " + signAndPasswordGuid);
            Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Verify: " + verifyGuid);

            // Print out the password (passwordCredentials.secretText).
            Console.WriteLine("Password is: {0}", password);

            // Print out a displayName to use as an example.
            Console.WriteLine("displayName to use: CN=Example");
            Console.WriteLine();

            // Public key: the DER-encoded certificate, base64 encoded (keyCredentials usage "Verify").
            Console.WriteLine("Public Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Cert)), Environment.NewLine);
            Console.WriteLine();

            // Generate the customKeyIdentifier from the SHA-256 hash of the thumbprint.
            Console.WriteLine("You can generate the customKeyIdentifier by getting the SHA256 hash of the cert's thumbprint.\nThe cert's thumbprint is: {0}{1}", selfsignedCert.Thumbprint, Environment.NewLine);
            Console.WriteLine("The hash of the thumbprint that we will use for customKeyIdentifier is:");
            string keyIdentifier = GetSha256FromThumbprint(selfsignedCert.Thumbprint);
            Console.WriteLine(keyIdentifier);
        }

        // Generate a self-signed certificate with an exportable RSA-2048 key, valid for two years.
        private static X509Certificate2 BuildSelfSignedServerCertificate(string password)
        {
            const string CertificateName = @"Microsoft Azure Federated SSO Certificate TEST";
            DateTime certificateStartDate = DateTime.UtcNow;
            DateTime certificateEndDate = certificateStartDate.AddYears(2).ToUniversalTime();

            X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");

            using (RSA rsa = RSA.Create(2048))
            {
                var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                request.CertificateExtensions.Add(
                    new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));

                var certificate = request.CreateSelfSigned(new DateTimeOffset(certificateStartDate), new DateTimeOffset(certificateEndDate));
                certificate.FriendlyName = CertificateName;

                // Round-trip through PFX so the returned certificate carries an exportable private key.
                return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable);
            }
        }

        // customKeyIdentifier = base64(SHA-256(ASCII thumbprint)).
        public static string GetSha256FromThumbprint(string thumbprint)
        {
            var message = Encoding.ASCII.GetBytes(thumbprint);
            using (SHA256 sha256 = SHA256.Create())
            {
                return Convert.ToBase64String(sha256.ComputeHash(message));
            }
        }
    }
}

Add a custom signing key

Add the following information to the service principal:

  • Private key
  • Password
  • Public key

Extract the Base64-encoded private and public keys from the PFX file. To learn more about the properties, see keyCredential resource type.

Make sure that the keyId of the keyCredential used for "Sign" matches the keyId of the passwordCredential. You can generate the customKeyIdentifier by getting the hash of the cert's thumbprint. See the previous C# reference code.

Request

Note

The "key" value in the keyCredentials property is shortened for readability. The value is base64 encoded. For the private key the property usage is "Sign". For the public key the property usage is "Verify".

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e
Content-type: application/json

{
    "keyCredentials":[
        {
            "customKeyIdentifier": "lY85bR8r6yWTW6jnciNEONwlVhDyiQjdVLgPDnkI5mA=",
            "endDateTime": "2021-04-22T22:10:13Z",
            "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
            "startDateTime": "2020-04-22T21:50:13Z",
            "type": "X509CertAndPassword",
            "usage": "Sign",
            "key":"MIIKIAIBAz.....HBgUrDgMCERE20nuTptI9MEFCh2Ih2jaaLZBZGeZBRFVNXeZmAAgIH0A==",
            "displayName": "CN=awsAPI"
        },
        {
            "customKeyIdentifier": "lY85bR8r6yWTW6jnciNEONwlVhDyiQjdVLgPDnkI5mA=",
            "endDateTime": "2021-04-22T22:10:13Z",
            "keyId": "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42",
            "startDateTime": "2020-04-22T21:50:13Z",
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "key": "MIIDJzCCAg+gAw......CTxQvJ/zN3bafeesMSueR83hlCSyg==",
            "displayName": "CN=awsAPI"
        }

    ],
    "passwordCredentials": [
        {
            "customKeyIdentifier": "lY85bR8r6yWTW6jnciNEONwlVhDyiQjdVLgPDnkI5mA=",
            "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
            "endDateTime": "2022-01-27T19:40:33Z",
            "startDateTime": "2020-04-20T19:40:33Z",
            "secretText": "61891f4ee44d"
        }
    ]
}

Response

HTTP/1.1 204
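The PATCH above is accepted as long as the JSON is well formed, so a mismatched keyId between the "Sign" keyCredential and the passwordCredential, or a wrong `type`, only surfaces later as SAML responses that Azure AD cannot sign. The following Python, an added example and not code from the article, builds the payload from the values the C# program prints and cross-checks a payload against the rules the text states: shared keyId for Sign and password, a separate keyId for Verify, identical customKeyIdentifier (base64 of the SHA-256 of the thumbprint, as in GetSha256FromThumbprint), the right `type` per usage, and ISO 8601 UTC dates. The PFX and CER bytes in the test are constructed placeholders, not real key material.

```python
"""Build and cross-check the keyCredentials / passwordCredentials payload.

Added example, not code from the original article. The builder takes the
values the article's C# program prints; the checker enforces the rules the
article states for the Sign / Verify / password triple.
"""
import base64
import hashlib
import uuid
from datetime import datetime

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"   # e.g. 2020-04-22T21:50:13Z


def custom_key_identifier(thumbprint):
    """base64(SHA-256(ASCII thumbprint)), matching the article's C# helper."""
    digest = hashlib.sha256(thumbprint.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signing_key_payload(pfx_bytes, pfx_password, cer_bytes, thumbprint,
                              start_date_time, end_date_time, display_name):
    """Return the body for PATCH /servicePrincipals/{id}."""
    ident = custom_key_identifier(thumbprint)
    sign_key_id = str(uuid.uuid4())      # shared by the Sign key and the password
    verify_key_id = str(uuid.uuid4())    # the Verify key gets its own keyId
    return {
        "keyCredentials": [
            {"customKeyIdentifier": ident, "keyId": sign_key_id,
             "startDateTime": start_date_time, "endDateTime": end_date_time,
             "type": "X509CertAndPassword", "usage": "Sign",
             "key": base64.b64encode(pfx_bytes).decode("ascii"),
             "displayName": display_name},
            {"customKeyIdentifier": ident, "keyId": verify_key_id,
             "startDateTime": start_date_time, "endDateTime": end_date_time,
             "type": "AsymmetricX509Cert", "usage": "Verify",
             "key": base64.b64encode(cer_bytes).decode("ascii"),
             "displayName": display_name},
        ],
        "passwordCredentials": [
            {"customKeyIdentifier": ident, "keyId": sign_key_id,
             "startDateTime": start_date_time, "endDateTime": end_date_time,
             "secretText": pfx_password},
        ],
    }


def check_signing_key_payload(payload):
    """Return a list of rule violations; [] means the payload is consistent."""
    problems = []
    keys = payload.get("keyCredentials", [])
    sign = [k for k in keys if k.get("usage") == "Sign"]
    verify = [k for k in keys if k.get("usage") == "Verify"]
    pwds = payload.get("passwordCredentials", [])
    if len(sign) != 1 or len(verify) != 1 or len(pwds) != 1:
        return ["expected exactly one Sign key, one Verify key and one passwordCredential"]
    s, v, p = sign[0], verify[0], pwds[0]
    if s.get("keyId") != p.get("keyId"):
        problems.append("Sign keyCredential and passwordCredential must share the same keyId")
    if v.get("keyId") == s.get("keyId"):
        problems.append("Verify keyCredential must not reuse the Sign keyId")
    if s.get("type") != "X509CertAndPassword":
        problems.append("Sign keyCredential type must be X509CertAndPassword")
    if v.get("type") != "AsymmetricX509Cert":
        problems.append("Verify keyCredential type must be AsymmetricX509Cert")
    if len({s.get("customKeyIdentifier"), v.get("customKeyIdentifier"),
            p.get("customKeyIdentifier")}) != 1:
        problems.append("customKeyIdentifier must be identical across all three credentials")
    for label, cred in (("Sign", s), ("Verify", v), ("password", p)):
        for field in ("startDateTime", "endDateTime"):
            try:
                datetime.strptime(cred[field], ISO_Z)
            except (KeyError, TypeError, ValueError):
                problems.append(f"{label} credential: {field} must be ISO 8601 UTC like 2020-04-22T21:50:13Z")
    return problems
```

Feed `build_signing_key_payload` the raw bytes of the .pfx and .cer files exported by the PowerShell script and the thumbprint printed by the C# program; the same thumbprint is what goes into preferredTokenSigningKeyThumbprint in the next step.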

Activate the custom signing key

You need to set the preferredTokenSigningKeyThumbprint property to the thumbprint of the certificate you want Azure AD to use to sign the SAML response.

Request

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e
Content-type: application/json

{
    "preferredTokenSigningKeyThumbprint": "AC09FEF18DDE6983EE2A164FBA3C4DD7518BD787"
}

Response

HTTP/1.1 204

Step 5: Assign users

Assign users and groups to the application

Assign the following user to the service principal and assign the AWS_Role1.

Name: ID
  • User ID (principalId): 6cad4079-4e79-4a3f-9efb-ea30a14bdb26
  • Type (principalType): User
  • App role ID (appRoleId): 454dc4c2-8176-498e-99df-8c4efcde41ef
  • servicePrincipalID (resourceId): f47a6776-bca7-4f2e-bc6c-eec59d058e3e

Request

POST https://graph.microsoft.com/v1.0/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e/appRoleAssignments
Content-type: application/json

{
  "principalId": "6cad4079-4e79-4a3f-9efb-ea30a14bdb26",
  "principalType": "User",
  "appRoleId":"454dc4c2-8176-498e-99df-8c4efcde41ef",
  "resourceId":"f47a6776-bca7-4f2e-bc6c-eec59d058e3e"
}

Response

HTTP/1.1 201 Created
Content-type: application/json

{
    "id": "rq7hyzl4yECaNZleMrTpDV-OCe5TEl5Ao_o76XMrRFU",
    "creationTimestamp": "2020-04-23T17:38:13.2508567Z",
    "appRoleId": "454dc4c2-8176-498e-99df-8c4efcde41ef",
    "principalDisplayName": "User 1",
    "principalId": "6cad4079-4e79-4a3f-9efb-ea30a14bdb26",
    "principalType": "User",
    "resourceDisplayName": "AWS API Created",
    "resourceId": "f47a6776-bca7-4f2e-bc6c-eec59d058e3e"
}

For more information, see appRoleAssignment.

Step 6: Configure the application side

Get Azure AD SAML metadata

Use the following URL to get the Azure AD SAML metadata for the specific configured application. The metadata contains information such as the signing certificate, Azure AD entityID, and Azure AD SingleSignOnService, among others.

https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={app-id}
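Before handing the metadata to the application, it is worth confirming that the signing certificate it publishes is the one you activated with preferredTokenSigningKeyThumbprint in step 4; if the activation did not take, the application will trust a certificate Azure AD is not signing with. The following Python, an added example and not code from the article, parses the IDPSSODescriptor out of a federation metadata document, computes the SHA-1 thumbprint of each signing certificate (the same hex form the portal and preferredTokenSigningKeyThumbprint use), collects the SingleSignOnService endpoints, and compares against the configured thumbprint. SAMPLE_METADATA is a constructed, trimmed document in the shape of federationmetadata.xml; its X509Certificate holds placeholder bytes rather than a real certificate, so its thumbprint is meaningful only for this sample.

```python
"""Parse Azure AD federation metadata and compare its signing certificate with
the thumbprint configured as preferredTokenSigningKeyThumbprint.

Added example, not code from the original article. SAMPLE_METADATA is a
CONSTRUCTED, trimmed stand-in for federationmetadata.xml with placeholder
certificate bytes. A certificate thumbprint is the SHA-1 of the DER encoding,
upper-case hex.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' entityID="https://sts.windows.net/{tenant-id}/">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<X509Data><X509Certificate>'
    + base64.b64encode(PLACEHOLDER_DER).decode("ascii") +
    '</X509Certificate></X509Data></KeyInfo></KeyDescriptor>'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
    ' Location="https://login.microsoftonline.com/{tenant-id}/saml2"/>'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
    ' Location="https://login.microsoftonline.com/{tenant-id}/saml2"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
)


def metadata_url(tenant_id, app_id):
    """The per-application metadata URL given in the article."""
    return (f"https://login.microsoftonline.com/{tenant_id}/federationmetadata/"
            f"2007-06/federationmetadata.xml?appid={app_id}")


def parse_metadata(xml_text):
    """Return entityID, signing-cert thumbprints and SSO endpoints by binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            continue
        der = base64.b64decode("".join(node.text.split()))
        thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entityID": root.get("entityID"),
            "signing_thumbprints": thumbprints, "sso": sso}


def preferred_key_is_published(xml_text, preferred_thumbprint):
    """True if the configured thumbprint is among the published signing certs."""
    wanted = preferred_thumbprint.replace(":", "").replace(" ", "").upper()
    return wanted in parse_metadata(xml_text)["signing_thumbprints"]
```

Against a live tenant, fetch `metadata_url(tenant_id, app_id)` with any HTTP client and pass the response body to `preferred_key_is_published` together with the thumbprint you set in step 4; a False result means the activation has not taken effect yet or the wrong thumbprint was configured.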

Next steps